Solved

Problems diagnosing RPC over HTTP setup

Posted on 2004-10-25
657 Views
Last Modified: 2007-12-19
Hi,

I am having problems working out how to get RPC over HTTP working. This is my setup....

Single Server Environment
1 SBS with a static address. The server is running AD, DC and Exchange; all client machines get their IP address from another DHCP server.
I have installed the RPC over HTTP networking components in Windows Add/Remove Components.
I have obtained and published certificates.
I have then gone into IIS, the RPC folder's properties, Directory Security, Authentication and access control, cleared Enable anonymous access and selected Basic authentication (password is sent in clear text). Then under Secure Communications, I have checked Require SSL & 128-bit encryption.

I am using a Windows XP Home client to connect to the server, which has the RPC hotfix installed. When I go to (for example) https://mail.contoso.com/rpc I get the "you are about to view pages over a secure connection" prompt. I type in my user name and password and I get the following error:

http error 403.2 - Forbidden: Read access is denied.

Which is apparently the expected behavior.

When I try and connect from a client machine using the outlook /rpcdiag command it prompts me for my password, and in the Exchange server connection status window there are four entries: one each for Directory, Referral, Mail and Public Folders. All just have three dashes (---) in the Conn column, and they all keep disconnecting and connecting. Outlook runs slowly. It has not collected any of the emails from the server and when I press Send and Receive I get the error 0x80040115.

Any ideas anyone?




0
Question by:rcmclull
    20 Comments
     
    LVL 104

    Expert Comment

    by:Sembee
    Are you trying to get this to work on the same network as the Exchange server? The usual rule of thumb is to get it working on the network, then move it off.

    Having just checked a working configuration, you need to have integrated and basic authentication enabled.
    When you configured the Outlook client, did you set it to basic or NTLM authentication?

    Simon.
    0
     

    Author Comment

    by:rcmclull
    Hi,

    Thanks for getting back so quickly.

    I am not trying on the same network at the moment. I have tried to do it from a different network from the start. Point taken about that - maybe a good idea to try that first.

    When you say integrated and basic authentication enabled - where shall I check that I have this on?

    For the Outlook clients I have been setting it to basic authentication.
    Another point to make is that I have been trying this with cache mode checked; if I don't check it I hardly get any activity in the Exchange status screen.

    It seems like I am so close but no cigar.

    regards

    Rich
    0
     
    LVL 104

    Expert Comment

    by:Sembee
    You must try it on your own network first, as this will ensure that it is working correctly. You have jumped too far ahead.

    Switch the Outlook client to NTLM authentication.

    As for the authentication, on the /rpc virtual folder, directory security, authentication and access control.
    Another good rule is not to fiddle with the IIS configuration. Exchange sets up everything that it requires during the install. All you need to do is install the certificate and you are away.

    Is the certificate a purchased one or a homegrown one?

    Simon.
    0
     

    Author Comment

    by:rcmclull
    Certificates are home grown ones, which I have installed on the client into the trusted root section. I am pretty sure that is working correctly.

    I didn't have integrated authentication checked. I have checked it now.

    I have tried switching the Outlook client to NTLM but it's giving the same results.

    Is your working model all on one server?
    Anything I should be aware of when setting it up on the LAN?

    Regards

    richard
    0
     
    LVL 104

    Expert Comment

    by:Sembee
    I have done it with single and dual server - currently have both in production.
    My usual recommendation for a successful RPC/HTTP is to purchase a certificate. FreeSSL are doing them very cheaply at the moment, and it resolves so many problems.

    Setting it up on the LAN is the same as what you have been doing now, except you must use rpcdiag to verify that the connection is going over https and not tcp/ip.

    Simon.
    0
     

    Author Comment

    by:rcmclull
    Hi,

    I am working on the LAN side now (XP Pro / Service Pack 2) and it is connecting over TCP/IP, not HTTPS. I have had to make some changes to get it to work; I had to swap the FQDN for its IP address because the FQDN does not work from inside the network.

    Also, the home-grown certificate doesn't match the address now because I created one for mail.domain.uk.com and I obviously can't get to that address, so when I type my internal address 192.168.23.100 I get the "you are about to enter a secure site" prompt but with a warning on the third bullet point. I'm also NOT getting the same results when I do /rpc; I am just getting a blank web page now.

    HELP!

    regards

    rich


    0
     

    Author Comment

    by:rcmclull
    Hi again,

    Not sure if what I have done is ok, but I have edited the HOSTS file on the computer that I am on, so now when I go to mail.domain.uk.com it directs it to the internal IP address. Now when I go to https://mail.domain.uk.com I don't get any certificate errors like before. I just get the padlock in the bottom right. The only thing that is still not the same as before is when I go to the /rpc directory: I still get a blank web page, whereas outside the network it works fine??!!

    Any help would be gratefully received.
    0
     
    LVL 104

    Expert Comment

    by:Sembee
    I wouldn't advise using a hosts file. If you take the machine outside of the network it will not resolve the name correctly.
    What you need to do is set up an internal DNS zone for domain.uk.com. Create a new host called mail and enter the internal IP address. As long as your servers and clients are configured to look at internal DNS servers then the name resolution will work correctly.

    Take a small step backwards. Go to the server itself and enter the full name as per the certificate and then /rpc . Do you still get a blank screen?

    Has Exchange been upgraded to SP1? Are you configuring RPC/HTTPS via the GUI (SP1 only) or via registry changes?

    Simon.
    0
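    The two name problems in the posts above (a certificate issued for mail.domain.uk.com being presented to a client that typed 192.168.23.100, and a hosts-file entry standing in for an internal DNS zone) can be separated with a small preflight script. The following is an added example written for this thread, not code from the thread, from Experts Exchange, or from any Microsoft tool. It assumes a private CA file on disk (the "home grown" root the client trusts), a port of 443, and uses the thread's host names and address as constructed sample values; the `tls_check` function needs network access, everything else runs offline.

```python
"""Preflight checks for an RPC-over-HTTP front door (added example).

Reports three things separately so you can tell which one the browser's
"third bullet point" warning or a blank /rpc page is really about:
  1. does the name resolve to the expected internal address,
  2. does the certificate chain validate against the CA you trust,
  3. was the certificate issued for the name the client actually typed.
Host names and addresses below are the thread's examples or constructed.
"""
import ipaddress
import socket
import ssl
from typing import Callable, Iterable, List


def hostname_matches(cert_names: Iterable[str], host: str) -> bool:
    """True if `host` (what the client typed) is covered by a DNS name in the cert.

    Rules kept close to what browsers apply:
      * comparison is case-insensitive and ignores a trailing dot;
      * an IP literal is never matched by a DNS name, so a certificate for
        mail.domain.uk.com can never validate https://192.168.23.100/
        (an iPAddress SAN would be needed, which this helper does not consider);
      * a wildcard covers only the left-most label: *.domain.uk.com matches
        mail.domain.uk.com but not domain.uk.com or a.b.domain.uk.com.
    """
    host = host.rstrip(".").lower()
    try:
        ipaddress.ip_address(host)
        return False                      # IP literal typed: DNS names cannot match it
    except ValueError:
        pass
    for name in cert_names:
        name = name.rstrip(".").lower()
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                                   # ".domain.uk.com"
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
    return False


def cert_dns_names(cert: dict) -> List[str]:
    """Collect DNS names from a certificate dict as returned by ssl getpeercert():
    subjectAltName DNS entries first, then the subject commonName."""
    names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for kind, value in rdn:
            if kind == "commonName":
                names.append(value)
    return names


def resolution_check(host: str, expected_ip: str,
                     resolve: Callable[[str], str] = socket.gethostbyname) -> str:
    """Classify how `host` resolves from this machine: "ok", "wrong-address:<ip>"
    or "unresolved". `resolve` is injectable so the logic can be exercised offline.
    socket.gethostbyname honours the hosts file, so "ok" here does not prove an
    internal DNS zone exists; confirm with a query sent to the DNS server itself."""
    try:
        got = resolve(host)
    except OSError:                       # socket.gaierror is a subclass of OSError
        return "unresolved"
    return "ok" if got == expected_ip else f"wrong-address:{got}"


def tls_check(host: str, port: int, cafile: str) -> dict:
    """Live check: validate the chain against `cafile` but NOT the host name, so
    the chain result and the name result are reported independently."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False            # name comparison is done by hostname_matches
    ctx.verify_mode = ssl.CERT_REQUIRED   # chain must still validate against cafile
    result = {"chain_ok": False, "names": [], "name_ok": False}
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        result["error"] = f"chain: {exc.verify_message}"
        return result
    except (ssl.SSLError, OSError) as exc:  # e.g. server demanding a client certificate
        result["error"] = str(exc)
        return result
    result["chain_ok"] = True
    result["names"] = cert_dns_names(cert)
    result["name_ok"] = hostname_matches(result["names"], host)
    return result


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:                # usage: script.py <host> <expected_ip> <cafile>
        host, ip, cafile = sys.argv[1:4]
        print("dns :", resolution_check(host, ip))
        print("tls :", tls_check(host, 443, cafile))
    else:                                 # offline walk-through of the thread's cases
        issued_for = ["mail.domain.uk.com"]           # what the home-grown cert names
        for typed in ("mail.domain.uk.com", "192.168.23.100", "MAIL.domain.uk.com."):
            print(f"{typed:22} covered by cert? {hostname_matches(issued_for, typed)}")
        # a hosts-file style resolver: right answer, but only on this one machine
        print(resolution_check("mail.domain.uk.com", "192.168.23.100",
                               resolve=lambda h: "192.168.23.100"))
```

    Run without arguments it just walks through the cases from the thread; run as `script.py mail.domain.uk.com 192.168.23.100 ca.pem` from a LAN client it tells you whether the failure is resolution, trust, or a name mismatch. Keeping `check_hostname` off while leaving `verify_mode` at `CERT_REQUIRED` is the point of the design: a browser collapses both into one warning dialog, and the thread shows how easily that gets misread.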
     

    Author Comment

    by:rcmclull
    thanks for getting back again Simon.

    I am using two different machines to do the testing on - but ok, I will change the DNS now as well so it looks up the FQDN properly. I would have to do it anyway once I get this working.

    NO, /RPC doesn't work on the server. But it works outside the network?!?

    When you say configuring RPC/HTTPS via a GUI - where is this GUI? I haven't made any registry changes; that's a last resort.

    Pardon my ignorance, but I can't remember where to find out what service pack it has got.

    I went into Exchange System Manager, Help, About and it says version 6.5.6944.0

    regards

    rich
    0
     
    LVL 104

    Expert Comment

    by:Sembee
    You only get the GUI if you have installed Service Pack 1 for Exchange 2003. It doesn't sound like you have the service pack.
    Verify in ESM, Admin Groups, <your admin group>, Servers. Right click on the server and choose Properties.

    If it is service packed, then it will say something like "Version 6.5 (Build 7726.6: Service Pack 1)".

    It depends if you want to service pack Exchange or not (will require some downtime while the update runs).
    If not, then there are a pile of registry changes required to configure RPC/HTTPS. I have outlined the entire list on my web site: http://www.amset.info/exchange/rpc-server.asp

    If you do decide to SP the Exchange server then there is a new GUI install which does most of the configuration for you.
    It is in the same place that I outlined above for checking the server, on a new tab called "RPC-HTTP".

    Can't really go much further forward until I know which route you are taking.

    Simon.
    0
     

    Author Comment

    by:rcmclull
    Bugger - I don't have Service Pack 1 installed. :(

    Right, will get it put on ASAP and get back to you.

    Simon, thanks. You have been very helpful - have a nice day.

    Rich
    0
     

    Author Comment

    by:rcmclull
    Hi,

    I have now installed Service Pack 1 and I now have the RPC/HTTPS GUI. Should I be selecting the option "create a backend server"? I then get a warning that no front end server is configured.

    What do I do next?
    0
     
    LVL 104

    Expert Comment

    by:Sembee
    I am working on three or four RPC/HTTPS issues here on EE at the moment, including this one.
    Almost all are identical - it is just unfortunate all of them are happening at the same time, which limits research time.

    At the moment (I am going to play around with it a bit more tomorrow (Friday) and over the weekend on a test bed), it looks like a single server still requires the registry changes.
    Microsoft prefer you to have it running on a frontend/backend scenario - and as such a single server scenario hasn't really been addressed. It is odd that this is so difficult.

    I am going to look at the latest MS white papers tomorrow to see whether the advice has been changed. Before SP1 it was easy (in that it required registry changes). Now it is if anything more difficult if you are not doing it in the "Microsoft way".

    If anyone else wants to jump in here, feel free.

    Simon.
    0
     

    Author Comment

    by:rcmclull
    Hi again,

    Yeah I have seen your posts on some of the other articles on EE. I am starting to think registry changes!

    One thing I have noticed when reading round the subject is that when using the RPC/HTTP GUI and checking the create a backend server option, it warns me that there is no front-end server configured, and it then goes back to the GUI. The article that I read said that another warning should follow imminently along the following lines:

    Server(s) does not have the correct ports configured for services being used by RPC-HTTP. To continue you must configure these ports. If you want these ports configured automatically, click ok.

    Unfortunately I don't have any test servers, so I look forward to hearing your results.

    Regards

    Richard
    0
     
    LVL 104

    Expert Comment

    by:Sembee
    This morning's initial testing makes me believe that a combination of the two is required. (yes I am in the UK and have had a quiet morning). I am currently building a new clean test environment to confirm (I love VMWARE).

    Therefore the process will be.

    1. Enable backend in the RPC-HTTP GUI, with the first error message.
    Note: the second error message is generated if the machine is a domain controller as well. Otherwise you only get one message.
    2. MS have said restart the computer - I haven't done this and it works, but it is probably advisable, especially if it is a domain controller.
    3. Registry changes. Some of these may have already been adjusted by the GUI, but it is probably a good idea to check the changes on both the Exchange server and the GC DC.
    Registry changes I have made are as per my web site already posted. I haven't adjusted the article on the web site just yet while I confirm this is the process. It appears to be working on one environment, I just need to repeat before I say that is the process.

    Try it - let me know if that does resolve the problem for you.

    Usual registry disclaimers apply and you do need to ensure that you meet the other requirements, including the purchased SSL certificate rather than a home grown one.

    Simon.
    0
     
    LVL 104

    Expert Comment

    by:Sembee
    Further testing has now confirmed that the process I outlined above is the way to get it working.
    I just need to find my other questions to let those people know as well.

    Simon.
    0
     

    Author Comment

    by:rcmclull
    Right, thanks for that. I will go for the registry changes as per your website. A couple of things though before I go on and do what you have said:

    Firstly, my server is a DC, so how come I didn't get the second warning?
    Secondly, I have added mail.abc.com to the DNS host file now on the server so that works ok. But still when I do /rpc I get a blank web page. Externally to the network I get the MS error page that is expected.

    Will changing the registry sort out these proxy server problems?

    regards

    richard
    0
     
    LVL 104

    Accepted Solution

    by:
    I haven't built a single DC/Exchange box yet, so not sure why you didn't get the message. I believe in one document Microsoft say that you MAY get the message, so there could be circumstances when you don't.

    Changing the registry should resolve many problems, but it is still a mystery why you only get the error message externally.
    Can you see the rest of the Exchange web site (OWA for example) internally? Have you set any web site headers on the default web site, or anything else to IIS that would be different from the default "out of the box" build?

    Simon.
    0
     

    Author Comment

    by:rcmclull
    Hi,

    I have realised that I can't get the error message externally now either. So upgrading Exchange to Service Pack 1 and enabling the backend server option has caused this.

    Yeah, I can get OWA internally and externally fine. I haven't made any other changes whatsoever.

    Right, time to back up the registry and make some changes. Will let you know how I get on .....

    to be continued
    0
     

    Author Comment

    by:rcmclull
    Sorry it has taken so long to get back to you - I finally got round to doing the registry changes - and........

    it only f*&$%£ works!!! You're a star Simon, points are yours.

    One thing that I did have to change was the setting for client certificates; I previously had it set to require client certificates because I had created a home grown one. I followed your advice and got one from FreeSSL and changed the setting to ignore client certificates.

    Thanks again
    0
