rcmclull
asked on
Problems diagnosing RPC over HTTP setup
Hi,
I am having problems working out how to get RPC over HTTP working. This is my set up....
Single Server Enviroment
1 SBS with a static address. The server is running AD, DC and exchange, all client machines get there IP Address from another DHCP server.
I have installed the RPC over HTTP networking components in windows add/remove components
I have obtained and published certificates
I have then gone into the IIS, RPC folders properties, Directory Security, Authentication and access control, cleared enable anonymous access and selected basic authentication (password is sent in clear text). Then under Secure Communications, i have checked requires SSL & 128 bit encryption.
I am using a windows XP home client to connect to the server, which has the RPC hotfix installed. When i go to (for exmaple) https://mail.contoso.com/rpc i get the, you are about to view pages over a secure connection. I type in my user name and password and i get the following error:
http error 403.2 - Forbidden: Read access is denied.
Which is apparently the expected behavior.
When i try and connect from a client machine using the outlook /rpcdiag command it prompts me for my password and in the exchange server connetcion status window are four entries. One for Directory, Referral, Mail and Public folders. ALL just have three dashes --- in the conn column. And they all keep disconnection and connecting. outlook runs slow. It has not collected any of the emails from the server and when i press send and recieve i get the error 0x80040115
Any ideas anyone?
I am having problems working out how to get RPC over HTTP working. This is my set up....
Single Server Enviroment
1 SBS with a static address. The server is running AD, DC and exchange, all client machines get there IP Address from another DHCP server.
I have installed the RPC over HTTP networking components in windows add/remove components
I have obtained and published certificates
I have then gone into the IIS, RPC folders properties, Directory Security, Authentication and access control, cleared enable anonymous access and selected basic authentication (password is sent in clear text). Then under Secure Communications, i have checked requires SSL & 128 bit encryption.
I am using a windows XP home client to connect to the server, which has the RPC hotfix installed. When i go to (for exmaple) https://mail.contoso.com/rpc i get the, you are about to view pages over a secure connection. I type in my user name and password and i get the following error:
http error 403.2 - Forbidden: Read access is denied.
Which is apparently the expected behavior.
When i try and connect from a client machine using the outlook /rpcdiag command it prompts me for my password and in the exchange server connetcion status window are four entries. One for Directory, Referral, Mail and Public folders. ALL just have three dashes --- in the conn column. And they all keep disconnection and connecting. outlook runs slow. It has not collected any of the emails from the server and when i press send and recieve i get the error 0x80040115
Any ideas anyone?
ASKER
Hi,
thanks fro getting back so quick.
I am not trying on the same network at the moment. I have tried to do it from a different network from the start. Point taken about that - maybe a good idea to try that first.
When you say integrated and basic authentication enabled - where shall i check that i have this on?
For the outlook clients i have been setting it to basic authentication.
Another point to make is that i have been trying this with cache mode checked - if i dont check it i dont get hardly any activity in exchange status screen.
It seems like i am soo close but no cigar.
regards
Rich
thanks fro getting back so quick.
I am not trying on the same network at the moment. I have tried to do it from a different network from the start. Point taken about that - maybe a good idea to try that first.
When you say integrated and basic authentication enabled - where shall i check that i have this on?
For the outlook clients i have been setting it to basic authentication.
Another point to make is that i have been trying this with cache mode checked - if i dont check it i dont get hardly any activity in exchange status screen.
It seems like i am soo close but no cigar.
regards
Rich
You must try it on your own network first, as this will ensure that it is working correctly. You have jumped too far ahead.
Switch the Outlook client to NTLM authentication.
As for the authentication, on the /rpc virtual folder, directory security, authentication and access control.
Another good rule is not to fiddle with the IIS configuration. Exchange sets up everything that it requires during the install. All you need to do is install the certificate and you are away.
Is the certificate a purchased one or a homegrown one?
Simon.
Switch the Outlook client to NTLM authentication.
As for the authentication, on the /rpc virtual folder, directory security, authentication and access control.
Another good rule is not to fiddle with the IIS configuration. Exchange sets up everything that it requires during the install. All you need to do is install the certificate and you are away.
Is the certificate a purchased one or a homegrown one?
Simon.
ASKER
Certificate's are home grown ones, which i have installed on the client into the trusted root section. I am pretty sure that is working correctly.
I didnt have integrated authentication checked. I have checked it now.
I have tried switching the outlook client to NTLM but its giving the same results.
Is your working model all on one server?
Anything i should be aware of when setting it up on the LAN ?
Regards
richard
I didnt have integrated authentication checked. I have checked it now.
I have tried switching the outlook client to NTLM but its giving the same results.
Is your working model all on one server?
Anything i should be aware of when setting it up on the LAN ?
Regards
richard
I have done it with single and dual server - currently have both in production.
My usual recommendation for a successful RPC/HTTP is to purchase a certificate. FreeSSL are doing them very cheaply at the moment, and it resolves so many problems.
Setting it up on the LAN is the same as what you have been doing now, except you must use rpcdiag to verify that the connection is going over https and not tcp/ip.
Simon.
My usual recommendation for a successful RPC/HTTP is to purchase a certificate. FreeSSL are doing them very cheaply at the moment, and it resolves so many problems.
Setting it up on the LAN is the same as what you have been doing now, except you must use rpcdiag to verify that the connection is going over https and not tcp/ip.
Simon.
ASKER
Hi,
I am working on the LAN side now (XP pro/ server pack2) - and it is connecting over TCP/IP not HTTPS. I have had to make some changes to get it to work; I had to swap the fqdn for its IP address because the fqdn does not work from inside the network.
Also, the homegrown certificate doesnst match the address now because i created one for mail.domain.uk.com and i obviously cant get to that address so when i type my internal address 192.168.23.100, i get the, you are about to enter a secure site but with warning on the third bullet point. I'm also NOT getting the same results for when i do /rpc - i am just getting a blank web page now.
HELP !
regards
rich
I am working on the LAN side now (XP pro/ server pack2) - and it is connecting over TCP/IP not HTTPS. I have had to make some changes to get it to work; I had to swap the fqdn for its IP address because the fqdn does not work from inside the network.
Also, the homegrown certificate doesnst match the address now because i created one for mail.domain.uk.com and i obviously cant get to that address so when i type my internal address 192.168.23.100, i get the, you are about to enter a secure site but with warning on the third bullet point. I'm also NOT getting the same results for when i do /rpc - i am just getting a blank web page now.
HELP !
regards
rich
ASKER
Hi again,
Not sure if what i have done is ok but - i have edited the HOST file on the computer that i am on, so now when i go to mail.domain.uk.com it directs it to the internal IP address. Now when i go to the https://mail.domain.uk.com i dont get any certificate errors like before. I just get the padlock in the bottom right. The only thing that is still not the same as before is when i go to the /rpc directory - i still get a black webpage. whereas out side the network, it works fine??!!
Any help would be greatfull
Not sure if what i have done is ok but - i have edited the HOST file on the computer that i am on, so now when i go to mail.domain.uk.com it directs it to the internal IP address. Now when i go to the https://mail.domain.uk.com i dont get any certificate errors like before. I just get the padlock in the bottom right. The only thing that is still not the same as before is when i go to the /rpc directory - i still get a black webpage. whereas out side the network, it works fine??!!
Any help would be greatfull
I wouldn't advise using a hosts file. If you take the machine outside of the network it will not resolve the name correctly.
What you need to do is setup an internal DNS zone for domain.uk.com. Create a new host called mail and enter the internal IP address. As long as your servers and clients are configured to look at internal DNS servers then the name resolution will work correctly.
Take a small step backwards. Go to the server itself and enter the full name as per the certificate and then /rpc . Do you still get a blank screen?
Has Exchange been upgraded to SP1? Are you configuring RPC/HTTPS via the GUI (SP1 only) or via registry changes?
Simon.
What you need to do is setup an internal DNS zone for domain.uk.com. Create a new host called mail and enter the internal IP address. As long as your servers and clients are configured to look at internal DNS servers then the name resolution will work correctly.
Take a small step backwards. Go to the server itself and enter the full name as per the certificate and then /rpc . Do you still get a blank screen?
Has Exchange been upgraded to SP1? Are you configuring RPC/HTTPS via the GUI (SP1 only) or via registry changes?
Simon.
ASKER
thanks for getting back again Simon.
I am using two different machines to do the testing on - but ok, i will change the DNS now as well so it looks up the FQDN properly. I would have to do it anyway once i get this working.
NO /RPC doesnt work on the server. But it works outside the network?!?
When you say configuring RPC/HTTPS via a GUI - where is this GUI? i havent made any registry changes, thats a last resort.
Pardon my ignorance, but i cant remember where to find out what service pack it has got.
I went into exchange system manager and help and about and it says version 6.5.6944.0
regards
rich
I am using two different machines to do the testing on - but ok, i will change the DNS now as well so it looks up the FQDN properly. I would have to do it anyway once i get this working.
NO /RPC doesnt work on the server. But it works outside the network?!?
When you say configuring RPC/HTTPS via a GUI - where is this GUI? i havent made any registry changes, thats a last resort.
Pardon my ignorance, but i cant remember where to find out what service pack it has got.
I went into exchange system manager and help and about and it says version 6.5.6944.0
regards
rich
You only get the GUI if you have installed Service Pack 1 for Exchange 2003. It doesn't sound like you have the service pack.
Verify in ESM, Admin Groups, <your admin group>, Servers. Right click on the server and choose Properties.
If it is service packed, then it will say something like "Version 6.5 (Build 7726.6: Service Pack 1)".
It depends if you want to service pack Exchange or not (will require some downtime while the update runs).
If not, then there are a pile of registry changes required to configure RPC/HTTPS. I have outlined the entire list on my web site: http://www.amset.info/exchange/rpc-server.asp
If you do decide to SP the Exchange server then there is a new GUI install which does most of the configuration for you.
It is in the same place that I outlined above for checking the server, on a new tab called "RPC-HTTP".
Can't really go much further forward until known which route you are taking.
Simon.
Verify in ESM, Admin Groups, <your admin group>, Servers. Right click on the server and choose Properties.
If it is service packed, then it will say something like "Version 6.5 (Build 7726.6: Service Pack 1)".
It depends if you want to service pack Exchange or not (will require some downtime while the update runs).
If not, then there are a pile of registry changes required to configure RPC/HTTPS. I have outlined the entire list on my web site: http://www.amset.info/exchange/rpc-server.asp
If you do decide to SP the Exchange server then there is a new GUI install which does most of the configuration for you.
It is in the same place that I outlined above for checking the server, on a new tab called "RPC-HTTP".
Can't really go much further forward until known which route you are taking.
Simon.
ASKER
Bugger - i dont have Service Pack 1 installed. :(
Right, will get it put on ASAP and get back to you.
Simon, thanks. You have been very helpful - have a nice day.
Rich
Right, will get it put on ASAP and get back to you.
Simon, thanks. You have been very helpful - have a nice day.
Rich
ASKER
Hi,
I have now installed service pack 1 and i now have the RPC/HTTPS GUI. Should i be selecting the option, create a backend sever? I then get a warning that no front end server configured.
What do i do next?
I have now installed service pack 1 and i now have the RPC/HTTPS GUI. Should i be selecting the option, create a backend sever? I then get a warning that no front end server configured.
What do i do next?
I am working on three or four RPC/HTTPS issues here on EE at the moment, including this one.
Almost all are identical - it is just unfortuante all of them are happening at the same time, which limits research time.
At the moment (I am going to play around with it a bit more tomorrow (Friday) and over the weekend on a test bed), it looks like in a single server still requires the registry changes.
Microsoft prefer you to have it running on a frontend/backend scenario - and as such a single server scenario hasn't really been addressed. It is odd that this is so difficult.
I am going to look at the latest MS white papers tomorrow to see whether the advice has been changed. Before SP1 it was easy (in that it required registry changes). Now it is if anything more difficult if you are not doing in the "Microsoft way".
If anyone else wants to jump in here, feel free.
Simon.
Almost all are identical - it is just unfortuante all of them are happening at the same time, which limits research time.
At the moment (I am going to play around with it a bit more tomorrow (Friday) and over the weekend on a test bed), it looks like in a single server still requires the registry changes.
Microsoft prefer you to have it running on a frontend/backend scenario - and as such a single server scenario hasn't really been addressed. It is odd that this is so difficult.
I am going to look at the latest MS white papers tomorrow to see whether the advice has been changed. Before SP1 it was easy (in that it required registry changes). Now it is if anything more difficult if you are not doing in the "Microsoft way".
If anyone else wants to jump in here, feel free.
Simon.
ASKER
Hi again,
Yeah I have seen your posts on some of the other articles on EE. I am starting to think registry changes!
One thing I have noticed is when reading round the subject is when using the RPC/HTTP GUI and checking the create a backend server option. It warns me that there is no front-end server configured, and it then goes back to the GUI. The article that I read said that another warning should follow imminently along the following lines:
Server(s) does not have the correct ports configured for services being used by RPC-HTTP. To continue you must configure these ports. If you want these ports configured automatically, click ok.
unfortunately I don't have any test servers, so I look forward to hearing your results.
Regards
Richard
Yeah I have seen your posts on some of the other articles on EE. I am starting to think registry changes!
One thing I have noticed is when reading round the subject is when using the RPC/HTTP GUI and checking the create a backend server option. It warns me that there is no front-end server configured, and it then goes back to the GUI. The article that I read said that another warning should follow imminently along the following lines:
Server(s) does not have the correct ports configured for services being used by RPC-HTTP. To continue you must configure these ports. If you want these ports configured automatically, click ok.
unfortunately I don't have any test servers, so I look forward to hearing your results.
Regards
Richard
This morning's initial testing makes me believe that a combination of the two is required. (yes I am in the UK and have had a quiet morning). I am currently building a new clean test environment to confirm (I love VMWARE).
Therefore the process will be.
1. Enable backend in the RPC-HTTP GUI, with the first error message.
Note: the second error message is generated if the machine is a domain controller as well. Otherwise you only get one message.
2. MS have said restart the computer - I haven't done this and it works, but it is probably advisable, especially if it is a domain controller.
3. Registry changes. Some of these may have already been adjusted by the GUI, but it is probably a good idea to check the changes on both the Exchange server and the GC DC.
Registry changes I have made are as per my web site already posted. I haven't adjusted the article on the web site just yet while I confirm this is the process. It appears to be working on one environment, I just need to repeat before I say that is the process.
Try it - let me know if that does resolve the problem for you.
Usual registry disclaimers apply and you do need to ensure that you meet the other requirements, including the purchased SSL certificate rather than a home grown one.
Simon.
Therefore the process will be.
1. Enable backend in the RPC-HTTP GUI, with the first error message.
Note: the second error message is generated if the machine is a domain controller as well. Otherwise you only get one message.
2. MS have said restart the computer - I haven't done this and it works, but it is probably advisable, especially if it is a domain controller.
3. Registry changes. Some of these may have already been adjusted by the GUI, but it is probably a good idea to check the changes on both the Exchange server and the GC DC.
Registry changes I have made are as per my web site already posted. I haven't adjusted the article on the web site just yet while I confirm this is the process. It appears to be working on one environment, I just need to repeat before I say that is the process.
Try it - let me know if that does resolve the problem for you.
Usual registry disclaimers apply and you do need to ensure that you meet the other requirements, including the purchased SSL certificate rather than a home grown one.
Simon.
Further testing has now confirmed that the process I outlined above is the way to get it working.
I just need to find my other questions to let those people know as well.
Simon.
I just need to find my other questions to let those people know as well.
Simon.
ASKER
Right, thanks for that. I will go for the registry changes as per your website. A couple of things though before i go on and do what you have said:
Firstly, my server is a DC so howcome i didnt get the second warning.
Secondly, I have added the mail.abc.com to the dns host file now on the server so thats works ok. But still when i do /rpc i get a blank webpage. Externally to the network i get the MS error page that is expected.
Will changing the registry sort out these proxy server problems?
regards
richard
Firstly, my server is a DC so howcome i didnt get the second warning.
Secondly, I have added the mail.abc.com to the dns host file now on the server so thats works ok. But still when i do /rpc i get a blank webpage. Externally to the network i get the MS error page that is expected.
Will changing the registry sort out these proxy server problems?
regards
richard
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hi,
I have realised that i cant get the error message externally now either. So, upgrading exchnage to service pack 1 and enabling the backend server option has caused this.
Yeah i can get OWA internally and externally fine. I havent made any other changes what so ever.
Right, time to backup the registry and make some changes. Will let you know how i get on .....
to be continued
I have realised that i cant get the error message externally now either. So, upgrading exchnage to service pack 1 and enabling the backend server option has caused this.
Yeah i can get OWA internally and externally fine. I havent made any other changes what so ever.
Right, time to backup the registry and make some changes. Will let you know how i get on .....
to be continued
ASKER
Sorry it had taken so long to get back to you - I final got round to doing the registry changes - and........
it only f*&$%£ works !!! your a star Simon, points are yours.
one thing that i did have to change was setting for clients certificates, i previously had it set to require client certificates because i had created a home grown one. I followed your advise and got one from freessl and changed the setting to ingnore clients certificates.
Thanks again
it only f*&$%£ works !!! your a star Simon, points are yours.
one thing that i did have to change was setting for clients certificates, i previously had it set to require client certificates because i had created a home grown one. I followed your advise and got one from freessl and changed the setting to ingnore clients certificates.
Thanks again
Having just checked a working configuration, you need to have integrated and basic authentication enabled.
When you configured the Outlook client, did you enable it basic or NTLM authentication?
Simon.