  • Status: Solved

RPC over HTTP just started failing...

I have just set up RPC over HTTP and I had it connected externally yesterday and I sent and received e-mail, but now for some reason it is giving me the message that it can't connect to the Exchange server.

If I enter https://server.domain.com/rpc OR http://server.domain.com/rpc it will prompt me like it should and when I fill in the credentials it gives me the 403.2 error as expected.
In the account settings I have basic authentication on, with server.domain.com as the proxy and msstd:server.domain.com below this.
The certificates are working too, as the rpc and access to OWA show.
When I go to the run command and put in 'outlook /rpcdiag' it just says connecting for a while and then disconnects.

Like I said, this was all working last night and it was connecting over HTTPS like it's supposed to.
The only thing I can think of is that our ISP is somehow interfering here, but then they would have to block ports 80 or 443 wouldn't they?

Does anyone have any idea what might cause this?
Asked by: wlandymore
1 Solution
 
wlandymore (Author) Commented:
I've also tried the RPCping utility and it came back successful when I put in the Exchange server and the proxy.
I got:

sending ping to server
Response from server received: 200
Pinging successfully completed in 484 ms


0
 
wlandymore (Author) Commented:
One more thing...

When I enter the server name in the account as I did before and then the username and click the check name button it won't underline them like it did previously.
If I was just creating the account that would be fine because the necessary SSL settings and proxy settings wouldn't be there, but they are when I'm doing this.
I just don't know what's preventing Outlook from making the connection to the Exchange server to check the name. The ports for the RPC over HTTP are open through the firewall, the registry settings are there, the certificates are there and it worked previously.

I haven't changed anything... why wouldn't I be able to connect to Exchange to verify the account and server name?
Also, it seems strange that when I open Outlook with the outlook /rpcdiag command it prompts me immediately for the username and password. It seems like it's making a connection there somehow because it wants verification... this is crazy.
0
 
Vahik Commented:
Well, maybe if it is an XP you should check to see if the firewall is enabled... or your AV and antispam may also play a role in your problem...
You could also try creating another Outlook profile and see if that would help you solve your problem...
0
 
Sembee Commented:
Are you doing this from inside or outside your network?

If you are doing it from outside, try it from inside. Testing the feature from outside puts too many variables into the mix, which would make diagnosing the problem difficult.

I have recently adjusted my setup technique - and may update the web site to reflect this. I now set up Outlook in the normal way first. Only once the account is working correctly do I convert it to use RPC/HTTPS. I have had fewer problems that way.

Simon
Exchange MVP
0
 
wlandymore (Author) Commented:
Okay, I went in today and tried it from the inside. It worked right away, although there were two things to note.
When I ran it with outlook /rpcdiag this is the output:

server.domain.com       Directory       Broadcom...       TCP/IP       Established        6/2
server.domain.com       Mail              Broadcom...       HTTPS       Established        51/0
server.domain.com       Directory       Broadcom...       TCP/IP       Established        3/2
server.domain.com       Mail              Broadcom...       HTTPS       Established        12/0
server.domain.com       Mail              Broadcom...       HTTPS       Established        55/0
server.domain.com       Mail              Broadcom...       HTTPS       Established        2/0

The two Directory entries are TCP/IP and I thought they were ALL supposed to be HTTPS, and these are the only rows that show failures, with 6/2 and 3/2. All the other rows are showing 0 for failures.

Should I be changing something to get the Directory rows to show up as HTTPS?
0
 
wlandymore (Author) Commented:
Just for reference... Under the IIS - default web site properties, I should have Basic authentication turned on and anonymous turned off, shouldn't I?
0
 
Sembee Commented:
It cannot connect to a domain controller for authentication. It is then failing over to TCP/IP and is working.

This means you need to look at what DC is being used for authentication.

Try removing the RPC/HTTPS settings from Outlook and then starting Outlook with the same /rpcdiag switch. This will show you which DC is being used for authentication of a regular TCP/IP client.
If that is a different DC to the one that you are pointing RPC/HTTPS to, then that could indicate where the problem is.

Simon.
0
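The check discussed in the two posts above (every row should be HTTPS, and the failure half of the last column should be 0), written out as an added example that is not part of the original thread. It assumes the rows have been typed or copied into text in the same layout as the post, with columns separated by two or more spaces; the function names are made up for this illustration.

```python
import re
from typing import NamedTuple

# Rows as posted in the thread (server name already anonymised there).
SAMPLE = """\
server.domain.com       Directory       Broadcom...       TCP/IP       Established        6/2
server.domain.com       Mail              Broadcom...       HTTPS       Established        51/0
server.domain.com       Directory       Broadcom...       TCP/IP       Established        3/2
server.domain.com       Mail              Broadcom...       HTTPS       Established        12/0
server.domain.com       Mail              Broadcom...       HTTPS       Established        55/0
server.domain.com       Mail              Broadcom...       HTTPS       Established        2/0
"""

class Row(NamedTuple):
    server: str
    kind: str        # Directory or Mail
    interface: str
    transport: str   # HTTPS, TCP/IP, or --- while still connecting
    status: str
    requests: int
    failures: int

def parse_rows(text):
    """Split each line on runs of 2+ spaces; skip lines that are not data rows."""
    rows = []
    for line in text.splitlines():
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) != 6:
            continue
        counts = re.fullmatch(r"(\d+)/(\d+)", fields[5])
        if counts is None:
            continue
        rows.append(Row(*fields[:5], int(counts.group(1)), int(counts.group(2))))
    return rows

def findings(rows):
    """Report rows that are not on HTTPS and rows with a non-zero failure count."""
    out = []
    for r in rows:
        if r.transport.upper() != "HTTPS":
            out.append(f"{r.kind} -> {r.server}: transport is {r.transport}, not HTTPS")
        if r.failures:
            out.append(f"{r.kind} -> {r.server}: {r.failures} failures in {r.requests} requests")
    return out

if __name__ == "__main__":
    for finding in findings(parse_rows(SAMPLE)):
        print(finding)
```
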
 
wlandymore (Author) Commented:
It seems to be going to both our DCs. If I add the DC registry setting to the second DC will that allow for this behavior?
0
 
Sembee Commented:
As long as both DCs are Windows 2003 global catalogs then that should be fine.
Don't forget to add the registry entry on the other DC itself.

Simon.
0
 
wlandymore (Author) Commented:
Okay. This 'other' DC is a 2000 DC which is soon going to be demoted and brought back as a 2003 box.
If it's 2000 do you need any registry entry on the box or can you just leave it alone?
0
 
wlandymore (Author) Commented:
I put in the 2003 DC in the Exchange server's registry and then made sure that the 6004 entry was on the 2003 DC, so there's nothing to do with the 2000 DC in there, but now it only has the 2000 DC in the list for 'Directory' when I run the outlook /rpcdiag.

This 2000 DC was the original DC and then the 2003 one was brought up alongside. All the roles have been transferred to the 2003 one, but for some reason it's still pointing to the 2000 one when it connects.
0
 
wlandymore (Author) Commented:
It may have been the fact that the old 2000 box was still a GC. I removed this and retested and it seems to be only looking to the 2003 box.

Thanks for all the help.
0
 
wlandymore (Author) Commented:
One last thing...

If I switch it back to the HTTPS settings, should it use HTTPS for all of them?
Even though it is using the 2003 DC I still see TCP/IP in the Directory category...
0
 
Sembee Commented:
A Windows 2000 DC cannot be the DC/GC for RPC/HTTPS. It must be a Windows 2003 GC/DC. Therefore don't point the registry entries at the Windows 2000 DC - it will not work.

When it is working, they should all be https. You can see a screenshot of a working solution here: http://www.amset.info/exchange/rpc-http-diag.asp

Simon.
0
 
wlandymore (Author) Commented:
Even though I have it pointed at the 2003 DC/GC only, when I run outlook /rpcdiag I still get the TCP/IP in there.
I have the HTTPS enabled per your doc on your site, I have only basic and integrated on the RPC directory.

But for some reason it still tries over TCP/IP. This is trying from the inside. If I do it from the outside it will show --- in the TCP HTTPS category and then eventually it will fail. I get the feeling this is for the same reason with the TCP/IP but I just don't know how to solve it.
0
 
wlandymore (Author) Commented:
Got it!!

I can't believe that this was DNS, but there we go.
It turns out that someone had taken out one of the DNS server entries in the TCP/IP properties of the Exchange server. It was pointing to the old 2000 DC for its DNS.
I found this out after a successful demotion but then Exchange started prompting people for passwords and failing miserably. After I took out the old DNS entry and put in the new one it all started working and showing the HTTPS for all of them.

Thanks a lot, Sembee, for all your help!
0
 
Sembee Commented:
Excellent. Glad that you got it resolved.

Simon.
0
