Solved

RPC over HTTPS in a single standalone Exchange server that is neither a GC nor a DC.

Posted on 2006-10-31
Last Modified: 2008-01-09
I'm trying to set up RPC over HTTPS on our standalone Exchange server.  It's not a GC or DC, it's only an Exchange server.
Exchange 2003 Enterprise SP2

- installed RPC over HTTP proxy
- in ESM, selected RPC-HTTP back-end server
- configured RPC virtual directory in IIS, cleared anonymous, require SSL, 128 bit encryption. (for the default website, purchased third party CA certificate which is trusted)
- configured the Exchange server registry to use the following ports:
  mail:6001-6002;mail.domain.com:6001-6002;mail:6004;mail.domain.com:6004
- Outlook configured to use Exchange proxy (Use this URL...:mail.domain.com, Connect using SSL only, Mutually authenticate..., Principal name for proxy server:msstd:mail.domain.com) with basic authentication.

However, I'm unable to get this to work.
Does this scenario require any work on a GC (modifying the registry on GC for ncacn_http:6004)?  We don't manage the GC since it's done by another dept so if it does require a change, it'd be a pain.

Thanks.
 

Question by:ucsdprovost
 
LVL 104

Accepted Solution

by:
Sembee earned 125 total points
ID: 17846535
Yes, it does require a change to the global catalog domain controller.
You will probably need some more entries in the registry as well, I usually include the domain controller in there.

http://www.amset.info/exchange/rpc-http.asp

Simon.
0
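A check for the port list discussed above, as an added example that is not part of the original thread: it parses the semicolon-separated `host:port` / `host:low-high` string from the question and reports which required host/port pairs are missing and which allowed pairs go beyond what is needed. The host names `gc1` and `gc1.domain.com` are constructed, and the assumption that a GC needs only port 6004 follows the `ncacn_http:6004` value quoted in this thread.

```python
# Added example: audit an RPC proxy port list such as the one in the question.
# "mail" / "mail.domain.com" come from the thread; the "gc1" names are constructed.

def parse_port_list(value):
    """Parse 'host:6001-6002;host:6004' into {host: set_of_ports}."""
    allowed = {}
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue  # tolerate a trailing ';'
        host, sep, ports = entry.rpartition(":")
        if not sep or not host:
            raise ValueError(f"malformed entry: {entry!r}")
        low, _, high = ports.partition("-")
        low, high = int(low), int(high or low)  # non-numeric ports raise ValueError
        if not 0 < low <= high <= 65535:
            raise ValueError(f"bad port range in entry: {entry!r}")
        allowed.setdefault(host.lower(), set()).update(range(low, high + 1))
    return allowed

def audit(value, required):
    """Compare the configured list with {host: ports} that must be reachable.

    Returns (missing, extra): pairs the proxy would refuse but are needed, and
    pairs it would forward to although nothing requires them.
    """
    allowed = parse_port_list(value)
    required = {h.lower(): set(p) for h, p in required.items()}
    missing = sorted((h, p) for h, ports in required.items()
                     for p in ports - allowed.get(h, set()))
    extra = sorted((h, p) for h, ports in allowed.items()
                   for p in ports - required.get(h, set()))
    return missing, extra

# Value exactly as posted in the question.
THREAD_VALUE = ("mail:6001-6002;mail.domain.com:6001-6002;"
                "mail:6004;mail.domain.com:6004")

# Assumed requirement: Exchange on 6001, 6002, 6004; the GC on 6004 only.
REQUIRED = {
    "mail": {6001, 6002, 6004}, "mail.domain.com": {6001, 6002, 6004},
    "gc1": {6004}, "gc1.domain.com": {6004},  # constructed GC names
}

if __name__ == "__main__":
    missing, extra = audit(THREAD_VALUE, REQUIRED)
    print("missing:", missing)
    print("extra:  ", extra)
```

An empty `extra` list means the proxy forwards only to the host/port pairs that are actually needed; a wide range in the configured value shows up there port by port.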
 

Author Comment

by:ucsdprovost
ID: 17846595
So I need to actually modify the registry as below on the GC DC?

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Create a new entry of type REG_MULTI_SZ
Name: NSPI Interface protocol sequences
Value: ncacn_http:6004

0
 
LVL 104

Expert Comment

by:Sembee
ID: 17846639
That looks like it.
If you have more than one GC/DC then you can make the change on both and reference both in the registry changes on the Exchange server.

Simon.
0
 
LVL 8

Assisted Solution

by:nitadmin
nitadmin earned 125 total points
ID: 17855154
I have two questions.
1. Did you install an SSL certificate from a Public CA?
2. Did you configure your GC server?

Read this article very carefully, and pay attention to what it says about configuring your GC server.
Most people who attempt to configure the Exchange 2003 RPC over HTTPS feature fail to install an SSL certificate from a public CA and they don't even bother to configure the GC server.

Here are links to two webpages from one great website. It will tell you step by step what you need to do. Read it very carefully.
Compare the steps that it gives you and what you have done already. Follow his instructions very carefully and RPC over HTTPS will work.

http://www.petri.co.il/configure_rpc_over_https_on_a_single_server.htm
http://www.petri.co.il/rpc_over_http_error_4013_after_windows_2003_sp1.htm

Another thing, if you have a single domain forest, make all your domain controllers GC (global catalog) servers. This is done from Active Directory Domains and Trusts.

I also want to point out to you why this sentence is in BOLD on the first webpage. Make sure you configure the registry key on your GC servers. And also use the rpccfg tool to confirm the port settings like he shows you. Read this sentence very carefully. You will fail if you do not listen to what he is saying. "Configure all your global catalogs to use specific ports for RPC over HTTP for directory services"  quote by Daniel Petri.

Cheers,
NITADMIN
0
 

Author Comment

by:ucsdprovost
ID: 17855853
I just got it to work.  I must've missed something when I first did it.
I didn't need to do anything on GC though.
Probably it was setup with the necessary changes already.

Thanks.
0
