Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

RPC over https login failing - HTTP Error 401.3

Posted on 2006-11-15
9
Medium Priority
?
1,563 Views
Last Modified: 2012-05-05
I have a new 2003 single server exchange install. I am having no luck with RPC over https.
The server is installed in a the site domain with a seperater domain controller in each site.
the site with exchange has
mx1.domain.local - exhcange server
dc2.domain.local - domain controller (dns)

I have followed a heap of guides the only one that talks of RPC in a single exchange server - with a seperate dc.
http://www.amset.info/exchange/rpc-http-server.asp

In particular he mentions including the dc in the Validports entry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy

In IIS I have set the rpc directory security - authentication to  basic and the default domain to domain.local

Anyway now to the problem
When I test the server in a browser on the LAN or the wan eg https://mx1/rpc
I get a prompt for a username and password however authentication is unsuccsessfull after three attempts I recieve a "HTTP Error 401.3"

I have tried a world of username password combinations with no luck.

owa is working fine externally.

Any ideas welcome.
0
Comment
Question by:btomkins
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 2
  • 2
9 Comments
 
LVL 104

Expert Comment

by:Sembee
ID: 17951760
Authentication failure on the /rpc virtual directory is normal. The test is to see if you get a certificate prompt or not.
You need to move on to the Outlook configuration. Using a normal domain client already configured for Exchange access (and working) add the addition settings for RPC over HTTPS. Restart Outlook and see what happens.

Simon.
0
 
LVL 1

Author Comment

by:btomkins
ID: 17951838
RPCdump has some access denied errors

dc2.domain.local has had the registry fix

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

Type REG_MULTI_SZ
Name: NSPI Interface protocol sequences
Value: ncacn_http:6004


I notice
UUID:1544f5e0-613c-11d1-93df-00c04fd7bd09
how can I tell what server this is?
Thanks
Brian
========================================================
Querying Endpoint Mapper Database...

149 registered endpoints found.


Collecting Data....  This may take a while.

          0    10   20   30   40   50   60   70   80   90  100
          |----|----|----|----|----|----|----|----|----|----|
          ...................................................

ProtSeq:ncacn_http

Endpoint:6002

NetOpt:

Annotation:MS Exchange Directory RFR Interface

IsListening:ACCESS_DENIED

StringBinding:ncacn_http:192.168.100.8[6002]

UUID:1544f5e0-613c-11d1-93df-00c04fd7bd09

ComTimeOutValue:RPC_C_BINDING_DEFAULT_TIMEOUT

VersMajor 1  VersMinor 0

rpcdump completed sucessfully after 1 seconds

0
 
LVL 1

Author Comment

by:btomkins
ID: 17951943
Sembee,
Thanks for your quick reply

Sorry I disagree on the bit where you say its normal to get access denied.

From my reading its normal to get a 403.2 error not a 402.3 error.

I get the certificate ok. I are useing self certificates although I dont believe that that is the problem.

Using outlook on the LAN with HTTPS on the domain is the same story it just keeps asking for a password.

Outlook work fine with standard TCPIP on the LAN.
owa also works fine from internal and external networks.



Thanks
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
LVL 39

Expert Comment

by:redseatechnologies
ID: 17953704
Second opinion,

401.3 is normal, all of my exchange servers report that (and they are all configured correctly for RPC/HTTPS)

When you say "I get the certificate ok" does that mean it comes up and you say "yes" to it?

If so, that is a problem right there

-red
0
 
LVL 39

Expert Comment

by:redseatechnologies
ID: 17953706
Sembee,

Can you prune that log a bit please?  This thread hurts and it only has 4 posts! :)

-red
0
 
LVL 1

Author Comment

by:btomkins
ID: 17954032
red,

Sorry about the rpcdump - How do you prune a comment?

Dont the "IsListening:ACCESS_DENIED" lines mean something.

> When you say "I get the certificate ok" does that mean it comes up and you say "yes" to it?

When I first connect on a machine it Actually does come up and say it is not from company that I have chosen to trust.
After I install the certificate the warning no longer comes up when I conect.

I'm sorry if I have not been clear.

The problem is still that the username and password dialog keeps coming back! ie Authentication is failing
I only get the 401.3 error after I click cancel.

Thanks
Brian
0
 
LVL 104

Accepted Solution

by:
Sembee earned 2000 total points
ID: 17955216
You can't prune posts, but I can (as page editor) so that is what I have done.
The magic rule with log posts is to ask yourself would you read it? If not, then don't post it. If you report that you have the log, if there is likely to be anything of interest in there then an expert will ask you about it.

The first thing I always recommend with this feature is to use a commercial certificate rather than a home grown certificate. I tried to use a home grown certificate when I first started out with this feature and got failures. Switched to a home grown certificate and had it working in less than 20 minutes. For the US$20 (GoDaddy) or US$70 (RapidSSL) it costs for the certificate it well worth the investment compared to my time and it looks better from a deployment point of view.

401.3 is the same failure I get on my Exchange servers as well, and I am using RPC over HTTPS as I write.
It should prompt three times then fail.

Ensure that you have integrated and basic authentication enabled on the /rpc virtual directory in IIS Manager. Anonymous should not be enabled.

Simon.
0
 
LVL 1

Author Comment

by:btomkins
ID: 17955646
Thanks Simon,
I added the integrated authentication and now outlook https connections work on the LAN using the  external domain the exchange proxy settings.

I dont know why but it just wont work on my machine externally.
I am buying a certificate to see if thats it.

thanks again
Brian
0
 
LVL 1

Author Comment

by:btomkins
ID: 17974179

Well buying a certificate has made it work from the outside.
Thanks for your help.
0

Featured Post

New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

One-stop solution for Exchange Administrators to address all MS Exchange Server issues, which is known by the name of Stellar Exchange Toolkit.
If something goes wrong with Exchange, your IT resources are in trouble.All Exchange server migration processes are not designed to be identical and though migrating email from on-premises Exchange mailbox to Cloud’s Office 365 is relatively simple…
In this video we show how to create an email address policy in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Mail Flow…
To show how to generate a certificate request in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Servers >> Certificates…
Suggested Courses

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question