• Status: Solved

Exchange - RPC over HTTP

I have an SBS 2003 (SP1) server at home on which I have been trying to set up RPC over HTTP according to several guides (www.petri.co.il, www.amset.info).

I have so far:

1) Updated exchange to SP2 (mainly for IMF)
2) Installed a certificate which matches the MX record for my domain
3) Configured the RPC virtual directory in IIS to use basic authentication and require SSL
4) Made the required registry changes (see below)
5) Selected RPC-HTTP Back-End Server in Exchange system manager
6) Configured a new outlook profile for HTTP
7) Forwarded ports 80 & 443 on the router to the SBS 2003 server

The servername is - MYSERVER
The domain is - MYDOMAIN.LOCAL
The MX record is - MAIL.MYDOMAIN.COM

I have configured the registry thusly:

myserver:6001-6002;myserver.mydomain.local:6001-6002;mail.mydomain.com:6001-6002;myserver:6004;myserver.mydomain.local:6004;mail.mydomain.com:6004

In the new Outlook profile, I added an Exchange server account to 'MYSERVER', entered my username and configured the HTTP section to connect via https://mail.mydomain.com with basic authentication.

When Outlook starts, it won't connect.

I can navigate to https://mail.mydomain.com/rpc and a username and password box appears, when I enter my credentials I get:

You are not authorized to view this page
You do not have permission to view this directory or page due to the access control list (ACL) that is configured for this resource on the Web server.

1) Is the above correct?
2) Why won't it work!!??!!

Many thanks
Asked: Guy_Adams
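The registry string quoted in the question has the `host:port-range;host:port` shape of the RPC proxy's ValidPorts value, which limits the back-end name and port pairs the proxy will relay to. The following is an added example, not part of the thread: it parses such a string and reports missing names, missing ports and ranges wider than needed. It assumes the quoted string is that value and takes the required ports (6001, 6002, 6004) and host names from the question; `CONSTRUCTED_BAD` is a made-up faulty value.

```python
# Added example (not from the thread): audit an RPC proxy ValidPorts string.

# Ports the question's value lists for every name form (assumed to be required).
REQUIRED_PORTS = {6001, 6002, 6004}


def parse_valid_ports(value):
    """Return {hostname: set(ports)} from 'host:lo-hi;host:port;...'."""
    allowed = {}
    for entry in filter(None, (e.strip() for e in value.split(";"))):
        host, sep, port_spec = entry.rpartition(":")
        if not sep or not host:
            raise ValueError(f"malformed entry: {entry!r}")
        lo, _, hi = port_spec.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not (0 < lo <= hi <= 65535):
            raise ValueError(f"bad port range in {entry!r}")
        allowed.setdefault(host.lower(), set()).update(range(lo, hi + 1))
    return allowed


def audit(value, expected_hosts, required=REQUIRED_PORTS):
    """List findings: missing names or ports, and ports beyond the required set."""
    allowed = parse_valid_ports(value)
    expected = [h.lower() for h in expected_hosts]
    findings = []
    for host in expected:
        ports = allowed.get(host, set())
        missing = sorted(required - ports)
        if missing:
            findings.append(f"{host}: missing ports {missing}")
        extra = ports - required
        if extra:
            findings.append(f"{host}: {len(extra)} port(s) beyond {sorted(required)}")
    for host in sorted(set(allowed) - set(expected)):
        findings.append(f"{host}: unexpected host in ValidPorts")
    return findings


# The value posted in the question, and a constructed faulty variant.
POSTED = ("myserver:6001-6002;myserver.mydomain.local:6001-6002;"
          "mail.mydomain.com:6001-6002;myserver:6004;"
          "myserver.mydomain.local:6004;mail.mydomain.com:6004")
CONSTRUCTED_BAD = "myserver:100-5000;myserver.mydomain.local:6001-6002"
HOSTS = ["MYSERVER", "myserver.mydomain.local", "mail.mydomain.com"]

if __name__ == "__main__":
    for label, value in (("posted", POSTED), ("constructed", CONSTRUCTED_BAD)):
        print(label, audit(value, HOSTS) or "OK")
```

The posted value passes this check, which is consistent with the thread moving on to IIS permissions and the SBS wizards rather than the registry string.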
 
Dave Robinson Commented:
I also get that I am not authorized to view this page with a working RPC setup.

The first thing I would say is that you need to install the certificate onto your client PC. (So get the certificate for mail.domain.com and right click, install to your Trusted Root Certificates)

Next check Outlook settings:

Exchange proxy Settings (Under More Settings, Connection Tab)
Https:// mail.yourdomain.com
Tick SSL Only, Tick Only connect to proxy servers that have ......
Tick On Fast Networks, Tick on Slow networks...

Choose Basic Authentication
----------------

Guy_Adams (Author) Commented:
The certificate is installed, I let the machine decide where to store it, is this correct?

Also when opening Outlook I get the same username and password box as when I access https://mail.mydomain.com/rpc, does that happen with you?

Thanks for your response.

Olaf De Ceuster Commented:
Don't know why you make this so difficult.
Firstly: Run the internet connection wizard: In Server Management > To Do List > Point 2.
General info: http://support.microsoft.com/kb/825763
Enter mail.mydomain.com for FQDN for the certificate.
Example: http://www.sbs-rocks.com/sbs2k3/sbs2k3-n2.htm
Then run the remote access wizard: To Do List, point 3. Enter mail.mydomain.com for FQDN.
RPC/HTTP will be configured for you if you choose the correct options in the firewall section of the Internet connection wizard.
For this to work SBS has to be your DHCP server, WINS and DNS server.
Then log on to the RWW and in there you have a document you can follow to set up the Outlook client.
"Connect email over the internet"
Follow this document and ...done.
No need for registry edits, new profiles and other hard work.
Hope that helps,
Olaf

Dave Robinson Commented:
Yes that's right.
Does Outlook accept the username and password you enter? Or does it refuse 3 times and then give up?

RPC is correctly working for it to prompt you with a username/password box, but perhaps the certificates are not correctly installed. I would try installing the certificate and manually selecting where to store. Make sure it goes into the Trusted Root Certificate Authorities.

Also make sure it is the Root certificate you are installing on your machine.
To check, open up OWA and log in. Double click on the Certificate/Padlock icon at the bottom to view the certificate --> Go to Certification path.

You may have
Server
|-mail.domain.com

If so, Select the Server - And view certificate
Go to Details and Copy to file. Save this certificate, Install onto your machine, and then try again.

Guy_Adams (Author) Commented:
If I run outlook /rpcdiag from the command line and enter the username and password, they are accepted. Then I get the 'unable to connect to the Microsoft Exchange server' message.

I downloaded the cert from OWA and installed as you specified into the Trusted Root Certificate Authorities but still no joy.

Thanks

Dave Robinson Commented:
Sorry, something I missed from the above post was in the Outlook 2003 config.

Exchange Proxy Settings:
Principal Name should be MSSTD:mail.domain.com

Just in case that makes a difference and you don't already have this set.

Guy_Adams (Author) Commented:
Interestingly on this guide:

http://www.msexchange.org/tutorials/Troubleshooting-RPC-over-HTTPS-Part2.html

It states you should be able to access:

https://mail.mydomain.com/rpc/rpcproxy.dll

When I try this URL I get:

The page cannot be found
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.

Upon closer inspection the file is where it should be and it shows in IIS Manager...? Part of the problem?


Guy_Adams (Author) Commented:
Also I have had conflicting tutorials:

One states that in the Exchange System Manager GUI you should set RPC over HTTP to: "RPC-HTTP Back-End Server" and the other tutorial says you should leave it as: "not part of an exchange managed HTTP / RPC topology"

So which should I use? Also after changing this setting does the server need to be restarted?

Thanks

Dave Robinson Commented:
Hi Guy,

Back, it does seem I can access the dll file, so that's possibly the best bet of troubleshooting with the permissions in IIS.
Also it should be set to "RPC-HTTP Back-End Server"

The server does not need to be restarted, but don't forget the registry settings would probably require a restart.

Guy_Adams (Author) Commented:
Well I can navigate to the DLL both internally and externally and as usual the username and password box appears. After entering my username and password I then get:

The page cannot be found
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.

Does this happen for you? If not what happens after you have entered your credentials?

Thanks for your help so far.

Dave Robinson Commented:
For me when I enter my credentials, it prompts me to where I want to save the .dll file.
From the server can you browse to the file via internet explorer?

Guy_Adams (Author) Commented:
No, I get the usual:

The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.

Would it be possible for you to let me know what permissions are on the file and what security you have assigned in IIS?

It looks like this file is the issue, I hope.


Guy_Adams (Author) Commented:
Can anyone advise me on the next course of action?

Something appears to be wrong with the RPCPROXY.DLL

Tomorrow I will try and reinstall the RPC over HTTP from add/remove windows components and then go through the tutorials again.

Any further advice is greatly appreciated.

Olaf De Ceuster Commented:
Guy,

Did you see my previous post? This is SBS and all this is set up for you.
Did you use the wizards?
Olaf

Dave Robinson Commented:
Hi Guy,

Sorry I've been off for today - I will try and get a chance tomorrow to check our servers for the RPC settings. By all means try the way which olafdc suggests if you cannot wait.

Guy_Adams (Author) Commented:
Olaf, I tried your suggestion but still get the same issue; it won't connect.

The SBS server in question had to have Exchange and IIS reinstalled some time ago, do you think this has caused the issue? Everything else has been working fine, without any issues and the event logs give no clues as to why this rpcproxy doesn't seem to do what it's meant to.

Any further suggestions?

Dave Robinson Commented:
Guy,

RPC Settings for our working Exchange server:
RPC --> Authentication Methods: Integrated Windows Authentication and Basic Authentication, with the Default Domain & Realm Filled in (domain.com)

Permissions:
Administrators, Creator Owner and System - Full Control
Authenticated Users - Read & Execute / List Folder Contents / Read
Server Operators - Modify/Read&Execute/List Folder Contents/Read/Write

Virtual Directory Tab
Local Path: C:\WINDOWS\System32\RpcProxy
(At Bottom) Execute Permissions: Scripts and Executables

Guy_Adams (Author) Commented:
All my settings match yours and still the dreaded page not found.

I uninstalled RPC over HTTP from add/remove windows components, removed all the previously entered registry entries and deleted the virtual directories from IIS manager.

I then reinstalled RPC over HTTP, checked to ensure the IIS virtual directories are there then ran through the wizards as olaf suggested. On the remote access wizard, after clicking finished it went through the motions and errored just before the end, here is the rras log:

22/03/2007 12:09
C:\Program Files\Microsoft Windows Small Business Server\Networking\RRASWiz\wizrras.dll, version 5.2.2893.0
Calling CRRASCommit::CommitEx
Calling CRRASCommit::ValidatePropertyBag
pdispPPPBag->QueryInterface returned OK
PropertyBag 258da0
Reading property value for enabling Remote Access returned OK
bRemoteAccess = 1
Reading property value for VPN returned OK
bVPN = 1
Reading property value for RAS returned OK
bRAS = 0
Calling CRRASCommit::ValidateVPNProperties
Reading VPN Server Name returned OK
VPN Server Name is intranet.gascoines.com
Calling CRRASCommit::ValidateDHCPProperties
DHCP server is installed on the box
CRRASCommit::ValidateDHCPProperties returned OK
CRRASCommit::ValidateVPNProperties returned OK
CRRASCommit::ValidatePropertyBag returned OK
pdispPPPBag->QueryInterface returned OK
Pointer to the property bag 258da0
Calling CRRASCommit::CommitRRAS
Arguments:
PropertyBag 258da0
bRAS 0
bVPN 1
Getting the GUID of the private NIC returned OK
Private NIC Guid is {5BBD60F9-F23A-41A0-8D13-8187BD55B490}
Checking whether RRAS is already running returned OK
RRAS already running
Stopping RRAS returned OK
Installing RRAS returned OK
Dhcp server is installed and running on this box
Enabling DHCP client addressing returned OK
Configuring ports returned OK
Identifying the private NIC for RAS returned OK
Setting the default authentication methods returned OK
Disabling NETBIOS for RAS returned OK
Changing RRAS startup type to automatic returned OK
*** Configuring Remote Access Policy returned ERROR 80072030
Specifying error location returned OK
*** CRRASCommit::CommitRRAS returned ERROR 80072030
*** Committing RRAS returned ERROR 80072030
*** CRRASCommit::CommitEx returned ERROR 80072030

Tested https://mail.mydomain.com/rpc/rpcproxy.dll, I get the prompt for username and password and then guess what.... the dreaded page not found.

Where do I go from here?

Dave Robinson Commented:
Hi Guy,

See this post for the 80072030 error you are getting at the bottom of that log:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/SBS_Small_Business_Server/Q_21991685.html

Guy_Adams (Author) Commented:
After a little more research it appears this is because the MyBusiness OU isn't in Active Directory. I will get this OU back then come back when the wizard has completed.

Guy_Adams (Author) Commented:
Well I have removed the SBS administration component and I will reinstall later when I can restart the server.

I will post back when completed.

Many thanks for your posts so far. It's much appreciated.

Olaf De Ceuster Commented:
If you use the add user wizard in Server Management your users will be put in the correct OU.
If you then follow the steps (all steps) in the To Do List your RPC and many other things will work again.
Over and above you should join your workstations using the connectcomputer wizard.
This is why: http://msmvps.com/blogs/bradley/archive/2006/04/08/89925.aspx
Why don't you try it, won't take long.
This is assuming your server is handling DHCP, DNS and wins.
Olaf

Guy_Adams (Author) Commented:
Olaf,

I reinstalled the administration component and SP1 for SBS 2003 early this morning to return all the missing OUs from Active Directory.

I then ran the CIECW and the Remote Connection wizard as you specified, all completed ok.... still cannot access Outlook over HTTP.

I'm fresh installing a WinXP pro pc now and will connect to network via connect computer.

I actually think all the machines in this office have been connected via the connect computer component but to be sure I'll try with a freshly installed workstation just in case.

Thanks again.

Olaf De Ceuster Commented:
1) Updated exchange to SP2 (mainly for IMF)
That's good
2) Installed a certificate which matches the MX record for my domain
You need to do this in the internet connection wizard. Delete any certificates that were not installed with wizard
3) Configured the RPC virtual directory in IIS to use basic authentication and require SSL
The wizard does that for you. You need to reverse what you did.
4) Made the required registry changes (see below)
Undo these. Wizard does this for you.
5) Selected RPC-HTTP Back-End Server in Exchange system manager
Undo this. Let wizard do it.
6) Configured a new outlook profile for HTTP
Configure an existing client for http by following the article in RWW; Connect outlook over the internet
7) Forwarded ports 80 & 443 on the router to the SBS 2003 server.

Does RPC work internally?
Olaf

Guy_Adams (Author) Commented:
Everything works internally without issues including RPC. It's just over HTTP it doesn't seem to want to work.

I will follow your instructions step by step then get back to you.

Thanks

Olaf De Ceuster Commented:
Can you put the router in DMZ mode just to try?
Also are workstations: XP SP1 with hotfix 331320 or SP2?
Olaf

Guy_Adams (Author) Commented:
All workstations XP Pro with SP2.

The relevant ports are open on the router.

Thanks

Guy_Adams (Author) Commented:
Just to let you know, I have not had time to reverse the changes and re-run the wizards yet.

I will probably do so tomorrow morning.

Many thanks

Guy_Adams (Author) Commented:
Well, I reversed all the changes as suggested, then followed the CIECW through, this time creating a new certificate and allowing OWA and Outlook over the internet in the wizard's options.

I then ran the Remote Access wizard (just to be sure)

After printing the 'Remote Web Workplace' document on configuring Outlook over the internet, I disconnected my laptop and connected via a 3G data card.

I went through the RWW document and still cannot get connected.

I double checked the relevant ports on the router were forwarded to our server, 80 and 443 all ok. I can get OWA no problems, I just can't get RPC over HTTP to work.

Anyone have any suggestions on diagnostic for this configuration?

Thanks

Olaf De Ceuster Commented:
I assume you used the Small Business server VPN connection to set up the initial config for exchange?
Also you need to IMPORT the certificate onto the local machine. This is the certificate prompt you get when initially connecting to RWW.
Olaf

Olaf De Ceuster Commented:
You only need to install the certificate for machines NOT joined to the domain.
Olaf

Guy_Adams (Author) Commented:
Olaf,

The computer was set up on the LAN using the http://servername/connectcomputer page on the SBS server. I then disconnected the network cable and connected to the internet via a 3G data card.

Thanks

Olaf De Ceuster Commented:
In the Internet connection wizard what did you enter for the certificate?
To find out what to enter: Go to www.dnsreport.com and enter your external permanent IP address. Whatever it resolves to should be entered as certificate.
Same in the Remote Access wizard.
Olaf

Guy_Adams (Author) Commented:
I entered a FQDN; remote.mydomain.com which points to our WAN IP.

This is also the same in remote access wizard.

I can also use https://remote.mydomain.com/exchange to access OWA without issue.

Thanks for your help Olaf

Olaf De Ceuster Commented:
I really need to have a look at this. If you can find a way to do that without infringing on this site's rules I'll gladly have a look.
Olaf

Guy_Adams (Author) Commented:
Olaf,

If I award the points by splitting them, 70% to you, 30% to trhitc for his efforts.

You can then have a look at www.gnasupport.co.uk where there is an email address on which you can contact me, if you are prepared to do so I would be able to run a remote assistance session?

Thanks
