Solved

Exchange - RPC over HTTP

Posted on 2007-03-20
Last Modified: 2012-06-21
I have a SBS 2003 (SP1) server at home on which I have been trying to set up RPC over HTTP according to several guides (www.petri.co.il, www.amset.info).

I have so far:

1) Updated exchange to SP2 (mainly for IMF)
2) Installed a certificate which matches the MX record for my domain
3) Configured the RPC virtual directory in IIS to use basic authentication and require SSL
4) Made the required registry changes (see below)
5) Selected RPC-HTTP Back-End Server in Exchange system manager
6) Configured a new outlook profile for HTTP
7) Forwarded ports 80 & 443 on the router to the SBS 2003 server

The servername is - MYSERVER
The domain is - MYDOMAIN.LOCAL
The MX record is - MAIL.MYDOMAIN.COM

I have configured the registry thusly:

myserver:6001-6002;myserver.mydomain.local:6001-6002;mail.mydomain.com:6001-6002;myserver:6004;myserver.mydomain.local:6004;mail.mydomain.com:6004

In the new Outlook profile, I added an Exchange server account to 'MYSERVER', entered my username and configured the HTTP section to connect via https://mail.mydomain.com with basic authentication.

When Outlook starts, it won't connect.

I can navigate to https://mail.mydomain.com/rpc and a username and password box appears, when I enter my credentials I get:

You are not authorized to view this page
You do not have permission to view this directory or page due to the access control list (ACL) that is configured for this resource on the Web server.

1) Is the above correct?
2) Why won't it work!!??!!

Many thanks
Question by:Guy_Adams
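
As an added example (not part of the original question and not written by any participant in this thread), the following Python parses a registry string of the form posted above and reports host names that lack one of the ports, plus any hosts or ports beyond the expected set. The required ports (6001, 6002, 6004) are an assumption taken from the posted value, and the function names are hypothetical.

```python
# Added example: audit an RPC proxy port-list string. Not code from the thread.
# Assumption: the required ports are the ones in the value posted above.
REQUIRED_PORTS = frozenset({6001, 6002, 6004})

# The value exactly as posted in the question (placeholder host names).
POSTED = ("myserver:6001-6002;myserver.mydomain.local:6001-6002;"
          "mail.mydomain.com:6001-6002;myserver:6004;"
          "myserver.mydomain.local:6004;mail.mydomain.com:6004")


def parse_valid_ports(value):
    """Parse 'host:port[-port];...' into {lowercased host: set of ports}."""
    hosts = {}
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue  # tolerate a trailing semicolon
        host, sep, ports = entry.rpartition(":")
        if not sep or not host.strip():
            raise ValueError(f"not in host:port form: {entry!r}")
        low, _, high = ports.partition("-")
        low, high = int(low), int(high or low)  # ValueError if not numeric
        if not 0 < low <= high <= 65535:
            raise ValueError(f"bad port range in {entry!r}")
        hosts.setdefault(host.strip().lower(), set()).update(range(low, high + 1))
    return hosts


def audit(value, expected_hosts, required=REQUIRED_PORTS):
    """Return (host, problem, ports) tuples; an empty list means no findings."""
    hosts = parse_valid_ports(value)
    expected = [h.lower() for h in expected_hosts]
    findings = []
    for name in expected:
        missing = required - hosts.get(name, set())
        if missing:
            findings.append((name, "missing", sorted(missing)))
    for host, ports in hosts.items():
        if host not in expected:
            findings.append((host, "unexpected", sorted(ports)))
        elif ports - required:
            findings.append((host, "extra", sorted(ports - required)))
    return findings


if __name__ == "__main__":
    names = ["myserver", "myserver.mydomain.local", "mail.mydomain.com"]
    for finding in audit(POSTED, names) or ["no findings"]:
        print(finding)
```

The "extra" and "unexpected" findings matter because this list is what limits which internal host and port pairs the RPC proxy will forward to once ports 80 and 443 are exposed on the router.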
37 Comments
 
LVL 2

Expert Comment

by:Dave Robinson
ID: 18755298
I also get that I am not authorized to view this page with a working RPC setup.

The first thing I would say is that you need to install the certificate onto your client PC. (So get the certificate for mail.domain.com and right click, install to your Trusted Root Certificates)

Next check Outlook settings:

Exchange proxy Settings (Under More Settings, Connection Tab)
https://mail.yourdomain.com
Tick SSL Only, Tick Only connect to proxy servers that have ......
Tick On Fast Networks, Tick on Slow networks...

Choose Basic Authentication
----------------
0
 
LVL 2

Author Comment

by:Guy_Adams
ID: 18755378
The certificate is installed, I let the machine decide where to store it, is this correct?

Also when opening Outlook I get the same username and password box as when I access https://mail.mydomain.com/rpc, does that happen with you?

Thanks for your response.
0
 
LVL 22

Expert Comment

by:Olaf De Ceuster
ID: 18755437
Don't know why you make this so difficult.
Firstly: Run the internet connection wizard: In server Management> To Do List> Point 2.
General info: http://support.microsoft.com/kb/825763
Enter mail.mydomain.com for FQDN for the certificate.
Example: http://www.sbs-rocks.com/sbs2k3/sbs2k3-n2.htm
Then run the remote access wizard: To Do List, point 3. Enter mail.mydomain.com for FQDN
RPC /HTTP will be configured for you if you choose the correct options in the firewall section of the Internet connection wizard.
For this to work SBS has to be your DHCP server, Wins and DNS server.
Then log on to the RWW and in there you have a document you can follow to set up the Outlook client.
"Connect email over the internet"
Follow this document and ...done.
No need for registry edits, new profiles and other hard work.
Hope that helps,
Olaf
0
 
LVL 2

Expert Comment

by:Dave Robinson
ID: 18755440
Yes that's right.
Does Outlook accept the username and password you enter? Or does it refuse 3 times and then give up?

RPC is correctly working for it to prompt you with a username/password box, but perhaps the certificates are not correctly installed. I would try installing the certificate and manually selecting where to store. Make sure it goes into the Trusted Root Certificate Authorities.

Also make sure it is the Root certificate you are installing on your machine.
To check, open up OWA and log in. Double-click on the Certificate/Padlock icon at the bottom to view the certificate --> Go to Certification path.

You may have
Server
|-mail.domain.com

If so, select the Server and view certificate.
Go to Details and Copy to file. Save this certificate, install onto your machine, and then try again.
0
 
LVL 2

Author Comment

by:Guy_Adams
ID: 18755486
If I run outlook /rpcdiag from command line, then enter the username and password, which is accepted. Then I get the 'unable to connect to the microsoft exchange server message'

I downloaded the cert from OWA and installed as you specified into the Trusted Root Certificate Authorities but still no joy.

Thanks
0
 
LVL 2

Expert Comment

by:Dave Robinson
ID: 18755522
Sorry, something I missed from the above post was in the Outlook 2003 config.

Exchange Proxy Settings:
Principal Name should be MSSTD:mail.domain.com

Just in case that makes a difference and you don't already have this set.
0
 
LVL 2

Assisted Solution

by:Dave Robinson
Dave Robinson earned 150 total points
ID: 18755533
0
 
LVL 2

Author Comment

by:Guy_Adams
ID: 18755655
Interestingly on this guide:

http://www.msexchange.org/tutorials/Troubleshooting-RPC-over-HTTPS-Part2.html

It states you should be able to access:

https://mail.mydomain.com/rpc/rpcproxy.dll

When I try this URL I get:

The page cannot be found
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.

Upon closer inspection the file is where it should be and it shows in IIS Manager...? Part of the problem?

0
 
LVL 2

Author Comment

by:Guy_Adams
ID: 18755724
Also I have had conflicting tutorials,

One states that in the Exchange System Manager GUI you should set RPC over HTTP to: "RPC-HTTP Back-End Server" and the other tutorial says you should leave it as: "not part of an exchange managed HTTP / RPC topology"

So which should I use? Also after changing this setting does the server need to be restarted?

Thanks
0
 
LVL 2

Expert Comment

by:Dave Robinson
ID: 18755738
Hi Guy,

Back, it does seem I can access the dll file, so that's possibly the best bet of troubleshooting with the permissions in IIS.
Also it should be set to "RPC-HTTP Back-End Server"

The server does not need to be restarted, but don't forget the registry settings would probably require a restart.
0
 
LVL 2

Author Comment

by:Guy_Adams
ID: 18756600
Well I can navigate to the DLL both internally and externally and as usual the username and password box appears. After entering my username and password I then get:

The page cannot be found
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.

Does this happen for you? If not what happens after you have entered your credentials?

Thanks for your help so far.
0
 
LVL 2

Expert Comment

by:Dave Robinson
ID: 18757605
For me when I enter my credentials, it prompts me to where I want to save the .dll file.
From the server can you browse to the file via internet explorer?
0
 
LVL 2

Author Comment

by:Guy_Adams
ID: 18759633
No, I get the usual:

The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.

Would it be possible for you to let me know what permissions are on the file and what security you have assigned in IIS?

It looks like this file is the issue, I hope.

0
 
LVL 2

Author Comment

by:Guy_Adams
ID: 18767667
Can anyone advise me on the next course of action?

Something appears to be wrong with the RPCPROXY.DLL

Tomorrow I will try and reinstall the RPC over HTTP from add/remove windows components and then go through the tutorials again.

Any further advice is greatly appreciated.
0
 
LVL 22

Expert Comment

by:Olaf De Ceuster
ID: 18767979
Guy,

Did you see my previous post? This is SBS and all this is set up for you.
Did you use the wizards?
Olaf
0
 
LVL 2

Expert Comment

by:Dave Robinson
ID: 18768032
Hi Guy,

Sorry, I've been off for today - I will try and get a chance tomorrow to check our servers for the RPC settings. By all means try the way which olafdc suggests if you cannot wait.
0
 
LVL 2

Author Comment

by:Guy_Adams
ID: 18769792
Olaf, I tried your suggestion but still get the same issue, it won't connect.

The SBS server in question had to have Exchange and IIS reinstalled some time ago, do you think this has caused the issue? Everything else has been working fine, without any issues and the event logs give no clues as to why this rpcproxy doesn't seem to do what it's meant to.

Any further suggestions?
0
 
LVL 2

Expert Comment

by:Dave Robinson
ID: 18769843
Guy,

RPC Settings for our working Exchange server:
RPC --> Authentication Methods: Integrated Windows Authentication and Basic Authentication, with the Default Domain & Realm Filled in (domain.com)

Permissions:
Administrators, Creator Owner and System - Full Control
Authenticated Users Read & Execute / List Folder Contents / Read
Server Operators - Modify/Read&Execute/List Folder Contents/Read/Write

Virtual Directory Tab
Local Path: C:\WINDOWS\System32\RpcProxy
(At Bottom) Execute Permissions: Scripts and Executables
0

 
LVL 2

Author Comment

by:Guy_Adams
ID: 18770653
All my settings match yours and still the dreaded page not found.

I uninstalled RPC over HTTP from add/remove windows components, removed all the previously entered registry entries and deleted the virtual directories from IIS manager.

I then reinstalled RPC over HTTP, checked to ensure the IIS virtual directories are there then ran through the wizards as olaf suggested. On the remote access wizard, after clicking finished it went through the motions and errored just before the end, here is the rras log:

22/03/2007 12:09
C:\Program Files\Microsoft Windows Small Business Server\Networking\RRASWiz\wizrras.dll, version 5.2.2893.0
Calling CRRASCommit::CommitEx
Calling CRRASCommit::ValidatePropertyBag
pdispPPPBag->QueryInterface returned OK
PropertyBag 258da0
Reading property value for enabling Remote Access returned OK
bRemoteAccess = 1
Reading property value for VPN returned OK
bVPN = 1
Reading property value for RAS returned OK
bRAS = 0
Calling CRRASCommit::ValidateVPNProperties
Reading VPN Server Name returned OK
VPN Server Name is intranet.gascoines.com
Calling CRRASCommit::ValidateDHCPProperties
DHCP server is installed on the box
CRRASCommit::ValidateDHCPProperties returned OK
CRRASCommit::ValidateVPNProperties returned OK
CRRASCommit::ValidatePropertyBag returned OK
pdispPPPBag->QueryInterface returned OK
Pointer to the property bag 258da0
Calling CRRASCommit::CommitRRAS
Arguments:
PropertyBag 258da0
bRAS 0
bVPN 1
Getting the GUID of the private NIC returned OK
Private NIC Guid is {5BBD60F9-F23A-41A0-8D13-8187BD55B490}
Checking whether RRAS is already running returned OK
RRAS already running
Stopping RRAS returned OK
Installing RRAS returned OK
Dhcp server is installed and running on this box
Enabling DHCP client addressing returned OK
Configuring ports returned OK
Identifying the private NIC for RAS returned OK
Setting the default authentication methods returned OK
Disabling NETBIOS for RAS returned OK
Changing RRAS startup type to automatic returned OK
*** Configuring Remote Access Policy returned ERROR 80072030
Specifying error location returned OK
*** CRRASCommit::CommitRRAS returned ERROR 80072030
*** Committing RRAS returned ERROR 80072030
*** CRRASCommit::CommitEx returned ERROR 80072030

Tested https://mail.mydomain.com/rpc/rpcproxy.dll, I get the prompt for username and password and then guess what.... the dreaded page not found.

Where do I go from here?
0
 
LVL 2

Expert Comment

by:Dave Robinson
ID: 18770673
Hi Guy,

See this post for the 80072030 error you are getting at the bottom of that log:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/SBS_Small_Business_Server/Q_21991685.html
0
 
LVL 2

Author Comment

by:Guy_Adams
ID: 18770682
After a little more research it appears this is because the MyBusiness OU isn't in Active Directory, I will get this OU back then come back when the wizard has completed.
0
 
LVL 2

Author Comment

by:Guy_Adams
ID: 18770845
Well I have removed the SBS administration component and I will reinstall later when I can restart the server.

I will post back when completed.

Many thanks for your posts so far. It's much appreciated.
0
 
LVL 22

Expert Comment

by:Olaf De Ceuster
ID: 18774468
If you use the add user wizard in Server Management your users will be put in the correct OU.
If you then follow the steps (all steps) in the To Do List your RPC and many other things will work again.
Over and above you should join your workstations using the connectcomputer wizard.
This is why: http://msmvps.com/blogs/bradley/archive/2006/04/08/89925.aspx
Why don't you try it, won't take long.
This is assuming your server is handling DHCP, DNS and WINS.
Olaf
0
 
LVL 2

Author Comment

by:Guy_Adams
ID: 18778252
Olaf,

I reinstalled the administration component and SP1 for SBS 2003 early this morning to return all the missing OUs from Active Directory.

I then ran the CIECW and the Remote Connection wizard as you specified, all completed ok.... still cannot access Outlook over HTTP.

I'm fresh installing a WinXP pro pc now and will connect to network via connect computer.

I actually think all the machines in this office have been connected via the connect computer component but to be sure I'll try with a freshly installed workstation just in case.

Thanks again.
0
 
LVL 22

Accepted Solution

by:
Olaf De Ceuster earned 350 total points
ID: 18779596
1) Updated exchange to SP2 (mainly for IMF)
That's good
2) Installed a certificate which matches the MX record for my domain
You need to do this in the internet connection wizard. Delete any certificates that were not installed with wizard
3) Configured the RPC virtual directory in IIS to use basic authentication and require SSL
The wizard does that for you. You need to reverse what you did.
4) Made the required registry changes (see below)
Undo these. Wizard does this for you
5) Selected RPC-HTTP Back-End Server in Exchange system manager
Undo this. Let wizard do it.
6) Configured a new outlook profile for HTTP
Configure an existing client for http by following the article in RWW; Connect outlook over the internet
7) Forwarded ports 80 & 443 on the router to the SBS 2003 server.

Does RPC work internally?
Olaf
0
 
LVL 2

Author Comment

by:Guy_Adams
ID: 18780019
Everything works internally without issues including RPC. It's just over HTTP it doesn't seem to want to work.

I will follow your instructions step by step then get back to you.

Thanks
0
 
LVL 22

Expert Comment

by:Olaf De Ceuster
ID: 18780132
Can you put the router in DMZ mode just to try?
Also are workstations: XP SP1 with hotfix 331320 or SP2?
Olaf
0
 
LVL 2

Author Comment

by:Guy_Adams
ID: 18782061
All workstations XP Pro with SP2.

The relevant ports are open on the router.

Thanks
0
 
LVL 2

Author Comment

by:Guy_Adams
ID: 18800158
Just to let you know, I have not had time to reverse the changes and re-run the wizards yet.

I will probably do so tomorrow morning.

Many thanks
0
 
LVL 2

Author Comment

by:Guy_Adams
ID: 18808837
Well, I reversed all the changes as suggested, then followed the CIECW through, this time creating a new certificate and allowing OWA and Outlook over the internet in the wizard's options.

I then ran the Remote Access wizard (just to be sure)

After printing the 'Remote Web Workplace' document on configuring Outlook over the internet, I disconnected my laptop and connected via a 3G data card.

I went through the RWW document and still cannot get connected.

I double checked the relevant ports on the router were forwarded to our server, 80 and 443 all ok. I can get OWA no problems, I just can't get RPC over HTTP to work.

Anyone have any suggestions on diagnostic for this configuration?

Thanks
0
 
LVL 22

Expert Comment

by:Olaf De Ceuster
ID: 18813041
I assume you used the Small Business server VPN connection to set up the initial config for exchange?
Also you need to IMPORT the certificate onto the local machine. This is the certificate prompt you get when initially connecting to RWW.
Olaf
0
 
LVL 22

Expert Comment

by:Olaf De Ceuster
ID: 18813162
You only need to install the certificate for machines NOT joined to the domain.
Olaf
0
 
LVL 2

Author Comment

by:Guy_Adams
ID: 18814754
Olaf,

The computer was set up on the LAN using the http://servername/connectcomputer page on the SBS server. I then disconnected the network cable and connected to the internet via a 3G data card.

Thanks
0
 
LVL 22

Expert Comment

by:Olaf De Ceuster
ID: 18814785
In the Internet connection wizard what did you enter for the certificate?
To find out what to enter: Go to www.dnsreport.com and enter your external permanent IP address. Whatever it resolves to should be entered as certificate.
Same in the Remote Access wizard.
Olaf
0
 
LVL 2

Author Comment

by:Guy_Adams
ID: 18814970
I entered a FQDN; remote.mydomain.com which points to our WAN IP.

This is also the same in remote access wizard.

I can also use https://remote.mydomain.com/exchange to access OWA without issue.

Thanks for your help Olaf
0
 
LVL 22

Expert Comment

by:Olaf De Ceuster
ID: 18815049
I really need to have a look at this. If you can find a way to do that without infringing on this site's rules I'll gladly have a look.
Olaf
0
 
LVL 2

Author Comment

by:Guy_Adams
ID: 18817151
Olaf,

If I award the points by splitting them, 70% to you, 30% to trhitc for his efforts.

You can then have a look at www.gnasupport.co.uk where there is an email address on which you can contact me, if you are prepared to do so I would be able to run a remote assistance session?

Thanks

0
