Solved

RPC-over-HTTPS: Can't get past Outlook authentication popup.

Posted on 2007-03-22
Last Modified: 2012-08-14
I have a single-server environment running Small Business Server 2003 Enterprise.

I'm trying to enable RPC-over-HTTPS for Outlook over the Internet.

I enabled the RPC proxy through the Server Management snap-in and then went through this (http://www.petri.co.il/configure_rpc_over_https_on_a_single_server.htm) guide to get everything properly configured.

I have a valid third-party SSL certificate with the correct FQDN, I am passing ports 80 and 443 through the (external) firewall, and Outlook Web Access works just fine.

The problem that I am having is that when I try to connect with the Outlook client, I can't get past authentication.  I get a regular IE-style popup saying "Connecting to <servername.internaldomain.local>" and asking for the username and password.  I've tried every variation (username and pass, domain\username and pass, username@domain.local and pass) with no luck.  It just continues to ask for authentication.

When I run Outlook with the /rpcdiag switch, the only entry in the popup window is "Server name: servername; Type: Directory; Status: Connecting" with nothing else.

I can't get anywhere past this point.

I've tried it over the LAN and WAN with the same results, so I don't believe this is a firewall issue.

Thanks.
Question by:titan6400
 
LVL 10

Expert Comment

by:MATTHEW_L
ID: 18774735
Is this a single Exchange server environment?

Have a look at this.
http://www.msexchange.org/tutorials/Implementing-RPC-over-HTTPS-single-Exchange-Server-2003-environment.html

Check the permissions on the RPC virtual directory in IIS
http://www.msexchange.org/tutorials/Troubleshooting-RPC-over-HTTPS-Part2.html
0
 
LVL 11

Expert Comment

by:Zenith63
ID: 18774749
Is the certificate installed on the PC or trusted?  My understanding is you have to get this 100% or it will fail, with no real indication of why it's failing.  Try browsing to https://SERVER_FQDN and see if a certificate warning/accept prompt pops up. If it does, you have a problem, because Outlook can't do the "Click OK" that you do to get past this.

Sembee has some great articles on his site, specifically http://amset.info/exchange/rpc-http.asp, I'd recommend a look and see if you've maybe missed something.
0
 

Author Comment

by:titan6400
ID: 18775003
Yes, this is a single-server environment.

The cert is good and I get no cert warnings when going through OWA or going to https://fqdn/rpc.

I'm looking through the links you guys gave, thanks.
0

 

Author Comment

by:titan6400
ID: 18775484
I looked through all of those links and I've already tried all of those things (but I still double-checked.)

Thanks anyway.
0
 
LVL 104

Expert Comment

by:Sembee
ID: 18775526
RPC over HTTPS is one of those features that either works or it doesn't.

Where I get servers where it doesn't work, I tend to remove the RPC Proxy service and then reinstall it. I then use my own registry settings, applying both the Exchange and domain controller settings to the same box. Using my own registry settings (amset.info) I have a 100% success rate.

Simon.
0
 

Author Comment

by:titan6400
ID: 18776294
OK well I did as you suggested and started from scratch and followed the amset.info instructions.

It seems to be working from machines on the LAN now (rpcdiag indicates connections via HTTPS only), but the same problem exists off the LAN.  I just get the popup to enter credentials, which it never accepts, and rpcdiag doesn't show anything being connected at all.

Do you need any ports beyond 443 to be open on the firewall?  Any other troubleshooting ideas?
0
 
LVL 10

Expert Comment

by:MATTHEW_L
ID: 18776416
443 should be the only port needed.
0
 

Author Comment

by:titan6400
ID: 18776676
I'm playing with the rpcping util now.  From on the LAN, I tried running this command:

rpcping -t ncacn_http -s exchange.server.local -o RpcProxy=fqdn.tld -P "<user>,<domain>,*" -I "<user>,<domain>,*" -H 2 -u 10 -a connect -F 3 -v 3 -E -R none

and got back:

RPCPinging proxy server fqdn.tld with Echo Request Packet
Sending ping to server
Response from server received: 401
Client is not authorized to ping RPC proxy
Ping failed.

I'm honestly not completely sure what to make of that, but if that helps anyone see what the problem is...
0
 
LVL 10

Assisted Solution

by:MATTHEW_L
MATTHEW_L earned 100 total points
ID: 18777881
Have you checked the authentication on the RPC virtual directory?  Make sure that basic authentication is checked.
0
 
LVL 104

Accepted Solution

by:Sembee
Sembee earned 300 total points
ID: 18778144
The common problem I see is where there is an authentication mismatch.

In IIS Manager, on the /rpc virtual directory, ensure that both integrated and basic authentication are enabled and anonymous is disabled.

In Outlook, if the machine is a member of the same domain as the Exchange server, use NTLM Authentication. If it is not, then use Basic Authentication.

Simon.
0
 

Author Comment

by:titan6400
ID: 18780502
Well, it was permissions, but not like you'd think.

The IP restrictions were set on that directory to deny anything outside the local subnet.  Why, I don't know, but that's what the problem was.

All is well now.

I accepted Sembee with the majority of the points because, before he suggested reinstalling, it wasn't working from inside or outside the network, and MATTHEW_L with an assist since he was also pointing towards a permissions problem.

Thanks, guys.
0
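
The two failure modes discussed in this thread, an authentication mismatch on the /rpc virtual directory and IP address restrictions on it, leave different status and sub-status pairs in the IIS W3C log. The following is an added example, not part of any post in the thread, that separates them per client; it assumes W3C extended logging with the sc-substatus field enabled, and the log lines, addresses and user name are constructed.

```python
# Sub-status meanings as documented for IIS 6.0.
MEANING = {
    ("401", "1"): "logon failed (credentials rejected)",
    ("401", "2"): "logon failed due to server configuration (auth method mismatch)",
    ("401", "3"): "unauthorized due to ACL on resource",
    ("403", "4"): "SSL required",
    ("403", "6"): "IP address rejected (directory IP restrictions)",
}

# Constructed sample log (addresses, user and timestamps are made up).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-substatus sc-win32-status
2007-03-22 14:01:10 192.168.16.25 - RPC_IN_DATA /rpc/rpcproxy.dll 401 2 2148074254
2007-03-22 14:01:11 192.168.16.25 DOMAIN\\user RPC_IN_DATA /rpc/rpcproxy.dll 200 0 0
2007-03-22 14:05:42 203.0.113.7 - RPC_IN_DATA /rpc/rpcproxy.dll 403 6 0
2007-03-22 14:05:43 203.0.113.7 - RPC_OUT_DATA /rpc/rpcproxy.dll 403 6 0
2007-03-22 14:06:00 203.0.113.7 - GET /exchange/ 401 2 2148074254
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def triage(text, path="/rpc/"):
    """Map each client IP that never got a 2xx under `path` to its last failure."""
    succeeded, last_failure = set(), {}
    for rec in parse_w3c(text):
        if not rec["cs-uri-stem"].lower().startswith(path):
            continue
        if rec["sc-status"].startswith("2"):
            succeeded.add(rec["c-ip"])
        else:
            last_failure[rec["c-ip"]] = (rec["sc-status"], rec.get("sc-substatus", "0"))
    return {ip: MEANING.get(code, "HTTP %s.%s" % code)
            for ip, code in last_failure.items() if ip not in succeeded}

if __name__ == "__main__":
    for ip, why in triage(SAMPLE_LOG).items():
        print(ip, "->", why)
```

A 401 that is followed by a 2xx from the same client is the normal challenge and response, which is why clients with any success are left out of the report.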
 
LVL 10

Expert Comment

by:MATTHEW_L
ID: 18780532
Thanks very much.  Glad it is working.
0
