Solved

RPC-over-HTTPS: Can't get past Outlook authentication popup.

Posted on 2007-03-22
Last Modified: 2012-08-14
I have a single-server environment running Small Business Server 2003 Enterprise.

I'm trying to enable RPC-over-HTTPS for Outlook over the Internet.

I enabled the RPC proxy through the Server Management snap-in and then went through this (http://www.petri.co.il/configure_rpc_over_https_on_a_single_server.htm) guide to get everything properly configured.

I have a valid third-party SSL certificate with the correct FQDN, I am passing ports 80 and 443 through the (external) firewall, and Outlook Web Access works just fine.

The problem that I am having is that when I try to connect with the Outlook client, I can't get past authentication.  I get a regular IE-style popup saying "Connecting to <servername.internaldomain.local>" and asking for the username and password.  I've tried every variation (username and pass, domain\username and pass, username@domain.local and pass) with no luck.  It just continues to ask for authentication.

When I run Outlook with the /rpcdiag switch, the only entry in the popup window is "Server name: servername; Type: Directory; Status: Connecting" with nothing else.

I can't get anywhere past this point.

I've tried it over the LAN and WAN with the same results, so I don't believe this is a firewall issue.

Thanks.
Question by:titan6400
12 Comments
 
LVL 10

Expert Comment

by:MATTHEW_L
ID: 18774735
Is this a single Exchange server environment?

Have a look at this.
http://www.msexchange.org/tutorials/Implementing-RPC-over-HTTPS-single-Exchange-Server-2003-environment.html

Check the permissions on the RPC virtual directory in IIS
http://www.msexchange.org/tutorials/Troubleshooting-RPC-over-HTTPS-Part2.html
 
LVL 11

Expert Comment

by:Zenith63
ID: 18774749
Is the certificate installed on the PC or trusted?  My understanding is you have to get this 100% or it will fail, with no real indication of why it's failing.  Try browsing to https://SERVER_FQDN and see if a certificate warning/accept prompt pops up. If it does, you have a problem because Outlook can't do the "Click OK" that you do to get past this.

Sembee has some great articles on his site, specifically http://amset.info/exchange/rpc-http.asp, I'd recommend a look and see if you've maybe missed something.
 

Author Comment

by:titan6400
ID: 18775003
Yes, this is a single-server environment.

The cert is good and I get no cert warnings when going through OWA or going to https://fqdn/rpc.

I'm looking through the links you guys gave, thanks.
 

Author Comment

by:titan6400
ID: 18775484
I looked through all of those links and I've already tried all of those things (but I still double-checked.)

Thanks anyway.
 
LVL 104

Expert Comment

by:Sembee
ID: 18775526
RPC over HTTPS is one of those features that either works or it doesn't.

Where I get servers where it doesn't work, I tend to remove the RPC Proxy service and then reinstall it. I then use my own registry settings, applying both the Exchange and domain controller settings to the same box. Using my own registry settings (amset.info) I have a 100% success rate.

Simon.
 

Author Comment

by:titan6400
ID: 18776294
OK well I did as you suggested and started from scratch and followed the amset.info instructions.

It seems to be working from machines on the LAN now (rpcdiag indicates connections via HTTPS only), but the same problem exists off the LAN.  I just get the popup to enter credentials, which it never accepts, and rpcdiag doesn't show anything being connected at all.

Do you need any ports beyond 443 to be open on the firewall?  Any other troubleshooting ideas?
 
LVL 10

Expert Comment

by:MATTHEW_L
ID: 18776416
443 should be the only port needed.
 

Author Comment

by:titan6400
ID: 18776676
I'm playing with the rpcping util now.  From on the LAN, I tried running this command:

rpcping -t ncacn_http -s exchange.server.local -o RpcProxy=fqdn.tld -P "<user>,<domain>,*" -I "<user>,<domain>,*" -H 2 -u 10 -a connect -F 3 -v 3 -E -R none

and got back:

RPCPinging proxy server fqdn.tld with Echo Request Packet
Sending ping to server
Response from server received: 401
Client is not authorized to ping RPC proxy
Ping failed.

I'm honestly not completely sure what to make of that, but if that helps anyone see what the problem is...
 
LVL 10

Assisted Solution

by:MATTHEW_L
MATTHEW_L earned 100 total points
ID: 18777881
Have you checked the authentication on the RPC virtual directory?  Make sure that basic authentication is checked.
 
LVL 104

Accepted Solution

by:Sembee
Sembee earned 300 total points
ID: 18778144
The common problem I see is where there is an authentication mismatch.

In IIS Manager, on the /rpc virtual directory, ensure that both integrated and basic authentication are enabled and anonymous is disabled.

In Outlook, if the machine is a member of the same domain as the Exchange server, use NTLM Authentication. If it is not, then use Basic Authentication.

Simon.
 

Author Comment

by:titan6400
ID: 18780502
Well, it was permissions, but not like you'd think.

The IP restrictions were set on that directory to deny anything outside the local subnet.  Why, I don't know, but that's what the problem was.

All is well now.

I accepted sembee with the majority of the points because before he suggested to reinstall, it wasn't working from inside or outside the network and MATTHEW L with an assist since he was also pointing towards a permissions problem.

Thanks, guys.
 
LVL 10

Expert Comment

by:MATTHEW_L
ID: 18780532
Thanks very much.  Glad it is working.

Question has a verified solution.
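
Added example, not part of the original thread: the causes raised above (authentication mismatch, rejected credentials, IP address restrictions on the /rpc virtual directory) all end in the same Outlook credential popup, but IIS 6 logs them under different status.substatus codes. This Python code reads an IIS W3C log and reports, for each client IP that never got a successful response from rpcproxy.dll, the likely cause. The log excerpt is constructed, and the LAN subnet and function names are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed IIS 6 W3C log excerpt (placeholder user, documentation WAN address).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus
2007-03-23 14:01:10 RPC_IN_DATA /rpc/rpcproxy.dll - 192.168.16.40 401 2
2007-03-23 14:01:10 RPC_IN_DATA /rpc/rpcproxy.dll DOMAIN\\user 192.168.16.40 200 0
2007-03-23 14:05:31 RPC_IN_DATA /rpc/rpcproxy.dll - 203.0.113.25 403 6
2007-03-23 14:05:33 RPC_OUT_DATA /rpc/rpcproxy.dll - 203.0.113.25 403 6
2007-03-23 14:06:02 GET /exchange/ DOMAIN\\user 203.0.113.25 200 0
"""

HINTS = {  # IIS (sc-status, sc-substatus) -> meaning
    ("401", "1"): "credentials rejected",
    ("401", "2"): "authentication method mismatch on the /rpc virtual directory",
    ("401", "3"): "NTFS ACL denies the user",
    ("403", "6"): "client IP rejected by IP address restrictions",
}

def parse_w3c(text):
    """Yield one dict per request, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def diagnose_rpc_proxy(text, lan="192.168.16.0/24"):
    """Map each client IP that never got a 2xx from rpcproxy.dll to a likely cause."""
    lan_net = ipaddress.ip_network(lan)  # assumed internal subnet
    seen = {}
    for row in parse_w3c(text):
        if row["cs-uri-stem"].lower() == "/rpc/rpcproxy.dll":
            seen.setdefault(row["c-ip"], Counter())[(row["sc-status"], row["sc-substatus"])] += 1
    report = {}
    for ip, codes in seen.items():
        if any(status.startswith("2") for status, _ in codes):
            continue  # a 401 followed by a 200 is the normal authentication challenge
        code, _ = codes.most_common(1)[0]
        where = "LAN" if ipaddress.ip_address(ip) in lan_net else "WAN"
        report[ip] = (where, ".".join(code), HINTS.get(code, "see IIS substatus list"))
    return report

if __name__ == "__main__":
    print(diagnose_rpc_proxy(SAMPLE_LOG))
```

A client that only ever shows 403.6 is being refused before authentication is attempted, so changing the Outlook or IIS authentication settings will not help it.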
