Solved

RPC-over-HTTPS: Can't get past Outlook authentication popup.

Posted on 2007-03-22
Last Modified: 2012-08-14
I have a single-server environment running Small Business Server 2003 Enterprise.

I'm trying to enable RPC-over-HTTPS for Outlook over the Internet.

I enabled the RPC proxy through the Server Management snap-in and then went through this (http://www.petri.co.il/configure_rpc_over_https_on_a_single_server.htm) guide to get everything properly configured.

I have a valid third-party SSL certificate with the correct FQDN, I am passing ports 80 and 443 through the (external) firewall, and Outlook Web Access works just fine.

The problem that I am having is that when I try to connect with the Outlook client, I can't get past authentication.  I get a regular IE-style popup saying "Connecting to <servername.internaldomain.local>" and asking for the username and password.  I've tried every variation (username and pass, domain\username and pass, username@domain.local and pass) with no luck.  It just continues to ask for authentication.

When I run Outlook with the /rpcdiag switch, the only entry in the popup window is "Server name: servername; Type: Directory; Status: Connecting" with nothing else.

I can't get anywhere past this point.

I've tried it over the LAN and WAN with the same results, so I don't believe this is a firewall issue.

Thanks.
Question by:titan6400
12 Comments
 
LVL 10

Expert Comment

by:MATTHEW_L
ID: 18774735
Is this a single Exchange server environment?

Have a look at this.
http://www.msexchange.org/tutorials/Implementing-RPC-over-HTTPS-single-Exchange-Server-2003-environment.html

Check the permissions on the RPC virtual directory in IIS
http://www.msexchange.org/tutorials/Troubleshooting-RPC-over-HTTPS-Part2.html
0
 
LVL 11

Expert Comment

by:Zenith63
ID: 18774749
Is the certificate installed on the PC or trusted?  My understanding is you have to get this 100% or it will fail, with no real indication of why it's failing.  Try browsing to https://SERVER_FQDN and see if a certificate warning/accept prompt pops up. If it does, you have a problem because Outlook can't do the "Click OK" that you do to get past this.

Sembee has some great articles on his site, specifically http://amset.info/exchange/rpc-http.asp. I'd recommend a look to see if you've maybe missed something.
0
 

Author Comment

by:titan6400
ID: 18775003
Yes, this is a single-server environment.

The cert is good and I get no cert warnings when going through OWA or going to https://fqdn/rpc.

I'm looking through the links you guys gave, thanks.
0
 

Author Comment

by:titan6400
ID: 18775484
I looked through all of those links and I've already tried all of those things (but I still double-checked.)

Thanks anyway.
0
 
LVL 104

Expert Comment

by:Sembee
ID: 18775526
RPC over HTTPS is one of those features that either works or it doesn't.

Where I get servers where it doesn't work, I tend to remove the RPC Proxy service and then reinstall it. I then use my own registry settings, applying both the Exchange and domain controller settings to the same box. Using my own registry settings (amset.info) I have a 100% success rate.

Simon.
0
 

Author Comment

by:titan6400
ID: 18776294
OK well I did as you suggested and started from scratch and followed the amset.info instructions.

It seems to be working from machines on the LAN now (rpcdiag indicates connections via HTTPS only), but the same problem exists off the LAN.  I just get the popup to enter credentials, which it never accepts, and rpcdiag doesn't show anything being connected at all.

Do you need any ports beyond 443 to be open on the firewall?  Any other troubleshooting ideas?
0
 
LVL 10

Expert Comment

by:MATTHEW_L
ID: 18776416
443 should be the only port needed.
0
 

Author Comment

by:titan6400
ID: 18776676
I'm playing with the rpcping util now.  From on the LAN, I tried running this command:

rpcping -t ncacn_http -s exchange.server.local -o RpcProxy=fqdn.tld -P "<user>,<domain>,*" -I "<user>,<domain>,*" -H 2 -u 10 -a connect -F 3 -v 3 -E -R none

and got back:

RPCPinging proxy server fqdn.tld with Echo Request Packet
Sending ping to server
Response from server received: 401
Client is not authorized to ping RPC proxy
Ping failed.

I'm honestly not completely sure what to make of that, but if that helps anyone see what the problem is...
0
 
LVL 10

Assisted Solution

by:MATTHEW_L
MATTHEW_L earned 100 total points
ID: 18777881
Have you checked the authentication on the RPC virtual directory?  Make sure that basic authentication is checked.
0
 
LVL 104

Accepted Solution

by:Sembee
Sembee earned 300 total points
ID: 18778144
The common problem I see is where there is an authentication mismatch.

In IIS Manager, on the /rpc virtual directory, ensure that both integrated and basic authentication are enabled and anonymous is disabled.

In Outlook, if the machine is a member of the same domain as the Exchange server, use NTLM Authentication. If it is not, then use Basic Authentication.

Simon.
0
 

Author Comment

by:titan6400
ID: 18780502
Well, it was permissions, but not like you'd think.

The IP restrictions were set on that directory to deny anything outside the local subnet.  Why, I don't know, but that's what the problem was.

All is well now.

I accepted sembee with the majority of the points because before he suggested to reinstall, it wasn't working from inside or outside the network and MATTHEW L with an assist since he was also pointing towards a permissions problem.

Thanks, guys.
0
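
The two checks this thread ended up needing (the authentication methods on the /rpc virtual directory and its IP restriction), as an added example that is not part of the original posts. It assumes the values were read from IIS by hand; the function names, the subnet and the client addresses are constructed for illustration, and the bit values are the IIS 6 metabase AuthFlags ones.

```python
import ipaddress

# IIS 6 metabase AuthFlags bits.
AUTH_ANONYMOUS, AUTH_BASIC, AUTH_NTLM = 0x1, 0x2, 0x4


def auth_findings(auth_flags):
    """Compare an AuthFlags value with the advice given for /rpc in this thread."""
    findings = []
    if auth_flags & AUTH_ANONYMOUS:
        findings.append("anonymous access is enabled")
    if not auth_flags & AUTH_BASIC:
        findings.append("basic authentication is disabled")
    if not auth_flags & AUTH_NTLM:
        findings.append("integrated (NTLM) authentication is disabled")
    return findings


def ip_allowed(client_ip, grant_by_default, exceptions):
    """IIS-style IP restriction: addresses on the exception list get the
    opposite of the default (granted if the default is deny, and vice versa)."""
    addr = ipaddress.ip_address(client_ip)
    listed = any(addr in ipaddress.ip_network(net) for net in exceptions)
    return grant_by_default != listed


def audit_rpc_vdir(auth_flags, grant_by_default, exceptions, test_clients):
    """Return every finding for one virtual directory and a set of client IPs."""
    report = auth_findings(auth_flags)
    for ip in test_clients:
        if not ip_allowed(ip, grant_by_default, exceptions):
            report.append(f"{ip} is blocked by the IP restriction")
    return report


# Constructed sample: authentication set as advised (basic + integrated, no
# anonymous), but access denied by default with only the LAN subnet granted.
SAMPLE = dict(
    auth_flags=AUTH_BASIC | AUTH_NTLM,
    grant_by_default=False,
    exceptions=["192.168.16.0/24"],                   # constructed LAN subnet
    test_clients=["192.168.16.50", "203.0.113.25"],   # LAN host, outside host
)

if __name__ == "__main__":
    for line in audit_rpc_vdir(**SAMPLE) or ["no findings"]:
        print(line)
```

With the sample values the authentication settings pass and only the outside address is reported, which matches the symptom described above: working on the LAN, failing off it.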
 
LVL 10

Expert Comment

by:MATTHEW_L
ID: 18780532
Thanks very much.  Glad it is working.
0
