Solved

RPC over HTTPS Question

Posted on 2007-11-15
960 Views
Last Modified: 2008-02-01
I'm having a problem setting up RPC over HTTPS for a client.  Here's the rundown:

Windows Server Ent. Edition 2003 SP2 - single server environment.
Exchange 2003 SP2
CA Trusted from GoDaddy
Client using Outlook 2007

I have uninstalled and reinstalled the RPC proxy.  I have applied a CA from GoDaddy and tested it.  I have used rpccfg to check the proxy ports.  I have tested internally and externally, and it continues to fail to connect.  I have used rpcdiag to test it.

I have checked the IIS VD's and they are as follows:

Default Web Site - Requires SSL, Anonymous only checked
Exadmin - SSL not required, Integrated and Basic checked.  Default domain is domain.local
Exchange - Requires SSL, Integrated and Basic checked.  Default domain is domain.local
ExchWeb - Requires SSL, Anonymous, Integrated, and Basic checked.  Default domain is domain.local
Public - Requires SSL, Integrated and Basic checked.  Default domain is domain.local
RPC - Requires SSL, Integrated and Basic checked.  Default domain is domain.local

I have browsed from outside the network to https://mail.domain.com/rpc and gotten the 401.3 error, which is expected.  Rpcdiag shows the server name and Directory attempting to connect, then it fails.  The cert is the same as the external domain name.  The ncan registry entry is visible.  The RPC tab in ESM shows "Not part of an Exchange managed RPC topology".  Port 443 is forwarded properly as well.

I'm stumped.
Question by:Michael S
13 Comments
 
LVL 5

Expert Comment

by:JohnDemerjian
ID: 20291637
I used these guidelines with success the first time through on a single server.  Double check your work against these instructions.  http://www.petri.co.il/configure_rpc_over_https_on_a_single_server.htm
 
LVL 104

Expert Comment

by:Sembee
ID: 20294366
There are basically three areas that this feature fails on

- SSL certificate
- authentication
- registry

It seems that you have tested the first two, so it has to be the third. Daniel and I differ on what registry settings are required. My version is here: http://www.amset.info/exchange/rpc-http.asp

Simon.
 
LVL 6

Author Comment

by:Michael S
ID: 20298592
Yes, I typically only follow Sembee's instructions, and have never had any issues until now.  I double checked those registry settings using rpccfg and they seem okay.  I used only the single server settings - should I attempt to add the 593 ports as well just in case?
 
LVL 5

Expert Comment

by:JohnDemerjian
ID: 20300518
jay dale

while i am no sembee, i'll offer what i can.  since you did reinstall the rpc proxy, this might be relevant - http://www.petri.co.il/rpc_over_http_error_4013_after_windows_2003_sp1.htm

here is a good troubleshooting article http://www.petri.co.il/testing_rpc_over_http_connection.htm

nothing at all relevant in the event viewer?


 
LVL 104

Expert Comment

by:Sembee
ID: 20300758
RPC over HTTPS either works or it doesn't. Leaves nothing in the event viewer. You can go around and around for ages. I usually end up removing the RPC Proxy, then the virtual directories in IIS Manager. After doing that run iisreset to write the change to the IIS metabase and reinstall the proxy and do the registry settings fresh.

Simon.
 
LVL 6

Author Comment

by:Michael S
ID: 20421665
Okay, I worked with it a bit, but now when I run rpcdiag, it connects and downloads mail, but the Directory settings show as Disconnected while the Mail settings show as HTTPS.  Is that registry or Offline address book settings?
 
LVL 104

Expert Comment

by:Sembee
ID: 20423074
Directory usually means you either haven't made the domain controller registry change or are not pointing the registry settings on the server to a valid domain controller. It needs to be a Windows 2003 DC/GC.

Simon.
 
LVL 6

Author Comment

by:Michael S
ID: 20423270
This is my current registry setting:

server:100-5000;server.domain.local:6001-6002;server:6001-6002;
server:6004;server.domain.local:6004;mail.external.com:6001-6002;
mail.external.com:6004;server:593;server.domain.local:593;mail.external.com:593

All one line, of course.  Rpccfg /hd shows no errors or alignment problems.

I have reset the IIS directories and cleaned up the metadata, removed and readded the RPCProxy, and reconfigured the registry entries.  Still no luck.

Interestingly enough, I actually open the mailbox with Outlook and it sends/receives mail, but the rpcdiag still shows Directory as disconnected and the Mail as HTTPS.
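A small checker for a ValidPorts string like the one posted above, added here as an illustration and not part of the thread or of rpccfg. It parses the semicolon-separated host:port and host:low-high entries, reports malformed entries, and flags any expected host that is missing one of the ports the Exchange 2003 single-server layout uses (6001 and 6002 for the store and referral interfaces, 6004 for the directory proxy; 593 is treated as optional, as in the discussion above). The sample value is constructed to resemble the posted one, with one hostname deliberately mistyped so the checker has something to report; the host list passed in is likewise an assumption.

```python
"""Sanity-check a ValidPorts string for the RPC proxy (Exchange 2003 RPC over HTTPS).

Added example, not from the thread. It parses the semicolon-separated
"host:port" / "host:low-high" list and reports entries that are malformed,
hosts that lack a port the single-server layout needs (6001, 6002, 6004),
and hosts that are not in the expected list (usually a typo that Outlook
will never be referred to). It does not read the registry; paste the value in.
"""
import re
from collections import defaultdict

# Ports the Exchange 2003 single-server RPC over HTTPS setup relies on:
# 6001/6002 for the store and referral interfaces, 6004 for the directory
# proxy. 593 (endpoint mapper) appears in some guides and is optional here.
REQUIRED_PORTS = {6001, 6002, 6004}

# host, then either a single port or an inclusive low-high range
ENTRY_RE = re.compile(r"^(?P<host>[A-Za-z0-9.-]+):(?P<lo>\d+)(?:-(?P<hi>\d+))?$")


def parse_valid_ports(value):
    """Return ({host: set(ports)}, [errors]) for a ValidPorts string."""
    ports_by_host = defaultdict(set)
    errors = []
    for raw in value.split(";"):
        entry = raw.strip()
        if not entry:            # tolerate a trailing ';'
            continue
        m = ENTRY_RE.match(entry)
        if not m:
            errors.append(f"malformed entry: {entry!r}")
            continue
        lo = int(m.group("lo"))
        hi = int(m.group("hi") or lo)
        if not (1 <= lo <= hi <= 65535):
            errors.append(f"bad port range: {entry!r}")
            continue
        ports_by_host[m.group("host").lower()].update(range(lo, hi + 1))
    return dict(ports_by_host), errors


def check_valid_ports(value, expected_hosts):
    """List problems: parse errors, expected hosts missing required ports,
    and hosts present in the value but absent from expected_hosts."""
    ports_by_host, issues = parse_valid_ports(value)
    expected = {h.lower() for h in expected_hosts}
    for host in sorted(expected):
        missing = sorted(REQUIRED_PORTS - ports_by_host.get(host, set()))
        if missing:
            issues.append(f"{host}: missing ports {missing}")
    for host in sorted(set(ports_by_host) - expected):
        issues.append(f"unexpected host {host!r} (typo?)")
    return issues


# Constructed sample modelled on the thread's value; 'mail.externalcom'
# is deliberately mistyped so the checker has something to flag.
SAMPLE = (
    "server:100-5000;server.domain.local:6001-6002;server:6001-6002;"
    "server:6004;server.domain.local:6004;mail.externalcom:6001-6002;"
    "mail.external.com:6004;server:593;server.domain.local:593;mail.external.com:593"
)
# Assumed names: NetBIOS name, internal FQDN and the external name on the cert.
SAMPLE_HOSTS = ["server", "server.domain.local", "mail.external.com"]

if __name__ == "__main__":
    for issue in check_valid_ports(SAMPLE, SAMPLE_HOSTS):
        print(issue)
```

Run against the sample it reports that mail.external.com lacks 6001 and 6002 and that 'mail.externalcom' is an unexpected host, which is exactly the kind of one-character slip that rpccfg's alignment check will not catch because the entry is still well-formed.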
 
LVL 6

Author Comment

by:Michael S
ID: 20423297
Also interestingly enough, I set up the Outlook properties to use NTLM, but the PC I'm testing from is not a domain member and it is not prompting for any kind of login.  Could this be the issue?
 
LVL 6

Author Comment

by:Michael S
ID: 20423320
Ok, after changing it to Basic Authentication, I get a login prompt, enter in the credentials, and the Directory settings show up as Connected now.

I thought that setting it up as NTLM, it would check to see if the computer was a domain member and if not, would then revert to Basic Auth.  Is this not right?
 
LVL 104

Expert Comment

by:Sembee
ID: 20426734
If the machine is not a member of the domain then you cannot use NTLM/Integrated authentication. Pass through authentication has worked for Exchange, but not for the domain because it is not the domain credentials. For non domain members you must use basic.

Simon.
 
LVL 6

Author Comment

by:Michael S
ID: 20427387
I understand what NTLM is, however in the past I have been able to choose NTLM as a standard, and when the computer is not a domain member it would then use Basic Auth.  That's why this particular case is giving me an issue.
 
LVL 104

Accepted Solution

by:
Sembee earned 500 total points
ID: 20427984
I don't know what you have done in the past, but there is no fail back in Outlook.
If you have set Outlook RPC over HTTPS settings to use NTLM then it will try and use that, if it fails to do so then you will have problems.
The simple fact is that while you may have got away with NTLM on a non domain member, that doesn't mean it was the right way of working. Non domain members should use basic authentication because they are not part of the domain and are unable to communicate with domain controllers.

Simon.