• Status: Solved

RPC over HTTPS Question

I'm having a problem setting up RPC over HTTPS for a client.  Here's the rundown:

Windows Server Ent. Edition 2003 SP2 - single server environment.
Exchange 2003 SP2
CA Trusted from GoDaddy
Client using Outlook 2007

I have uninstalled and reinstalled the RPC proxy.  I have applied a CA from GoDaddy and tested it.  I have used rpccfg to check the proxy ports.  I have tested internally and externally, and it continues to fail to connect.  I have used rpcdiag to test it.

I have checked the IIS VDs (virtual directories) and they are as follows:

Default Web Site - Requires SSL, Anonymous only checked
Exadmin - SSL not required, Integrated and Basic checked.  Default domain is domain.local
Exchange - Requires SSL, Integrated and Basic checked.  Default domain is domain.local
ExchWeb - Requires SSL, Anonymous, Integrated, and Basic checked.  Default domain is domain.local
Public - Requires SSL, Integrated and Basic checked.  Default domain is domain.local
RPC - Requires SSL, Integrated and Basic checked.  Default domain is domain.local

I have browsed from outside the network to https://mail.domain.com/rpc and gotten the 401.3 error, which is expected.  Rpcdiag shows the server name and Directory attempting to connect, then it fails.  The cert is the same as the external domain name.  The ncan registry entry is visible.  The RPC tab in ESM shows "Not part of an Exchange managed RPC topology".  Port 443 is forwarded properly as well.

I'm stumped.
Asked by: Michael S
1 Solution
 
JohnDemerjian commented:
I used these guidelines with success the first time through on a single server.  Double check your work against these instructions.  http://www.petri.co.il/configure_rpc_over_https_on_a_single_server.htm
 
Sembee commented:
There are basically three areas that this feature fails on

- SSL certificate
- authentication
- registry

It seems that you have tested the first two, so it has to be the third. Daniel and I differ on what registry settings are required. My version is here: http://www.amset.info/exchange/rpc-http.asp

Simon.
 
Michael S (author) commented:
Yes, I typically only follow Sembee's instructions, and have never had any issues until now.  I double checked those registry settings using rpccfg and they seem okay.  I used only the single server settings - should I attempt to add the 593 ports as well just in case?
 
JohnDemerjian commented:
jay dale

While I am no Sembee, I'll offer what I can. Since you did reinstall the RPC proxy, this might be relevant - http://www.petri.co.il/rpc_over_http_error_4013_after_windows_2003_sp1.htm

Here is a good troubleshooting article: http://www.petri.co.il/testing_rpc_over_http_connection.htm

Nothing at all relevant in the Event Viewer?


 
Sembee commented:
RPC over HTTPS either works or it doesn't. Leaves nothing in the event viewer. You can go around and around for ages. I usually end up removing the RPC Proxy, then the virtual directories in IIS Manager. After doing that run iisreset to write the change to the IIS metabase and reinstall the proxy and do the registry settings fresh.

Simon.
 
Michael S (author) commented:
Okay, I worked with it a bit, but now when I run rpcdiag, it connects and downloads mail, but the Directory settings show as Disconnected while the Mail settings show as HTTPS.  Is that registry or Offline address book settings?
 
Sembee commented:
Directory usually means you either haven't made the domain controller registry change or are not pointing the registry settings on the server to a valid domain controller. It needs to be a Windows 2003 DC/GC.

Simon.
 
Michael S (author) commented:
This is my current registry setting:

server:100-5000;server.domain.local:6001-6002;server:6001-6002;
server:6004;server.domain.local:6004;mail.externalcom:6001-6002;
mail.external.com:6004;server:593;server.domain.local:593;mail.external.com:593

All one line, of course.  Rpccfg /hd shows no errors or alignment problems.

I have reset the IIS directories and cleaned up the metadata, removed and readded the RPCProxy, and reconfigured the registry entries.  Still no luck.

Interestingly enough, I actually open the mailbox with Outlook and it sends/receives mail, but the rpcdiag still shows Directory as disconnected and the Mail as HTTPS.
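As an added example (not code from the thread or from either expert), a small Python checker for the ValidPorts string format posted above: it parses each host:port or host:low-high entry, groups the ports by host name, and reports which of the store/directory ports (6001, 6002, 6004) each name does not cover. Run against the thread's own value, it flags mail.externalcom and mail.external.com as each covering only part of the set; whether the missing dot is a typo in the post or in the registry, the thread does not say. The function names and the treatment of 593 as optional are this example's own assumptions.

```python
import re
from collections import defaultdict

# Ports RPC over HTTP needs for every server name in ValidPorts on Exchange 2003:
# 6001 (store), 6002 (DSReferral), 6004 (DSProxy/NSPI). Port 593 (endpoint mapper)
# is discussed in the thread as optional, so it is not required here (assumption).
REQUIRED_PORTS = (6001, 6002, 6004)

# One entry: host, colon, single port or low-high range. Hosts may contain dots/dashes.
_ENTRY = re.compile(r"^([A-Za-z0-9.-]+):(\d+)(?:-(\d+))?$")


def parse_valid_ports(value):
    """Parse a ValidPorts string into {host: set(ports)}.

    Entries are ';'-separated; a trailing ';' is tolerated. A malformed entry or
    an out-of-range port raises ValueError so a typo does not pass silently."""
    hosts = defaultdict(set)
    for raw in value.split(";"):
        entry = raw.strip()
        if not entry:
            continue
        m = _ENTRY.match(entry)
        if not m:
            raise ValueError("malformed ValidPorts entry: %r" % entry)
        host, low = m.group(1), int(m.group(2))
        high = int(m.group(3)) if m.group(3) else low
        if not (1 <= low <= high <= 65535):
            raise ValueError("bad port range in entry: %r" % entry)
        hosts[host].update(range(low, high + 1))
    return dict(hosts)


def missing_ports(value, required=REQUIRED_PORTS):
    """Return {host: [required ports not covered]} for hosts that lack any."""
    return {host: [p for p in required if p not in ports]
            for host, ports in parse_valid_ports(value).items()
            if any(p not in ports for p in required)}


# Constructed sample: the ValidPorts value posted in the thread above, joined to one line.
THREAD_VALUE = (
    "server:100-5000;server.domain.local:6001-6002;server:6001-6002;"
    "server:6004;server.domain.local:6004;mail.externalcom:6001-6002;"
    "mail.external.com:6004;server:593;server.domain.local:593;mail.external.com:593"
)

if __name__ == "__main__":
    for host, ports in missing_ports(THREAD_VALUE).items():
        print("%s is missing %s" % (host, ports))
```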
 
Michael S (author) commented:
Also interestingly enough, I set up the Outlook properties to use NTLM, but the PC I'm testing from is not a domain member and it is not prompting for any kind of login.  Could this be the issue?
 
Michael S (author) commented:
Ok, after changing it to Basic Authentication, I get a login prompt, enter in the credentials, and the Directory settings show up as Connected now.

I thought that setting it up as NTLM, it would check to see if the computer was a domain member and if not, would then revert to Basic Auth.  Is this not right?
 
Sembee commented:
If the machine is not a member of the domain then you cannot use NTLM/Integrated authentication. Pass-through authentication has worked for Exchange, but not for the domain because it is not the domain credentials. For non-domain members you must use Basic.

Simon.
 
Michael S (author) commented:
I understand what NTLM is; however, in the past I have been able to choose NTLM as a standard, and when the computer is not a domain member it would then use Basic Auth. That's why this particular case is giving me an issue.
 
Sembee commented:
I don't know what you have done in the past, but there is no fallback in Outlook.
If you have set the Outlook RPC over HTTPS settings to use NTLM then it will try to use that; if it fails to do so, you will have problems.
The simple fact is that while you may have got away with NTLM on a non-domain member, that doesn't mean it was the right way of working. Non-domain members should use Basic authentication because they are not part of the domain and are unable to communicate with domain controllers.

Simon.