RPC over HTTP - followed petri and amset, tried freessl - no luck

Dear Exchange Experts

I followed Petri's solution (http://www.petri.co.il/configure_rpc_over_https_on_a_single_server.htm) and also Amset's solution (http://www.amset.info/exchange/rpc-http.asp). I have double checked it several times and i cannot find the problem.

When I configure outlook to connect using RPC over HTTP I get to the login box, but it does not accept the login credentials and pops up again and again. When I press cancel it says that the connection to ms exchange server is unavaible and that the name cannot be resolved.
Is there a specific way that the name has to be written, i.e. domain\username or just username?
Outlook connects fine locally, but using HTTPS always TCP/IP

OWA works fine with my own CA - it does not report any problems with the certificate.
Have also tried a cert form freessl and OWA also works fine using this cert.

If I try to acces RPC folder by typing https://mail.domain.com/rpc it reports  "HTTP Error 404 - File or directory not found."
This website has been created from exchange system manager.

If I instead type https://servername.domain.com/rpc it reports after typing password 3 times "HTTP Error 401.3 - Unauthorized: Access is denied due to an ACL set on the requested resource."

Regarding port forwarding in my router: 80 and 443 are routed to my server. And recently I saw that the ports for global catalog server 6000-6004 also should be opened and I did so without any luck. But I am not sure about this. Any comments?

Hoping for some help
Regards Anker74
Anker74Asked:
Who is Participating?
 
LeeDerbyshireConnect With a Mentor Commented:
If you have more problems, I think it would better to open a new question, since it will then be higher up the list.
0
 
LeeDerbyshireCommented:
Access denied due to ACL means that the user does not have have sufficient NTFS permissions in the directory specified as the source for IIS.  In IIS Manager, you should see the Virtual Directory named rpc.  If you look at the properties, what location is specified for its home directory?  I only have E2007 now, so I can't physically check this value for E2003 any more.
0
 
Anker74Author Commented:
The NTFS persmissions for

rpcproxy is:
Administrators - Full
Authenticated Users - Read, Read & Execute, List folder contens
Creator Owner - special permission
Server Operators - modify, read, write..
SYSTEM - full

rpcproxy.dll is:
Administrators - full
Everyone - read, read & execute
SYSTEM - full
Users - read, read & execute
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LeeDerbyshireCommented:
Well, they seem to be fairly relaxed.  Still, the 401.3 error is still being generated by something.  You will need to look in your IIS log file to see exactly which file request is returning that 401.3 .  Note that the times in the IIS log files are in GMT.  Paste us the relevant lines if you can find them.
0
 
Anker74Author Commented:
I looked in C:\WINDOWS\system32\LogFiles\W3SVC1 and selected the log latest changed log file.
This is what is closest to the time I tried to get access to RPC.

2008-02-06 14:06:47 192.168.1.20 GET /rpc - 443 - 130.226.107.5 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+InfoPath.2) 401 2 2148074254
2008-02-06 14:06:51 192.168.1.20 GET /rpc - 443 anker 130.226.107.5 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+InfoPath.2) 301 0 0
2008-02-06 14:06:51 192.168.1.20 GET /rpc/ - 443 anker 130.226.107.5 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+InfoPath.2) 401 3 5
2008-02-06 14:06:53 192.168.1.20 GET /rpc/ - 443 anker 130.226.107.5 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+InfoPath.2) 401 3 5
2008-02-06 14:06:55 192.168.1.20 GET /rpc/ - 443 anker 130.226.107.5 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+InfoPath.2) 401 3 5
0
 
LeeDerbyshireCommented:
Okay, well the first failure is the line below.  It indicates that IIS has accepted the logon name 'anker', but that this account does not have NTFS Read and Execute permissions on the folder that /rpc gets its content from (you can see the 401 3 near the end).  But I assume that this doesn't agree with what you've already checked in Explorer?

2008-02-06 14:06:51 192.168.1.20 GET /rpc/ - 443 anker 130.226.107.5 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+InfoPath.2) 401 3 5
0
 
Anker74Author Commented:
I do not understand this
    "But I assume that this doesn't agree with what you've already checked in Explorer?"

0
 
LeeDerbyshireCommented:
I was referring to the NTFS permissions you checked and posted earlier.  Since IIS has accepted and recorded an account name, it will impersonate this account to access the resources it needs from the disk drive.  The named account (I guess it is you) is certain to be in the Authenticated Users and Everyone groups, which you have already verified to have the required Read and Execute rights.  This seems to contradict the ACL error reported by IIS, unless rpcproxy.dll in turn accesses something else with tighter permissions.  Is the account you are using an Admin account?
0
 
Anker74Author Commented:
Yes the account is me and I am a member of the administrators group.
0
 
LeeDerbyshireCommented:
Hmm.  That is confusing.  This is the best article I know of for diagnosing IIS 401 errors:

http://blogs.msdn.com/david.wang/archive/2005/07/14/HOWTO_Diagnose_IIS_401_Access_Denied.aspx

I don't think it adds much to what we've tried, but the filemon suggestion is interesting.
0
 
Anker74Author Commented:
I tried the filmon and I extrated this information out of it.
It seem that it cannot find theese files:

C:\WINDOWS\System32\RpcProxy\Default.htm      NOT FOUND      Options: Open  Access: Read
C:\WINDOWS\System32\RpcProxy\Default.asp      NOT FOUND      Options: Open  Access: Read
C:\WINDOWS\System32\RpcProxy\index.htm      NOT FOUND      Options: Open  Access: Read
C:\WINDOWS\System32\RpcProxy\iisstart.htm      NOT FOUND      Options: Open  Access: Read
C:\WINDOWS\System32\RpcProxy\Default.aspx      NOT FOUND      Options: Open  Access: Read

And then it goes to the error page
C:\WINDOWS\help\iisHelp\common\401-3.htm      SUCCESS      Options: Open  Access: Read


Komplete list:
w3wp.exe:7332      OPEN      C:\WINDOWS\System32\RpcProxy      SUCCESS      Options: Open  Access: Read
w3wp.exe:7332      QUERY INFORMATION      C:\WINDOWS\System32\RpcProxy      BUFFER OVERFLOW      FileFsVolumeInformation
w3wp.exe:7332      QUERY INFORMATION      C:\WINDOWS\System32\RpcProxy      BUFFER OVERFLOW      FileAllInformation
w3wp.exe:7332      CLOSE      C:\WINDOWS\System32\RpcProxy      SUCCESS      
w3wp.exe:7332      OPEN      C:\WINDOWS\System32\RpcProxy\      SUCCESS      Options: Open  Access: Read
w3wp.exe:7332      QUERY INFORMATION      C:\WINDOWS\System32\RpcProxy\      BUFFER OVERFLOW      FileFsVolumeInformation
w3wp.exe:7332      QUERY INFORMATION      C:\WINDOWS\System32\RpcProxy\      BUFFER OVERFLOW      FileAllInformation
w3wp.exe:7332      CLOSE      C:\WINDOWS\System32\RpcProxy\      SUCCESS      
w3wp.exe:7332      OPEN      C:\WINDOWS\System32\RpcProxy\Default.htm      NOT FOUND      Options: Open  Access: Read
w3wp.exe:7332      OPEN      C:\WINDOWS\System32\RpcProxy\Default.asp      NOT FOUND      Options: Open  Access: Read
w3wp.exe:7332      OPEN      C:\WINDOWS\System32\RpcProxy\index.htm      NOT FOUND      Options: Open  Access: Read
w3wp.exe:7332      OPEN      C:\WINDOWS\System32\RpcProxy\iisstart.htm      NOT FOUND      Options: Open  Access: Read
w3wp.exe:7332      OPEN      C:\WINDOWS\System32\RpcProxy\Default.aspx      NOT FOUND      Options: Open  Access: Read
w3wp.exe:7332      OPEN      C:\WINDOWS\help\iisHelp\common\401-3.htm      SUCCESS      Options: Open  Access: Read
w3wp.exe:7332      QUERY INFORMATION      C:\WINDOWS\help\iisHelp\common\401-3.htm      BUFFER OVERFLOW      FileFsVolumeInformation
w3wp.exe:7332      QUERY INFORMATION      C:\WINDOWS\help\iisHelp\common\401-3.htm      BUFFER OVERFLOW      FileAllInformation
w3wp.exe:7332      QUERY INFORMATION      C:\WINDOWS\help\iisHelp\common\401-3.htm      SUCCESS      Length: 1608
w3wp.exe:7332      READ       C:\WINDOWS\help\iisHelp\common\401-3.htm      SUCCESS      Offset: 0 Length: 1608
w3wp.exe:7332      CLOSE      C:\WINDOWS\help\iisHelp\common\401-3.htm      SUCCESS      
0
 
LeeDerbyshireCommented:
Those 'not found' files aren't really significant, it's just IIS looking for the list of default documents configured on the rpc VDir.  Interesting that it doesn't even look for the dll, though.  It might help if you add rpcproxy.dll to the list of default documents configured for the rpc VDir in IIS Manager.
0
 
LeeDerbyshireCommented:
Oh, wait.  This
http://technet.microsoft.com/en-us/library/bb124175(EXCHG.65).aspx
says that a 401;3 is normal.
There are lots of promising rpcproxy.dll troubleshooting links here:
http://technet.microsoft.com/en-us/library/aa996644(EXCHG.65).aspx
0
 
Anker74Author Commented:
I have tried the links you sent me but everything seems ok. But it does not work.
I tried the RPCdump tool - it gives at lot of information, which I do not understand - This was the fist sectio. It says NOT_PINGED. Is that okey?

Querying Endpoint Mapper Database...
246 registered endpoints found.
ProtSeq:ncacn_http
Endpoint:6004
NetOpt:
Annotation:IPSec Policy agent endpoint
IsListening:NOT_PINGED
StringBinding:ncacn_http:192.168.1.20[6004]
UUID:12345678-1234-abcd-ef00-0123456789ab
ComTimeOutValue:RPC_C_BINDING_MIN_TIMEOUT
VersMajor 1  VersMinor 0


There are other things I am beginning to suspect:
1. Is wildcard certs okey? It work fine for OWA. I know that Windows Mobile 5 does not accept this.
2. Should the router port foward other ports than 80 and 443? How about 6000-6004?
3. Is there a specific way one should write the login credentials? domain\usename or just username. It is a one server box that is both a DC and exchange server and locally it uses the .local suffiks which of course is not used on the internet.
0
 
LeeDerbyshireCommented:
I've never tried rpcdump - I expect it is showing you how the endpoint mapper is configured, but the NOT_PINGED message is saying that it did not actually try to connect to it.  I would try using
  netstat -a
and make sure that ports 6000-6004 are displayed as LISTENING.

This:

http://redmondmag.com/columns/print.asp?EditorialsID=1178

suggests that wildcard certs can't be used with RPC/HTTPS.
0
 
Anker74Author Commented:
Hi LeeDerbyshire.
Thank you for your help and the hint on wildcard cert. The strange thing is that i also tried a cert from freessl and that did not work either.
It must be me that missed something when trying the freessl cert.
Anyway I have decided to reinstall my SBS server and try again. The RAID controller on the motherboard is unstable - the server freezes once a while. So I have ordered the adaptec RAID 3805 and is going to use a RAID1 for the system and RAID6 for the storage.
When the server is installed, the first thing I am going to try is the outlook over the internet with an official 3.party cert. This has to work.

Can I leave this question open or should I close it and hope that I don't have to open another :-)
Regards Anker74
0
All Courses

From novice to tech pro — start learning today.