Anker74 (Denmark)

asked:

RPC over HTTP - followed Petri and Amset, tried FreeSSL - no luck

Dear Exchange Experts

I followed Petri's solution (http://www.petri.co.il/configure_rpc_over_https_on_a_single_server.htm) and also Amset's solution (http://www.amset.info/exchange/rpc-http.asp). I have double checked it several times and I cannot find the problem.

When I configure Outlook to connect using RPC over HTTP I get to the login box, but it does not accept the login credentials and pops up again and again. When I press cancel it says that the connection to the MS Exchange server is unavailable and that the name cannot be resolved.
Is there a specific way that the name has to be written, i.e. domain\username or just username?
Outlook connects fine locally, but instead of HTTPS it always uses TCP/IP.

OWA works fine with my own CA - it does not report any problems with the certificate.
I have also tried a cert from FreeSSL and OWA also works fine using this cert.

If I try to access the RPC folder by typing https://mail.domain.com/rpc it reports "HTTP Error 404 - File or directory not found."
This website has been created from Exchange System Manager.

If I instead type https://servername.domain.com/rpc it reports after typing password 3 times "HTTP Error 401.3 - Unauthorized: Access is denied due to an ACL set on the requested resource."

Regarding port forwarding in my router: 80 and 443 are routed to my server. And recently I saw that the ports for the global catalog server, 6000-6004, also should be opened, and I did so without any luck. But I am not sure about this. Any comments?

Hoping for some help
Regards Anker74
LeeDerbyshire (United Kingdom)

Access denied due to ACL means that the user does not have sufficient NTFS permissions in the directory specified as the source for IIS.  In IIS Manager, you should see the Virtual Directory named rpc.  If you look at the properties, what location is specified for its home directory?  I only have E2007 now, so I can't physically check this value for E2003 any more.
Anker74 (asker)

The NTFS permissions for

rpcproxy are:
Administrators - Full
Authenticated Users - Read, Read & Execute, List folder contents
Creator Owner - special permission
Server Operators - modify, read, write..
SYSTEM - full

rpcproxy.dll are:
Administrators - full
Everyone - read, read & execute
SYSTEM - full
Users - read, read & execute
LeeDerbyshire

Well, they seem to be fairly relaxed.  Still, the 401.3 error is still being generated by something.  You will need to look in your IIS log file to see exactly which file request is returning that 401.3.  Note that the times in the IIS log files are in GMT.  Paste us the relevant lines if you can find them.
Anker74 (asker)

I looked in C:\WINDOWS\system32\LogFiles\W3SVC1 and selected the most recently changed log file.
This is what is closest to the time I tried to get access to RPC.

2008-02-06 14:06:47 192.168.1.20 GET /rpc - 443 - 130.226.107.5 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+InfoPath.2) 401 2 2148074254
2008-02-06 14:06:51 192.168.1.20 GET /rpc - 443 anker 130.226.107.5 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+InfoPath.2) 301 0 0
2008-02-06 14:06:51 192.168.1.20 GET /rpc/ - 443 anker 130.226.107.5 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+InfoPath.2) 401 3 5
2008-02-06 14:06:53 192.168.1.20 GET /rpc/ - 443 anker 130.226.107.5 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+InfoPath.2) 401 3 5
2008-02-06 14:06:55 192.168.1.20 GET /rpc/ - 443 anker 130.226.107.5 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+InfoPath.2) 401 3 5
LeeDerbyshire

Okay, well the first failure is the line below.  It indicates that IIS has accepted the logon name 'anker', but that this account does not have NTFS Read and Execute permissions on the folder that /rpc gets its content from (you can see the 401 3 near the end).  But I assume that this doesn't agree with what you've already checked in Explorer?

2008-02-06 14:06:51 192.168.1.20 GET /rpc/ - 443 anker 130.226.107.5 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+InfoPath.2) 401 3 5
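The reasoning above (a 401 whose sub-status is 3 is an NTFS ACL denial, while the anonymous 401.2 that precedes it is just the authentication challenge) can be applied mechanically to the posted log. The following is an added example, not code from the thread or from Microsoft: it parses the five lines the asker posted, maps IIS 6 status/sub-status/Win32-status triples to their meaning, and picks out the first ACL denial recorded against a named user. The column order is an assumption, since the asker did not post the log's `#Fields:` header; the 13 columns match the default IIS 6 W3C field set, so that order is used.

```python
"""Parse the IIS 6 W3C extended log lines quoted in this thread and explain each 401.

Added example, not from the thread. The field order in FIELDS is an assumption
(no #Fields: header was posted); check it against a real log's header.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed column order for the posted lines (13 columns, default IIS 6 W3C set).
FIELDS = [
    "date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
    "s-port", "cs-username", "c-ip", "cs(User-Agent)",
    "sc-status", "sc-substatus", "sc-win32-status",
]

# IIS 6 sub-status codes for HTTP 401.
SUBSTATUS_401 = {
    1: "Logon failed (credentials rejected or account problem)",
    2: "Logon failed due to server configuration (auth method not enabled)",
    3: "Unauthorized due to an ACL on the requested resource (NTFS permissions)",
    4: "Authorization failed by an ISAPI filter",
    5: "Authorization failed by an ISAPI/CGI application",
}

# Win32 status values that appear in the posted lines. 2148074254 == 0x8009030E.
WIN32_STATUS = {
    0: "ERROR_SUCCESS",
    5: "ERROR_ACCESS_DENIED",
    2148074254: "SEC_E_NO_CREDENTIALS (0x8009030E): challenge sent before the client supplied credentials",
}


@dataclass
class IisEntry:
    time: str
    username: str
    client_ip: str
    uri: str
    status: int
    substatus: int
    win32_status: int


def parse_line(line: str) -> Optional[IisEntry]:
    """Return an IisEntry, or None for comment lines and rows with the wrong column count."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    # W3C fields are space separated; spaces inside values (e.g. the user agent) are encoded as '+'.
    parts = line.split(" ")
    if len(parts) != len(FIELDS):
        return None
    row = dict(zip(FIELDS, parts))
    return IisEntry(
        time=row["time"],
        username=row["cs-username"],
        client_ip=row["c-ip"],
        uri=row["cs-uri-stem"],
        status=int(row["sc-status"]),
        substatus=int(row["sc-substatus"]),
        win32_status=int(row["sc-win32-status"]),
    )


def is_expected_challenge(entry: IisEntry) -> bool:
    """An anonymous 401.2 before the authenticated retry is IIS issuing its challenge, not a failure."""
    return entry.status == 401 and entry.substatus == 2 and entry.username == "-"


def explain(entry: IisEntry) -> str:
    """Turn status / sub-status / Win32 status into the reason IIS recorded."""
    if entry.status != 401:
        return f"HTTP {entry.status}"
    if is_expected_challenge(entry):
        return "HTTP 401.2: normal authentication challenge (anonymous request)"
    reason = SUBSTATUS_401.get(entry.substatus, "unknown sub-status")
    w32 = WIN32_STATUS.get(entry.win32_status, f"win32 status {entry.win32_status}")
    return f"HTTP 401.{entry.substatus} for user '{entry.username}': {reason} [{w32}]"


def first_acl_denial(lines: Iterable[str]) -> Optional[IisEntry]:
    """First 401.3 recorded against a named user: the request to chase with NTFS permissions or Filemon."""
    for line in lines:
        entry = parse_line(line)
        if entry and entry.status == 401 and entry.substatus == 3 and entry.username != "-":
            return entry
    return None


# The five log lines posted in the thread, verbatim.
SAMPLE_LOG: List[str] = [
    "2008-02-06 14:06:47 192.168.1.20 GET /rpc - 443 - 130.226.107.5 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+InfoPath.2) 401 2 2148074254",
    "2008-02-06 14:06:51 192.168.1.20 GET /rpc - 443 anker 130.226.107.5 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+InfoPath.2) 301 0 0",
    "2008-02-06 14:06:51 192.168.1.20 GET /rpc/ - 443 anker 130.226.107.5 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+InfoPath.2) 401 3 5",
    "2008-02-06 14:06:53 192.168.1.20 GET /rpc/ - 443 anker 130.226.107.5 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+InfoPath.2) 401 3 5",
    "2008-02-06 14:06:55 192.168.1.20 GET /rpc/ - 443 anker 130.226.107.5 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+InfoPath.2) 401 3 5",
]

if __name__ == "__main__":
    for raw in SAMPLE_LOG:
        entry = parse_line(raw)
        if entry:
            print(entry.time, entry.uri, explain(entry))
    hit = first_acl_denial(SAMPLE_LOG)
    print("first ACL denial:", hit.time if hit else "none")
```

Run against a real log, drop `SAMPLE_LOG` and feed the file's lines in; the `#Fields:` line is skipped by `parse_line`, but compare it with `FIELDS` first, because a site with customised logging fields will shift the columns.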
Anker74 (asker)

I do not understand this
    "But I assume that this doesn't agree with what you've already checked in Explorer?"

LeeDerbyshire

I was referring to the NTFS permissions you checked and posted earlier.  Since IIS has accepted and recorded an account name, it will impersonate this account to access the resources it needs from the disk drive.  The named account (I guess it is you) is certain to be in the Authenticated Users and Everyone groups, which you have already verified to have the required Read and Execute rights.  This seems to contradict the ACL error reported by IIS, unless rpcproxy.dll in turn accesses something else with tighter permissions.  Is the account you are using an Admin account?
Anker74 (asker)

Yes the account is me and I am a member of the administrators group.
LeeDerbyshire

Hmm.  That is confusing.  This is the best article I know of for diagnosing IIS 401 errors:

http://blogs.msdn.com/david.wang/archive/2005/07/14/HOWTO_Diagnose_IIS_401_Access_Denied.aspx

I don't think it adds much to what we've tried, but the filemon suggestion is interesting.
Anker74 (asker)

I tried Filemon and I extracted this information out of it.
It seems that it cannot find these files:

C:\WINDOWS\System32\RpcProxy\Default.htm      NOT FOUND      Options: Open  Access: Read
C:\WINDOWS\System32\RpcProxy\Default.asp      NOT FOUND      Options: Open  Access: Read
C:\WINDOWS\System32\RpcProxy\index.htm      NOT FOUND      Options: Open  Access: Read
C:\WINDOWS\System32\RpcProxy\iisstart.htm      NOT FOUND      Options: Open  Access: Read
C:\WINDOWS\System32\RpcProxy\Default.aspx      NOT FOUND      Options: Open  Access: Read

And then it goes to the error page
C:\WINDOWS\help\iisHelp\common\401-3.htm      SUCCESS      Options: Open  Access: Read


Complete list:
w3wp.exe:7332      OPEN      C:\WINDOWS\System32\RpcProxy      SUCCESS      Options: Open  Access: Read
w3wp.exe:7332      QUERY INFORMATION      C:\WINDOWS\System32\RpcProxy      BUFFER OVERFLOW      FileFsVolumeInformation
w3wp.exe:7332      QUERY INFORMATION      C:\WINDOWS\System32\RpcProxy      BUFFER OVERFLOW      FileAllInformation
w3wp.exe:7332      CLOSE      C:\WINDOWS\System32\RpcProxy      SUCCESS      
w3wp.exe:7332      OPEN      C:\WINDOWS\System32\RpcProxy\      SUCCESS      Options: Open  Access: Read
w3wp.exe:7332      QUERY INFORMATION      C:\WINDOWS\System32\RpcProxy\      BUFFER OVERFLOW      FileFsVolumeInformation
w3wp.exe:7332      QUERY INFORMATION      C:\WINDOWS\System32\RpcProxy\      BUFFER OVERFLOW      FileAllInformation
w3wp.exe:7332      CLOSE      C:\WINDOWS\System32\RpcProxy\      SUCCESS      
w3wp.exe:7332      OPEN      C:\WINDOWS\System32\RpcProxy\Default.htm      NOT FOUND      Options: Open  Access: Read
w3wp.exe:7332      OPEN      C:\WINDOWS\System32\RpcProxy\Default.asp      NOT FOUND      Options: Open  Access: Read
w3wp.exe:7332      OPEN      C:\WINDOWS\System32\RpcProxy\index.htm      NOT FOUND      Options: Open  Access: Read
w3wp.exe:7332      OPEN      C:\WINDOWS\System32\RpcProxy\iisstart.htm      NOT FOUND      Options: Open  Access: Read
w3wp.exe:7332      OPEN      C:\WINDOWS\System32\RpcProxy\Default.aspx      NOT FOUND      Options: Open  Access: Read
w3wp.exe:7332      OPEN      C:\WINDOWS\help\iisHelp\common\401-3.htm      SUCCESS      Options: Open  Access: Read
w3wp.exe:7332      QUERY INFORMATION      C:\WINDOWS\help\iisHelp\common\401-3.htm      BUFFER OVERFLOW      FileFsVolumeInformation
w3wp.exe:7332      QUERY INFORMATION      C:\WINDOWS\help\iisHelp\common\401-3.htm      BUFFER OVERFLOW      FileAllInformation
w3wp.exe:7332      QUERY INFORMATION      C:\WINDOWS\help\iisHelp\common\401-3.htm      SUCCESS      Length: 1608
w3wp.exe:7332      READ       C:\WINDOWS\help\iisHelp\common\401-3.htm      SUCCESS      Offset: 0 Length: 1608
w3wp.exe:7332      CLOSE      C:\WINDOWS\help\iisHelp\common\401-3.htm      SUCCESS      
LeeDerbyshire

Those 'not found' files aren't really significant, it's just IIS looking for the list of default documents configured on the rpc VDir.  Interesting that it doesn't even look for the dll, though.  It might help if you add rpcproxy.dll to the list of default documents configured for the rpc VDir in IIS Manager.
Oh, wait.  This
http://technet.microsoft.com/en-us/library/bb124175(EXCHG.65).aspx
says that a 401.3 is normal.
There are lots of promising rpcproxy.dll troubleshooting links here:
http://technet.microsoft.com/en-us/library/aa996644(EXCHG.65).aspx
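The reading of the Filemon trace above (NOT FOUND on the default-document names is IIS probing its default document list; the thing to look for is a result that actually says access was denied, and rpcproxy.dll never being opened at all) can be turned into a small triage script. This is an added example, not code from the thread; it takes the posted trace verbatim as its sample, splits rows on runs of whitespace as they appear on the page, and treats the result string `ACCESS DENIED` as the marker of a failed ACL check, which is an assumption about Filemon's output rather than something shown in the thread.

```python
"""Triage a Filemon trace of w3wp.exe: separate default-document probes from real denials.

Added example, not from the thread. Row layout (process, operation, path, result, detail,
separated by runs of whitespace) follows the posted trace; the 'ACCESS DENIED' result string
is an assumption about Filemon output.
"""
import re
from typing import Dict, Iterable, List, Optional

# Names IIS 6 tries, in order, when a directory request has no explicit file.
DEFAULT_DOCUMENTS = {"default.htm", "default.asp", "index.htm", "iisstart.htm", "default.aspx"}

# Result string assumed to mean an NTFS ACL check failed.
DENIED_RESULT = "ACCESS DENIED"


def parse_row(line: str) -> Optional[Dict[str, str]]:
    """Split one trace row into its columns; None for blank or truncated rows."""
    parts = re.split(r"\s{2,}", line.strip())
    if len(parts) < 4:
        return None
    process, operation, path, result = parts[:4]
    return {
        "process": process,
        "op": operation,
        "path": path,
        "result": result,
        "detail": "  ".join(parts[4:]),
    }


def summarize(lines: Iterable[str]) -> Dict[str, object]:
    """Classify every row: real denials, harmless default-document probes, other NOT FOUNDs,
    and whether the ISAPI extension (rpcproxy.dll) was ever opened."""
    denied: List[str] = []
    benign_probes: List[str] = []
    unexpected_not_found: List[str] = []
    rpcproxy_dll_touched = False
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        name = row["path"].rsplit("\\", 1)[-1].lower()
        if name == "rpcproxy.dll":
            rpcproxy_dll_touched = True
        if row["result"] == DENIED_RESULT:
            denied.append(row["path"])
        elif row["result"] == "NOT FOUND":
            if name in DEFAULT_DOCUMENTS:
                benign_probes.append(row["path"])  # IIS walking its default document list
            else:
                unexpected_not_found.append(row["path"])
    return {
        "denied": denied,
        "benign_probes": benign_probes,
        "unexpected_not_found": unexpected_not_found,
        "rpcproxy_dll_touched": rpcproxy_dll_touched,
    }


# The Filemon trace posted in the thread (process column and column spacing as posted).
SAMPLE_TRACE = r"""
w3wp.exe:7332      OPEN      C:\WINDOWS\System32\RpcProxy      SUCCESS      Options: Open  Access: Read
w3wp.exe:7332      QUERY INFORMATION      C:\WINDOWS\System32\RpcProxy      BUFFER OVERFLOW      FileFsVolumeInformation
w3wp.exe:7332      QUERY INFORMATION      C:\WINDOWS\System32\RpcProxy      BUFFER OVERFLOW      FileAllInformation
w3wp.exe:7332      CLOSE      C:\WINDOWS\System32\RpcProxy      SUCCESS
w3wp.exe:7332      OPEN      C:\WINDOWS\System32\RpcProxy\      SUCCESS      Options: Open  Access: Read
w3wp.exe:7332      QUERY INFORMATION      C:\WINDOWS\System32\RpcProxy\      BUFFER OVERFLOW      FileFsVolumeInformation
w3wp.exe:7332      QUERY INFORMATION      C:\WINDOWS\System32\RpcProxy\      BUFFER OVERFLOW      FileAllInformation
w3wp.exe:7332      CLOSE      C:\WINDOWS\System32\RpcProxy\      SUCCESS
w3wp.exe:7332      OPEN      C:\WINDOWS\System32\RpcProxy\Default.htm      NOT FOUND      Options: Open  Access: Read
w3wp.exe:7332      OPEN      C:\WINDOWS\System32\RpcProxy\Default.asp      NOT FOUND      Options: Open  Access: Read
w3wp.exe:7332      OPEN      C:\WINDOWS\System32\RpcProxy\index.htm      NOT FOUND      Options: Open  Access: Read
w3wp.exe:7332      OPEN      C:\WINDOWS\System32\RpcProxy\iisstart.htm      NOT FOUND      Options: Open  Access: Read
w3wp.exe:7332      OPEN      C:\WINDOWS\System32\RpcProxy\Default.aspx      NOT FOUND      Options: Open  Access: Read
w3wp.exe:7332      OPEN      C:\WINDOWS\help\iisHelp\common\401-3.htm      SUCCESS      Options: Open  Access: Read
w3wp.exe:7332      READ       C:\WINDOWS\help\iisHelp\common\401-3.htm      SUCCESS      Offset: 0 Length: 1608
w3wp.exe:7332      CLOSE      C:\WINDOWS\help\iisHelp\common\401-3.htm      SUCCESS
""".strip().splitlines()

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

On the posted trace the script reports no denials, five benign default-document probes and no open of rpcproxy.dll, which is exactly the observation made above: the 401.3 page is served without IIS ever having tried to reach the ISAPI extension.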
Anker74 (asker)

I have tried the links you sent me but everything seems OK. But it does not work.
I tried the RPCdump tool - it gives a lot of information, which I do not understand - this was the first section. It says NOT_PINGED. Is that okay?

Querying Endpoint Mapper Database...
246 registered endpoints found.
ProtSeq:ncacn_http
Endpoint:6004
NetOpt:
Annotation:IPSec Policy agent endpoint
IsListening:NOT_PINGED
StringBinding:ncacn_http:192.168.1.20[6004]
UUID:12345678-1234-abcd-ef00-0123456789ab
ComTimeOutValue:RPC_C_BINDING_MIN_TIMEOUT
VersMajor 1  VersMinor 0


There are other things I am beginning to suspect:
1. Are wildcard certs okay? It works fine for OWA. I know that Windows Mobile 5 does not accept this.
2. Should the router port forward other ports than 80 and 443? How about 6000-6004?
3. Is there a specific way one should write the login credentials? domain\username or just username. It is a one-server box that is both a DC and Exchange server, and locally it uses the .local suffix, which of course is not used on the Internet.
LeeDerbyshire

I've never tried rpcdump - I expect it is showing you how the endpoint mapper is configured, but the NOT_PINGED message is saying that it did not actually try to connect to it.  I would try using
  netstat -a
and make sure that ports 6000-6004 are displayed as LISTENING.

This:

http://redmondmag.com/columns/print.asp?EditorialsID=1178

suggests that wildcard certs can't be used with RPC/HTTPS.
Anker74 (asker)

Hi LeeDerbyshire.
Thank you for your help and the hint on wildcard certs. The strange thing is that I also tried a cert from FreeSSL and that did not work either.
It must be me that missed something when trying the FreeSSL cert.
Anyway, I have decided to reinstall my SBS server and try again. The RAID controller on the motherboard is unstable - the server freezes once in a while. So I have ordered the Adaptec RAID 3805 and am going to use a RAID1 for the system and RAID6 for the storage.
When the server is installed, the first thing I am going to try is Outlook over the Internet with an official third-party cert. This has to work.

Can I leave this question open or should I close it and hope that I don't have to open another :-)
Regards Anker74
ASKER CERTIFIED SOLUTION
LeeDerbyshire (United Kingdom)
