Patrick
asked on
RPC over HTTPS keeps prompting for password
I am going crazy. I know I've set up the RPC over HTTPS correctly, but it keeps prompting me for username and password.
One server, modified the registry keys, followed instructions I believe to a T. From what I read, it maaay be an authentication issue with IIS and everything under the Default Website?
If so, this is what I got:
CertControl
CertEnroll
CertSrv
Exadmin
Exchange
ExchWeb
Microsoft-Serv
OMA
Public
Rpc
RpcWithCert
aspnet_client
I can connect to the https://server.domain.com/exchange and http://server.domain.com/exchange.
I have a cert with GoDaddy, properly installed.
What am I doing wrong?
Is the computer a domain member, and are you using NTLM in outlook?
Hello pstiffsae,
(I assume you have an sbs 2003 server?)
Follow the SBS guide on this site:
http://sbs.editme.com/Exchange
"How to configure outlook over the internet (rpc over https) the correct - SBS - way "
No need to modify anything, place everything back the way it was.
Regards,
suppsaws
This is a very common issue. Try using yourname@youdomain.com in the user field.
These links can be helpful for you to correct the problem.
http://www.amset.info/exchange/rpc-http.asp
https://www.experts-exchange.com/questions/22417240/RPC-over-HTTP-Authentication-Problems.html?sfQueryTermInfo=1+authent+http+over+rpc
ASKER
a) It's not on the domain, it's my personal laptop
b) I've tried domain\username, domain/username, username@domain.com, all of those, nothing.
c) we're not using NTLM
d) I've reviewed those two links from other EE questions and they do not help.
What am I doing wrong?
If it isn't on the domain, and you are not using NTLM, then you will always be prompted.
I believe that even if you enable NTLM, it will prompt you, but you should be able to get it to remember the password.
ASKER
I don't mind being prompted, but it's not connecting. It's continually asking for the username and password.
Are you trying this internally?
What are the permissions that are set on the RPC directory?
ASKER
Trying externally. Completely off the network. No VPN.
Permissions:
Admin (Server/Admin) FULL
Authenticated User Read, List, Read and Execute
CREATOR OWNER - nothing
Server operators (Server/operators) Full
System Full
Where are you getting those permissions?
I mean directory security in IIS, not file permissions on c:\inetpub
ASKER
Default Website: Integrated Windows only
Beneath DW
CertControl: Integrated Windows Only
CertEnroll: Integrated Windows Only
CertSrv: Integrated Windows Only
Exadmin: Integrated Windows Only
Exchange: Integrated Windows Only
ExchWeb: Integrated Windows Only
Microsoft-Serv: Integrated Windows Only
OMA: Integrated Windows Only
Public: Integrated Windows Only
Rpc: Basic, Default Domain (our domain)
RpcWithCert: Basic, Default Domain (our domain)
aspnet_client: Integrated Windows Only
As I already said, stay off the permissions, and also stay off the NTLM.
There is no need to change a thing on SBS to make rpc work.
Have you already read the page at
http://sbs.editme.com/Exchange
"How to configure outlook over the internet (rpc over https) the correct - SBS - way " ???
the tutorial is already on your RWW page, so just follow that one.
When you can't connect it's 99% chance that it's a typo.
recheck all the things you filled in.
btw, is your cert correct (external FQDN): eg mail.mydomain.com, if not, rerun the connect to the internet wizard.
the exchange IIS folder needs to have Basic authentication ticked...
Integrated isn't going to work because the laptop isn't plugged into the domain!
you will also want the ExchWeb folder doing the same...
Cheers
the exchange folder needs to have basic auth ticked, but the ExchWeb only needs anonymous auth ticked.
But as I said, there is no need to change the permissions, they should be fine by default.
>>But as I said, there is no need to change the permissions, they should be fine by default.
Clearly, they aren't
that is probably because there was already some messing around with the permissions ... :p
Right, which now defuncts your whole argument of "you shouldn't have to touch anything"
Either the wizards have not been run at all, or some manual configuration has taken place.
At this stage, it is safe to say that the IIS permissions are a mess, and need to be reconfigured - if you want to convince the asker that he needs a reinstall instead, be my guest.
ASKER
Woah, woah woah. Permissions were NOT messed with.
'What are the permissions that are set on the RPC directory?'
I answered. He meant Directory Security, which he asked when I specifically told him what the permissions were for the RPC virtual directory.
And by the way, my question was answered. My original question: 'From what I read, it may be an authentication issue with IIS and everything under the Default Website?' It was, Exchange had Integrated and Basic clicked.
Don't take this the wrong way, but your IIS permissions certainly have been messed with - someone has ticked integrated authentication on the default website and said yes to the prompt of "apply this to all subdirectories?"
Your IIS permissions should be like this:
Exadmin: Integrated Windows Only
Exchange: Basic Only
ExchWeb: Anonymous Only
Microsoft-Serv: Integrated Windows and Basic Only
OMA: Basic Only
Public: Integrated Windows and Basic Only
Rpc: Integrated Windows and Basic, Default Domain (our domain)
RpcWithCert: Integrated Windows and Basic, Default Domain (our domain)
And the non-exchange stuff
CertControl: Integrated Windows Only
CertEnroll: Anonymous Only
CertSrv: Integrated Windows Only
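The layout recommended in the answer above can be checked mechanically. The following is an added example, not part of the original thread: it parses a listing in the format the asker posted and reports every virtual directory whose authentication methods differ from the recommendation. The bit values are the IIS metabase `AuthFlags` ones; the function names and the `POSTED` sample (the asker's earlier listing, retyped) are assumptions of this example.

```python
import re

# IIS metabase AuthFlags bits: AuthAnonymous=1, AuthBasic=2, AuthNTLM (Integrated)=4
FLAGS = {"anonymous": 1, "basic": 2, "integrated": 4}

# Layout recommended in the answer above, expressed as AuthFlags values.
EXPECTED = {"Exadmin": 4, "Exchange": 2, "ExchWeb": 1, "Microsoft-Serv": 6,
            "OMA": 2, "Public": 6, "Rpc": 6, "RpcWithCert": 6,
            "CertControl": 4, "CertEnroll": 1, "CertSrv": 4}

# The asker's earlier listing, retyped here as sample input (spelling normalised).
POSTED = """\
CertControl: Integrated Windows Only
CertEnroll: Integrated Windows Only
CertSrv: Integrated Windows Only
Exadmin: Integrated Windows Only
Exchange: Integrated Windows Only
ExchWeb: Integrated Windows Only
Microsoft-Serv: Integrated Windows Only
OMA: Integrated Windows Only
Public: Integrated Windows Only
Rpc: Basic, Default Domain (our domain)
RpcWithCert: Basic, Default Domain (our domain)
"""

def parse_listing(text):
    """Turn 'Name: Method[ and Method] ...' lines into {name: AuthFlags}."""
    result = {}
    for line in text.splitlines():
        name, sep, desc = line.partition(":")
        if sep and name.strip():
            words = set(re.findall(r"[a-z]+", desc.lower()))
            result[name.strip()] = sum(b for w, b in FLAGS.items() if w in words)
    return result

def describe(flags):
    """Render an AuthFlags value as method names; None means the directory is absent."""
    if flags is None:
        return "missing"
    return "+".join(n for n, b in FLAGS.items() if flags & b) or "none"

def audit(actual, expected=EXPECTED):
    """Return {name: (found, wanted)} for each directory that deviates."""
    return {name: (describe(actual.get(name)), describe(want))
            for name, want in expected.items() if actual.get(name) != want}

if __name__ == "__main__":
    for name, (found, wanted) in audit(parse_listing(POSTED)).items():
        print(f"{name:15} found {found:11} expected {wanted}")
```

Run against the asker's listing, it reports eight directories, among them Exchange, ExchWeb and Rpc.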
ASKER
Yeah, I called my Coordinator about this and his response: 'we're supposed to have everything ticked for Integrated.' Probably the reason for all the headache with this process...
Final question, we're noticing that if there is a pre-existing Outlook connection on the computer, regardless of being on the network or a remote computer or being on the domain, if the computer was originally set up 'on the network' (either in house or connect via the VPN) and we make the switch to connect via HTTP, it works flawlessly (minus having to login to outlook while even being on the network, in the office)
If we're attempting to create the connection for the first time on a machine that has a profile that never connected to our network while setting up initially the Outlook Exchange account, it keeps prompting for the password until we put in domain/username and password where it thinks about it for 10 seconds and says it can't reach the Exchange Server.
Is this normal?
When you are on a 'fast' network, it won't ask you for the username+password (see tutorial > uncheck 'on fast networks ...').
The reason that this ain't working on an external, slow, network is probably the certificate.
Now, because I haven't heard an answer on my initial question:
- is this an SBS 2003 server?
- how did you add the computers to the domain?
- did you configure your cert correctly through the 'connect to the internet wizard'?
- are the IIS permissions already set to the permissions of keiran?
ASKER
It's a Microsoft Windows Server 2003, Enterprise Edition, SP 2.
We add computers to the domain by selecting properties from right clicking on My Computer, going to the Computer Name and selecting Change to join the computer on our domain.
Cert works great, through Go Daddy. No Cert errors when hitting HTTPS externally. The Cert is applied to the server's Default Website and populated down, followed instructions to a T on that.
IIS permissions AND directory security are set as previously instructed above.
The Two Ticks for on fast/slow connection connect are selected on my home computer and not at work. Regardless the question remains on whether having a pre-existing Outlook Profile that had originally connected to the network once (either on domain or off) is required for the connection to work. Is that the case?
ah okay, so you don't have an sbs, that is a whole different issue then.
The computers are joined correctly then.
You don't need any profile that has been connected to the network.
You can configure the rpc when the pc was never joined to the domain.
Are you sure you didn't type any typos?
In 99% of the cases it is a typo or a cert issue.
ASKER
Well let me ask you this, would the Cert be incorrect NOW that Directory Security is all set up correctly? Would that change it at all?
ASKER
UPDATE: Going to the https://server.domain.com goes right through, no problems.
Going to external IP address that's associated with the email server (https://12.XX.22.XXX) gives me a certificate error. What's that all about?
ASKER
So, I have it set up correctly, so it's not that. I swear, this is 100% bizarre, and I can't make heads or tails of it.