Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

RPC over HTTPS keeps prompting for password

Posted on 2008-06-25
31
Medium Priority
?
4,500 Views
Last Modified: 2008-09-13
I am going crazy. I know I've set up the RPC over HTTPS correctly, but it keeps prompting me for username and password.

One server, modified the registry keys, followed instructions I believe to a T. From what I read, it maaay be an authentication issue with IIS and everything under the Default Website?

If so, this is what I got:
CertControl
CertEntroll
CertSrv
Exadmin
Exchange
ExchWeb
Microsoft-Serv
OMA
Public
Rpc
RpcWithCert
aspnet_client

I can connect to the https://server.domain.com/exchange and http://server.domain.com/exchange.

I have a cert with GoDaddy, properlly installed.
What am I doing wrong?
0
Comment
Question by:pstiffsae
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 10
  • 9
  • 7
  • +2
31 Comments
 
LVL 25

Expert Comment

by:kieran_b
ID: 21872161
Is the computer a domain member, and are you using NTLM in outlook?
0
 
LVL 21

Expert Comment

by:suppsaws
ID: 21872222
Hello pstiffsae,

(I assume you have an sbs 2003 server?)
Follow the SBS guide on this site:
http://sbs.editme.com/Exchange
"How to configure outlook over the internet (rpc over https) the correct - SBS - way "
No need to modify anything, place everything back the way it was.

Regards,

suppsaws
0
 [eBook] Windows Nano Server

Download this FREE eBook and learn all you need to get started with Windows Nano Server, including deployment options, remote management
and troubleshooting tips and tricks

 
LVL 2

Accepted Solution

by:
chesterzoo earned 672 total points
ID: 21873767
i found using the domain\user syntax worked for me...

if not try adding the realm on the security...

Martin
0
 

Author Comment

by:pstiffsae
ID: 21877761
a) It's not on the domain, it's my personal laptop
b) I've tried domain\username, domain/username, username@domain.com, all of those, nothing.
c) we're not using NTLM
d) I've reviewed those two links from other EE questons and they do not help.

What am I doing wrong?
0
 
LVL 25

Expert Comment

by:kieran_b
ID: 21879588
If it isn't on the domain, and you are not using NTLM, then you will always be prompted.

I believe that even if you enable NTLM, it will prompt you, but you should be able to get it to remember the password.
0
 

Author Comment

by:pstiffsae
ID: 21879947
I dont' mind being prompted, but it's not connecting. It's continually askin gfor the username and password.
0
 
LVL 25

Expert Comment

by:kieran_b
ID: 21879958
Are you trying this internally?

What are the permissions that are set on the RPC directory?
0
 

Author Comment

by:pstiffsae
ID: 21879975
Trying externally. Completely off the network. No VPN.

Permssions:
Admin (Server/Admin) FULL
Authenticated User Read, List, Read and Execute
CREATEOR OWNER - nothing
Server operators (Server/operators) Full
System Full



0
 
LVL 25

Expert Comment

by:kieran_b
ID: 21879993
Where are you getting those permissions?

I mean directory security in IIS, not file permissions on c:\inetpub
0
 

Author Comment

by:pstiffsae
ID: 21880142
Default Website: Intergrated Windows only
Beneath DW
CertControl: Integrated Windows Only
CertEntroll: Intergrated Windows Only
CertSrv: Intergrated Windows Only
Exadmin: Intergrated Windows Only
Exchange: : Intergrated Windows Only
ExchWeb: : Intergrated Windows Only
Microsoft-Serv: Intergrated Windows Only
OMA: Intergrated Windows Only
Public: Intergrated Windows Only
Rpc: Basic, Default Domain (our domain)
RpcWithCert: Basic, Default Domain (our domain)
aspnet_client: Intergrated Windows Only
0
 
LVL 21

Expert Comment

by:suppsaws
ID: 21881249
As I already said, stay off the permissions, and also stay off the NTLM.
There is no need to change a thing on SBS to make rpc working.
Have you already read the page at
http://sbs.editme.com/Exchange
"How to configure outlook over the internet (rpc over https) the correct - SBS - way " ???
the tutorial is already on your RWW page, so just follow that one.
When you can't connect it's 99% chance that it's a typo.
recheck all the things you filled in.
btw, is you cert correct (external FQDN): eg  mail.mydomain.com, if not, rerun the connect to the internet wizard.
0
 
LVL 2

Expert Comment

by:chesterzoo
ID: 21881619
the exchange IIS folder needs to have Basic authentication ticked...

Integrated isnt going to work because the laptop isnt plugged into the domain!

you willl also want the ExchWeb folder doing the same...

Cheers
0
 
LVL 21

Expert Comment

by:suppsaws
ID: 21881642
the exchange folder needs to have basic auth tocked, but the Exweb only need anonymous auth ticked.
But as I said, there is no need to change the permissions, they should be fine by default.
0
 
LVL 25

Expert Comment

by:kieran_b
ID: 21881795
>>But as I said, there is no need to change the permissions, they should be fine by default.

Clearly, they aren't
0
 
LVL 21

Expert Comment

by:suppsaws
ID: 21881819
that is probably because there was already some messing around with the permissions ... :p
0
 
LVL 25

Expert Comment

by:kieran_b
ID: 21882960
Right, which now defuncts your whole argument of "you shouldn't have to touch anything"

Either the wizards have not been run at all, or some manual configuration has taken place.

At this stage, it is safe to say that the IIS permissions are a mess, and need to be reconfigured - if you want to convince the asker that he needs a reinstall instead, be my guest.
0
 

Author Comment

by:pstiffsae
ID: 21883067
Woah, woah woah. Permission were NOT messed with.

'What are the permissions that are set on the RPC directory?'

I answered. He meant Directory Security, which has asked when I specifically told him what the permssions were for the RPC virtual directory.

And by the way, my question was answered. My original question: 'From what I read, it may be an authentication issue with IIS and everything under the Default Website?' It was, Exchange had Intergrated and Basic clicked.
0
 
LVL 25

Expert Comment

by:kieran_b
ID: 21888012
Don't take this the wrong way, but your IIS permissions certainly have been messed with - someone has ticked integrated authentication on the default website and said yes to the prompt of "apply this to all subdirectories?"

Your IIS permissions should be like this;

Exadmin: Intergrated Windows Only
Exchange: : Basic Only
ExchWeb: : Anonymous Only
Microsoft-Serv: Intergrated Windows and Basic Only
OMA: Basic Only
Public: Intergrated Windows and Basic Only
Rpc: Integrated Windows and Basic, Default Domain (our domain)
RpcWithCert: Integrated Windows and Basic, Default Domain (our domain)

And the non-exchange stuff

CertControl: Integrated Windows Only
CertEntroll: Anonymous Only
CertSrv: Intergrated Windows Only
0
 

Author Comment

by:pstiffsae
ID: 21888259
Yeah, I called my Coordinator about this and his response 'we're supposed to have everything ticked for Intergrated.' Probably the reason for all the headache with this process...

Final question, we're noticing that if there is a pre-existing Outlook connection on the computer, regardless of being on the network or a remote computer or being on the domain, if the comptuer was originally set up 'on the network' (either in house or connect via the VPN) and we make the switch to connect via HTTP, it works flawlessly (minus having to login to outlook while even being on the network, in the office)

If we're attempting to create the connection for the first time on a machine that has a profile that never connected to our network while setting up initially the Outlook Exchange account, it keeps prompting for the password until we put int domain/username and password where it thinks about it for 10 seconds and says it can't reach the Exchange Server.

Is this normal?
0
 
LVL 21

Expert Comment

by:suppsaws
ID: 21896878
When you are on a 'fast' network, it won't ask you for the username+password (see tuturial > uncheck 'on fast networks ...').
The reason that this aint working on an external, slow, network is probably the certificate.
Now, because I haven't heard an answer on my initial question:

- is this an SBS 2003 server?
- how did you add the computers to the domain?
- did you configurer your cert correctly through the 'connect to the internet wizard'
- are the IIS permissins already set to the permisoons of keiran?
0
 

Author Comment

by:pstiffsae
ID: 21898369
It's a Microsoft Windows Server 2003, Enterprise Edition, SP 2.

We add computers to the domain by selecting properties from right clicking on My Computer, going to the Computer Name and selecting Change to join the computer on our domain.

Cert works great, through Go Daddy. No Cert errors when hitting HTTPS externally. The Cert is applied to the servers Default Website and populated down, followed instructions to a T on that.

IIS permisions AND directory security are set as previously instructed above.

The Two Ticks for on fast/slow connection connect are selected on my home computer and not at work. Regardless the question remains on whether having a pre-existing Outlook Profile that had originally connected to the network once (either on domain or off) is required for the connection to work. Is that the case?
0
 
LVL 21

Expert Comment

by:suppsaws
ID: 21898627
ah okay, so you don't have an sbs, that is a whole different issue then.
The computers are joined correctly then.
You don't need any profile that has been connected to the network.
You can configure the rpc when the pc was never joined to the domain.
Are you sure you didn't type any typos?
In 99% of the cases it is a typo or a cert issue.
0
 

Author Comment

by:pstiffsae
ID: 21898916
Well let me ask you this, would the Cert be incorrect NOW that Directory Security is all set up correctly? Would that change it at all?
0
 

Author Comment

by:pstiffsae
ID: 21903674
UPDATE: Going to the https://server.domain.com goes right through, no problems.

Going to external IP address that's associated with the email server (https://12.XX.22.XXX) gives me a certificate error. What's that all about?
0
 
LVL 25

Assisted Solution

by:kieran_b
kieran_b earned 664 total points
ID: 21903751
>>What's that all about?

SSL relies on a name - it "certifies" the server you are going to.  If you don't go to a name, but instead to an IP, you have broken the trust of the certificate - you must use a name
0
 

Author Comment

by:pstiffsae
ID: 21903758
So, I have it set up correctly, so it's not that. I swear, this is 100% bizarre, and I can't make heads or tails of it.
0
 
LVL 25

Expert Comment

by:kieran_b
ID: 21903788
I would run through this -> http://www.amset.info/exchange/rpc-http-client2.asp

Kieran
0
 
LVL 21

Assisted Solution

by:suppsaws
suppsaws earned 664 total points
ID: 21905240
You must use the FQDN of the certificate.
Mostly this is smth like https://mail.mydomain.com/exchange.
Did you install the cert on the client pc? I guess so since you don't get the cert error.
Follow the amset guide 3 times, it'll probably be some kind of typo.
0

Featured Post

Tech or Treat!

Submit an article about your scariest tech experience—and the solution—and you’ll be automatically entered to win one of 4 fantastic tech gadgets.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Are you an Exchange administrator employed with an organization? And, have you encountered a corrupt Exchange database due to which you are not able to open its EDB file. This article will explain all the steps to repair corrupt Exchange database.
Are you looking for the options available for exporting EDB files to PST? You may be confused as they are different in different Exchange versions. Here, I will discuss some options available.
To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Rules tab.:  To cr…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question