[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4529
  • Last Modified:

RPC over HTTPS keeps prompting for password

I am going crazy. I know I've set up the RPC over HTTPS correctly, but it keeps prompting me for username and password.

One server, modified the registry keys, followed instructions I believe to a T. From what I read, it maaay be an authentication issue with IIS and everything under the Default Website?

If so, this is what I got:
CertControl
CertEntroll
CertSrv
Exadmin
Exchange
ExchWeb
Microsoft-Serv
OMA
Public
Rpc
RpcWithCert
aspnet_client

I can connect to the https://server.domain.com/exchange and http://server.domain.com/exchange.

I have a cert with GoDaddy, properlly installed.
What am I doing wrong?
0
pstiffsae
Asked:
pstiffsae
  • 10
  • 9
  • 7
  • +2
3 Solutions
 
kieran_bCommented:
Is the computer a domain member, and are you using NTLM in outlook?
0
 
suppsawsCommented:
Hello pstiffsae,

(I assume you have an sbs 2003 server?)
Follow the SBS guide on this site:
http://sbs.editme.com/Exchange
"How to configure outlook over the internet (rpc over https) the correct - SBS - way "
No need to modify anything, place everything back the way it was.

Regards,

suppsaws
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
chesterzooCommented:
i found using the domain\user syntax worked for me...

if not try adding the realm on the security...

Martin
0
 
pstiffsaeAuthor Commented:
a) It's not on the domain, it's my personal laptop
b) I've tried domain\username, domain/username, username@domain.com, all of those, nothing.
c) we're not using NTLM
d) I've reviewed those two links from other EE questons and they do not help.

What am I doing wrong?
0
 
kieran_bCommented:
If it isn't on the domain, and you are not using NTLM, then you will always be prompted.

I believe that even if you enable NTLM, it will prompt you, but you should be able to get it to remember the password.
0
 
pstiffsaeAuthor Commented:
I dont' mind being prompted, but it's not connecting. It's continually askin gfor the username and password.
0
 
kieran_bCommented:
Are you trying this internally?

What are the permissions that are set on the RPC directory?
0
 
pstiffsaeAuthor Commented:
Trying externally. Completely off the network. No VPN.

Permssions:
Admin (Server/Admin) FULL
Authenticated User Read, List, Read and Execute
CREATEOR OWNER - nothing
Server operators (Server/operators) Full
System Full



0
 
kieran_bCommented:
Where are you getting those permissions?

I mean directory security in IIS, not file permissions on c:\inetpub
0
 
pstiffsaeAuthor Commented:
Default Website: Intergrated Windows only
Beneath DW
CertControl: Integrated Windows Only
CertEntroll: Intergrated Windows Only
CertSrv: Intergrated Windows Only
Exadmin: Intergrated Windows Only
Exchange: : Intergrated Windows Only
ExchWeb: : Intergrated Windows Only
Microsoft-Serv: Intergrated Windows Only
OMA: Intergrated Windows Only
Public: Intergrated Windows Only
Rpc: Basic, Default Domain (our domain)
RpcWithCert: Basic, Default Domain (our domain)
aspnet_client: Intergrated Windows Only
0
 
suppsawsCommented:
As I already said, stay off the permissions, and also stay off the NTLM.
There is no need to change a thing on SBS to make rpc working.
Have you already read the page at
http://sbs.editme.com/Exchange
"How to configure outlook over the internet (rpc over https) the correct - SBS - way " ???
the tutorial is already on your RWW page, so just follow that one.
When you can't connect it's 99% chance that it's a typo.
recheck all the things you filled in.
btw, is you cert correct (external FQDN): eg  mail.mydomain.com, if not, rerun the connect to the internet wizard.
0
 
chesterzooCommented:
the exchange IIS folder needs to have Basic authentication ticked...

Integrated isnt going to work because the laptop isnt plugged into the domain!

you willl also want the ExchWeb folder doing the same...

Cheers
0
 
suppsawsCommented:
the exchange folder needs to have basic auth tocked, but the Exweb only need anonymous auth ticked.
But as I said, there is no need to change the permissions, they should be fine by default.
0
 
kieran_bCommented:
>>But as I said, there is no need to change the permissions, they should be fine by default.

Clearly, they aren't
0
 
suppsawsCommented:
that is probably because there was already some messing around with the permissions ... :p
0
 
kieran_bCommented:
Right, which now defuncts your whole argument of "you shouldn't have to touch anything"

Either the wizards have not been run at all, or some manual configuration has taken place.

At this stage, it is safe to say that the IIS permissions are a mess, and need to be reconfigured - if you want to convince the asker that he needs a reinstall instead, be my guest.
0
 
pstiffsaeAuthor Commented:
Woah, woah woah. Permission were NOT messed with.

'What are the permissions that are set on the RPC directory?'

I answered. He meant Directory Security, which has asked when I specifically told him what the permssions were for the RPC virtual directory.

And by the way, my question was answered. My original question: 'From what I read, it may be an authentication issue with IIS and everything under the Default Website?' It was, Exchange had Intergrated and Basic clicked.
0
 
kieran_bCommented:
Don't take this the wrong way, but your IIS permissions certainly have been messed with - someone has ticked integrated authentication on the default website and said yes to the prompt of "apply this to all subdirectories?"

Your IIS permissions should be like this;

Exadmin: Intergrated Windows Only
Exchange: : Basic Only
ExchWeb: : Anonymous Only
Microsoft-Serv: Intergrated Windows and Basic Only
OMA: Basic Only
Public: Intergrated Windows and Basic Only
Rpc: Integrated Windows and Basic, Default Domain (our domain)
RpcWithCert: Integrated Windows and Basic, Default Domain (our domain)

And the non-exchange stuff

CertControl: Integrated Windows Only
CertEntroll: Anonymous Only
CertSrv: Intergrated Windows Only
0
 
pstiffsaeAuthor Commented:
Yeah, I called my Coordinator about this and his response 'we're supposed to have everything ticked for Intergrated.' Probably the reason for all the headache with this process...

Final question, we're noticing that if there is a pre-existing Outlook connection on the computer, regardless of being on the network or a remote computer or being on the domain, if the comptuer was originally set up 'on the network' (either in house or connect via the VPN) and we make the switch to connect via HTTP, it works flawlessly (minus having to login to outlook while even being on the network, in the office)

If we're attempting to create the connection for the first time on a machine that has a profile that never connected to our network while setting up initially the Outlook Exchange account, it keeps prompting for the password until we put int domain/username and password where it thinks about it for 10 seconds and says it can't reach the Exchange Server.

Is this normal?
0
 
suppsawsCommented:
When you are on a 'fast' network, it won't ask you for the username+password (see tuturial > uncheck 'on fast networks ...').
The reason that this aint working on an external, slow, network is probably the certificate.
Now, because I haven't heard an answer on my initial question:

- is this an SBS 2003 server?
- how did you add the computers to the domain?
- did you configurer your cert correctly through the 'connect to the internet wizard'
- are the IIS permissins already set to the permisoons of keiran?
0
 
pstiffsaeAuthor Commented:
It's a Microsoft Windows Server 2003, Enterprise Edition, SP 2.

We add computers to the domain by selecting properties from right clicking on My Computer, going to the Computer Name and selecting Change to join the computer on our domain.

Cert works great, through Go Daddy. No Cert errors when hitting HTTPS externally. The Cert is applied to the servers Default Website and populated down, followed instructions to a T on that.

IIS permisions AND directory security are set as previously instructed above.

The Two Ticks for on fast/slow connection connect are selected on my home computer and not at work. Regardless the question remains on whether having a pre-existing Outlook Profile that had originally connected to the network once (either on domain or off) is required for the connection to work. Is that the case?
0
 
suppsawsCommented:
ah okay, so you don't have an sbs, that is a whole different issue then.
The computers are joined correctly then.
You don't need any profile that has been connected to the network.
You can configure the rpc when the pc was never joined to the domain.
Are you sure you didn't type any typos?
In 99% of the cases it is a typo or a cert issue.
0
 
pstiffsaeAuthor Commented:
Well let me ask you this, would the Cert be incorrect NOW that Directory Security is all set up correctly? Would that change it at all?
0
 
pstiffsaeAuthor Commented:
UPDATE: Going to the https://server.domain.com goes right through, no problems.

Going to external IP address that's associated with the email server (https://12.XX.22.XXX) gives me a certificate error. What's that all about?
0
 
kieran_bCommented:
>>What's that all about?

SSL relies on a name - it "certifies" the server you are going to.  If you don't go to a name, but instead to an IP, you have broken the trust of the certificate - you must use a name
0
 
pstiffsaeAuthor Commented:
So, I have it set up correctly, so it's not that. I swear, this is 100% bizarre, and I can't make heads or tails of it.
0
 
kieran_bCommented:
I would run through this -> http://www.amset.info/exchange/rpc-http-client2.asp

Kieran
0
 
suppsawsCommented:
You must use the FQDN of the certificate.
Mostly this is smth like https://mail.mydomain.com/exchange.
Did you install the cert on the client pc? I guess so since you don't get the cert error.
Follow the amset guide 3 times, it'll probably be some kind of typo.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

  • 10
  • 9
  • 7
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now