Solved

RPC over HTTPS keeps prompting for password

Posted on 2008-06-25
31
4,423 Views
Last Modified: 2008-09-13
I am going crazy. I know I've set up the RPC over HTTPS correctly, but it keeps prompting me for username and password.

One server, modified the registry keys, followed instructions I believe to a T. From what I read, it maaay be an authentication issue with IIS and everything under the Default Website?

If so, this is what I got:
CertControl
CertEntroll
CertSrv
Exadmin
Exchange
ExchWeb
Microsoft-Serv
OMA
Public
Rpc
RpcWithCert
aspnet_client

I can connect to the https://server.domain.com/exchange and http://server.domain.com/exchange.

I have a cert with GoDaddy, properlly installed.
What am I doing wrong?
0
Comment
Question by:pstiffsae
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 10
  • 9
  • 7
  • +2
31 Comments
 
LVL 25

Expert Comment

by:kieran_b
ID: 21872161
Is the computer a domain member, and are you using NTLM in outlook?
0
 
LVL 21

Expert Comment

by:suppsaws
ID: 21872222
Hello pstiffsae,

(I assume you have an sbs 2003 server?)
Follow the SBS guide on this site:
http://sbs.editme.com/Exchange
"How to configure outlook over the internet (rpc over https) the correct - SBS - way "
No need to modify anything, place everything back the way it was.

Regards,

suppsaws
0
Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

 
LVL 2

Accepted Solution

by:
chesterzoo earned 168 total points
ID: 21873767
i found using the domain\user syntax worked for me...

if not try adding the realm on the security...

Martin
0
 

Author Comment

by:pstiffsae
ID: 21877761
a) It's not on the domain, it's my personal laptop
b) I've tried domain\username, domain/username, username@domain.com, all of those, nothing.
c) we're not using NTLM
d) I've reviewed those two links from other EE questons and they do not help.

What am I doing wrong?
0
 
LVL 25

Expert Comment

by:kieran_b
ID: 21879588
If it isn't on the domain, and you are not using NTLM, then you will always be prompted.

I believe that even if you enable NTLM, it will prompt you, but you should be able to get it to remember the password.
0
 

Author Comment

by:pstiffsae
ID: 21879947
I dont' mind being prompted, but it's not connecting. It's continually askin gfor the username and password.
0
 
LVL 25

Expert Comment

by:kieran_b
ID: 21879958
Are you trying this internally?

What are the permissions that are set on the RPC directory?
0
 

Author Comment

by:pstiffsae
ID: 21879975
Trying externally. Completely off the network. No VPN.

Permssions:
Admin (Server/Admin) FULL
Authenticated User Read, List, Read and Execute
CREATEOR OWNER - nothing
Server operators (Server/operators) Full
System Full



0
 
LVL 25

Expert Comment

by:kieran_b
ID: 21879993
Where are you getting those permissions?

I mean directory security in IIS, not file permissions on c:\inetpub
0
 

Author Comment

by:pstiffsae
ID: 21880142
Default Website: Intergrated Windows only
Beneath DW
CertControl: Integrated Windows Only
CertEntroll: Intergrated Windows Only
CertSrv: Intergrated Windows Only
Exadmin: Intergrated Windows Only
Exchange: : Intergrated Windows Only
ExchWeb: : Intergrated Windows Only
Microsoft-Serv: Intergrated Windows Only
OMA: Intergrated Windows Only
Public: Intergrated Windows Only
Rpc: Basic, Default Domain (our domain)
RpcWithCert: Basic, Default Domain (our domain)
aspnet_client: Intergrated Windows Only
0
 
LVL 21

Expert Comment

by:suppsaws
ID: 21881249
As I already said, stay off the permissions, and also stay off the NTLM.
There is no need to change a thing on SBS to make rpc working.
Have you already read the page at
http://sbs.editme.com/Exchange
"How to configure outlook over the internet (rpc over https) the correct - SBS - way " ???
the tutorial is already on your RWW page, so just follow that one.
When you can't connect it's 99% chance that it's a typo.
recheck all the things you filled in.
btw, is you cert correct (external FQDN): eg  mail.mydomain.com, if not, rerun the connect to the internet wizard.
0
 
LVL 2

Expert Comment

by:chesterzoo
ID: 21881619
the exchange IIS folder needs to have Basic authentication ticked...

Integrated isnt going to work because the laptop isnt plugged into the domain!

you willl also want the ExchWeb folder doing the same...

Cheers
0
 
LVL 21

Expert Comment

by:suppsaws
ID: 21881642
the exchange folder needs to have basic auth tocked, but the Exweb only need anonymous auth ticked.
But as I said, there is no need to change the permissions, they should be fine by default.
0
 
LVL 25

Expert Comment

by:kieran_b
ID: 21881795
>>But as I said, there is no need to change the permissions, they should be fine by default.

Clearly, they aren't
0
 
LVL 21

Expert Comment

by:suppsaws
ID: 21881819
that is probably because there was already some messing around with the permissions ... :p
0
 
LVL 25

Expert Comment

by:kieran_b
ID: 21882960
Right, which now defuncts your whole argument of "you shouldn't have to touch anything"

Either the wizards have not been run at all, or some manual configuration has taken place.

At this stage, it is safe to say that the IIS permissions are a mess, and need to be reconfigured - if you want to convince the asker that he needs a reinstall instead, be my guest.
0
 

Author Comment

by:pstiffsae
ID: 21883067
Woah, woah woah. Permission were NOT messed with.

'What are the permissions that are set on the RPC directory?'

I answered. He meant Directory Security, which has asked when I specifically told him what the permssions were for the RPC virtual directory.

And by the way, my question was answered. My original question: 'From what I read, it may be an authentication issue with IIS and everything under the Default Website?' It was, Exchange had Intergrated and Basic clicked.
0
 
LVL 25

Expert Comment

by:kieran_b
ID: 21888012
Don't take this the wrong way, but your IIS permissions certainly have been messed with - someone has ticked integrated authentication on the default website and said yes to the prompt of "apply this to all subdirectories?"

Your IIS permissions should be like this;

Exadmin: Intergrated Windows Only
Exchange: : Basic Only
ExchWeb: : Anonymous Only
Microsoft-Serv: Intergrated Windows and Basic Only
OMA: Basic Only
Public: Intergrated Windows and Basic Only
Rpc: Integrated Windows and Basic, Default Domain (our domain)
RpcWithCert: Integrated Windows and Basic, Default Domain (our domain)

And the non-exchange stuff

CertControl: Integrated Windows Only
CertEntroll: Anonymous Only
CertSrv: Intergrated Windows Only
0
 

Author Comment

by:pstiffsae
ID: 21888259
Yeah, I called my Coordinator about this and his response 'we're supposed to have everything ticked for Intergrated.' Probably the reason for all the headache with this process...

Final question, we're noticing that if there is a pre-existing Outlook connection on the computer, regardless of being on the network or a remote computer or being on the domain, if the comptuer was originally set up 'on the network' (either in house or connect via the VPN) and we make the switch to connect via HTTP, it works flawlessly (minus having to login to outlook while even being on the network, in the office)

If we're attempting to create the connection for the first time on a machine that has a profile that never connected to our network while setting up initially the Outlook Exchange account, it keeps prompting for the password until we put int domain/username and password where it thinks about it for 10 seconds and says it can't reach the Exchange Server.

Is this normal?
0
 
LVL 21

Expert Comment

by:suppsaws
ID: 21896878
When you are on a 'fast' network, it won't ask you for the username+password (see tuturial > uncheck 'on fast networks ...').
The reason that this aint working on an external, slow, network is probably the certificate.
Now, because I haven't heard an answer on my initial question:

- is this an SBS 2003 server?
- how did you add the computers to the domain?
- did you configurer your cert correctly through the 'connect to the internet wizard'
- are the IIS permissins already set to the permisoons of keiran?
0
 

Author Comment

by:pstiffsae
ID: 21898369
It's a Microsoft Windows Server 2003, Enterprise Edition, SP 2.

We add computers to the domain by selecting properties from right clicking on My Computer, going to the Computer Name and selecting Change to join the computer on our domain.

Cert works great, through Go Daddy. No Cert errors when hitting HTTPS externally. The Cert is applied to the servers Default Website and populated down, followed instructions to a T on that.

IIS permisions AND directory security are set as previously instructed above.

The Two Ticks for on fast/slow connection connect are selected on my home computer and not at work. Regardless the question remains on whether having a pre-existing Outlook Profile that had originally connected to the network once (either on domain or off) is required for the connection to work. Is that the case?
0
 
LVL 21

Expert Comment

by:suppsaws
ID: 21898627
ah okay, so you don't have an sbs, that is a whole different issue then.
The computers are joined correctly then.
You don't need any profile that has been connected to the network.
You can configure the rpc when the pc was never joined to the domain.
Are you sure you didn't type any typos?
In 99% of the cases it is a typo or a cert issue.
0
 

Author Comment

by:pstiffsae
ID: 21898916
Well let me ask you this, would the Cert be incorrect NOW that Directory Security is all set up correctly? Would that change it at all?
0
 

Author Comment

by:pstiffsae
ID: 21903674
UPDATE: Going to the https://server.domain.com goes right through, no problems.

Going to external IP address that's associated with the email server (https://12.XX.22.XXX) gives me a certificate error. What's that all about?
0
 
LVL 25

Assisted Solution

by:kieran_b
kieran_b earned 166 total points
ID: 21903751
>>What's that all about?

SSL relies on a name - it "certifies" the server you are going to.  If you don't go to a name, but instead to an IP, you have broken the trust of the certificate - you must use a name
0
 

Author Comment

by:pstiffsae
ID: 21903758
So, I have it set up correctly, so it's not that. I swear, this is 100% bizarre, and I can't make heads or tails of it.
0
 
LVL 25

Expert Comment

by:kieran_b
ID: 21903788
I would run through this -> http://www.amset.info/exchange/rpc-http-client2.asp

Kieran
0
 
LVL 21

Assisted Solution

by:suppsaws
suppsaws earned 166 total points
ID: 21905240
You must use the FQDN of the certificate.
Mostly this is smth like https://mail.mydomain.com/exchange.
Did you install the cert on the client pc? I guess so since you don't get the cert error.
Follow the amset guide 3 times, it'll probably be some kind of typo.
0

Featured Post

Revamp Your Training Process

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In-place Upgrading Dirsync to Azure AD Connect
This article will help to fix the below error for MS Exchange server 2010 I. Out Of office not working II. Certificate error "name on the security certificate is invalid or does not match the name of the site" III. Make Internal URLs and External…
In this video we show how to create a Contact in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Contact ta…
This video discusses moving either the default database or any database to a new volume.

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question