Solved

RPC over HTTPS keeps prompting for password

Posted on 2008-06-25
31
4,340 Views
Last Modified: 2008-09-13
I am going crazy. I know I've set up the RPC over HTTPS correctly, but it keeps prompting me for username and password.

One server, modified the registry keys, followed instructions I believe to a T. From what I read, it maaay be an authentication issue with IIS and everything under the Default Website?

If so, this is what I got:
CertControl
CertEntroll
CertSrv
Exadmin
Exchange
ExchWeb
Microsoft-Serv
OMA
Public
Rpc
RpcWithCert
aspnet_client

I can connect to the https://server.domain.com/exchange and http://server.domain.com/exchange.

I have a cert with GoDaddy, properlly installed.
What am I doing wrong?
0
Comment
Question by:pstiffsae
  • 10
  • 9
  • 7
  • +2
31 Comments
 
LVL 25

Expert Comment

by:kieran_b
Comment Utility
Is the computer a domain member, and are you using NTLM in outlook?
0
 
LVL 21

Expert Comment

by:suppsaws
Comment Utility
Hello pstiffsae,

(I assume you have an sbs 2003 server?)
Follow the SBS guide on this site:
http://sbs.editme.com/Exchange
"How to configure outlook over the internet (rpc over https) the correct - SBS - way "
No need to modify anything, place everything back the way it was.

Regards,

suppsaws
0
 
LVL 2

Expert Comment

by:chand_shahzad
Comment Utility
0
 
LVL 2

Accepted Solution

by:
chesterzoo earned 168 total points
Comment Utility
i found using the domain\user syntax worked for me...

if not try adding the realm on the security...

Martin
0
 

Author Comment

by:pstiffsae
Comment Utility
a) It's not on the domain, it's my personal laptop
b) I've tried domain\username, domain/username, username@domain.com, all of those, nothing.
c) we're not using NTLM
d) I've reviewed those two links from other EE questons and they do not help.

What am I doing wrong?
0
 
LVL 25

Expert Comment

by:kieran_b
Comment Utility
If it isn't on the domain, and you are not using NTLM, then you will always be prompted.

I believe that even if you enable NTLM, it will prompt you, but you should be able to get it to remember the password.
0
 

Author Comment

by:pstiffsae
Comment Utility
I dont' mind being prompted, but it's not connecting. It's continually askin gfor the username and password.
0
 
LVL 25

Expert Comment

by:kieran_b
Comment Utility
Are you trying this internally?

What are the permissions that are set on the RPC directory?
0
 

Author Comment

by:pstiffsae
Comment Utility
Trying externally. Completely off the network. No VPN.

Permssions:
Admin (Server/Admin) FULL
Authenticated User Read, List, Read and Execute
CREATEOR OWNER - nothing
Server operators (Server/operators) Full
System Full



0
 
LVL 25

Expert Comment

by:kieran_b
Comment Utility
Where are you getting those permissions?

I mean directory security in IIS, not file permissions on c:\inetpub
0
 

Author Comment

by:pstiffsae
Comment Utility
Default Website: Intergrated Windows only
Beneath DW
CertControl: Integrated Windows Only
CertEntroll: Intergrated Windows Only
CertSrv: Intergrated Windows Only
Exadmin: Intergrated Windows Only
Exchange: : Intergrated Windows Only
ExchWeb: : Intergrated Windows Only
Microsoft-Serv: Intergrated Windows Only
OMA: Intergrated Windows Only
Public: Intergrated Windows Only
Rpc: Basic, Default Domain (our domain)
RpcWithCert: Basic, Default Domain (our domain)
aspnet_client: Intergrated Windows Only
0
 
LVL 21

Expert Comment

by:suppsaws
Comment Utility
As I already said, stay off the permissions, and also stay off the NTLM.
There is no need to change a thing on SBS to make rpc working.
Have you already read the page at
http://sbs.editme.com/Exchange
"How to configure outlook over the internet (rpc over https) the correct - SBS - way " ???
the tutorial is already on your RWW page, so just follow that one.
When you can't connect it's 99% chance that it's a typo.
recheck all the things you filled in.
btw, is you cert correct (external FQDN): eg  mail.mydomain.com, if not, rerun the connect to the internet wizard.
0
 
LVL 2

Expert Comment

by:chesterzoo
Comment Utility
the exchange IIS folder needs to have Basic authentication ticked...

Integrated isnt going to work because the laptop isnt plugged into the domain!

you willl also want the ExchWeb folder doing the same...

Cheers
0
 
LVL 21

Expert Comment

by:suppsaws
Comment Utility
the exchange folder needs to have basic auth tocked, but the Exweb only need anonymous auth ticked.
But as I said, there is no need to change the permissions, they should be fine by default.
0
6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

 
LVL 25

Expert Comment

by:kieran_b
Comment Utility
>>But as I said, there is no need to change the permissions, they should be fine by default.

Clearly, they aren't
0
 
LVL 21

Expert Comment

by:suppsaws
Comment Utility
that is probably because there was already some messing around with the permissions ... :p
0
 
LVL 25

Expert Comment

by:kieran_b
Comment Utility
Right, which now defuncts your whole argument of "you shouldn't have to touch anything"

Either the wizards have not been run at all, or some manual configuration has taken place.

At this stage, it is safe to say that the IIS permissions are a mess, and need to be reconfigured - if you want to convince the asker that he needs a reinstall instead, be my guest.
0
 

Author Comment

by:pstiffsae
Comment Utility
Woah, woah woah. Permission were NOT messed with.

'What are the permissions that are set on the RPC directory?'

I answered. He meant Directory Security, which has asked when I specifically told him what the permssions were for the RPC virtual directory.

And by the way, my question was answered. My original question: 'From what I read, it may be an authentication issue with IIS and everything under the Default Website?' It was, Exchange had Intergrated and Basic clicked.
0
 
LVL 25

Expert Comment

by:kieran_b
Comment Utility
Don't take this the wrong way, but your IIS permissions certainly have been messed with - someone has ticked integrated authentication on the default website and said yes to the prompt of "apply this to all subdirectories?"

Your IIS permissions should be like this;

Exadmin: Intergrated Windows Only
Exchange: : Basic Only
ExchWeb: : Anonymous Only
Microsoft-Serv: Intergrated Windows and Basic Only
OMA: Basic Only
Public: Intergrated Windows and Basic Only
Rpc: Integrated Windows and Basic, Default Domain (our domain)
RpcWithCert: Integrated Windows and Basic, Default Domain (our domain)

And the non-exchange stuff

CertControl: Integrated Windows Only
CertEntroll: Anonymous Only
CertSrv: Intergrated Windows Only
0
 

Author Comment

by:pstiffsae
Comment Utility
Yeah, I called my Coordinator about this and his response 'we're supposed to have everything ticked for Intergrated.' Probably the reason for all the headache with this process...

Final question, we're noticing that if there is a pre-existing Outlook connection on the computer, regardless of being on the network or a remote computer or being on the domain, if the comptuer was originally set up 'on the network' (either in house or connect via the VPN) and we make the switch to connect via HTTP, it works flawlessly (minus having to login to outlook while even being on the network, in the office)

If we're attempting to create the connection for the first time on a machine that has a profile that never connected to our network while setting up initially the Outlook Exchange account, it keeps prompting for the password until we put int domain/username and password where it thinks about it for 10 seconds and says it can't reach the Exchange Server.

Is this normal?
0
 
LVL 21

Expert Comment

by:suppsaws
Comment Utility
When you are on a 'fast' network, it won't ask you for the username+password (see tuturial > uncheck 'on fast networks ...').
The reason that this aint working on an external, slow, network is probably the certificate.
Now, because I haven't heard an answer on my initial question:

- is this an SBS 2003 server?
- how did you add the computers to the domain?
- did you configurer your cert correctly through the 'connect to the internet wizard'
- are the IIS permissins already set to the permisoons of keiran?
0
 

Author Comment

by:pstiffsae
Comment Utility
It's a Microsoft Windows Server 2003, Enterprise Edition, SP 2.

We add computers to the domain by selecting properties from right clicking on My Computer, going to the Computer Name and selecting Change to join the computer on our domain.

Cert works great, through Go Daddy. No Cert errors when hitting HTTPS externally. The Cert is applied to the servers Default Website and populated down, followed instructions to a T on that.

IIS permisions AND directory security are set as previously instructed above.

The Two Ticks for on fast/slow connection connect are selected on my home computer and not at work. Regardless the question remains on whether having a pre-existing Outlook Profile that had originally connected to the network once (either on domain or off) is required for the connection to work. Is that the case?
0
 
LVL 21

Expert Comment

by:suppsaws
Comment Utility
ah okay, so you don't have an sbs, that is a whole different issue then.
The computers are joined correctly then.
You don't need any profile that has been connected to the network.
You can configure the rpc when the pc was never joined to the domain.
Are you sure you didn't type any typos?
In 99% of the cases it is a typo or a cert issue.
0
 

Author Comment

by:pstiffsae
Comment Utility
Well let me ask you this, would the Cert be incorrect NOW that Directory Security is all set up correctly? Would that change it at all?
0
 

Author Comment

by:pstiffsae
Comment Utility
UPDATE: Going to the https://server.domain.com goes right through, no problems.

Going to external IP address that's associated with the email server (https://12.XX.22.XXX) gives me a certificate error. What's that all about?
0
 
LVL 25

Assisted Solution

by:kieran_b
kieran_b earned 166 total points
Comment Utility
>>What's that all about?

SSL relies on a name - it "certifies" the server you are going to.  If you don't go to a name, but instead to an IP, you have broken the trust of the certificate - you must use a name
0
 

Author Comment

by:pstiffsae
Comment Utility
So, I have it set up correctly, so it's not that. I swear, this is 100% bizarre, and I can't make heads or tails of it.
0
 
LVL 25

Expert Comment

by:kieran_b
Comment Utility
I would run through this -> http://www.amset.info/exchange/rpc-http-client2.asp

Kieran
0
 
LVL 21

Assisted Solution

by:suppsaws
suppsaws earned 166 total points
Comment Utility
You must use the FQDN of the certificate.
Mostly this is smth like https://mail.mydomain.com/exchange.
Did you install the cert on the client pc? I guess so since you don't get the cert error.
Follow the amset guide 3 times, it'll probably be some kind of typo.
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

We are happy to announce a brand new addition to our line of acclaimed email signature management products – CodeTwo Email Signatures for Office 365.
Check out this infographic on what you need to make a good email signature that will work perfectly for your organization.
In this video we show how to create a Shared Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Sha…
In this video we show how to create an email address policy in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Mail Flow…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now