JonFleming
asked on
RPC over HTTP to SBS 2003 has stopped working
Running SBS 2003 SP2 with almost all users using Outlook 2003 on XP Pro but the experimental client I'm using has Outlook 2007 on Vista Ultimate. We do not have a 3rd-party certificate, ours is self-signed. Outlook RPC over HTTP has been working flawlessly for a year or so. It stopped working. I didn't change anything. Yeah, I know you've heard that one before.
On the server, the Default Web site | RPC | Properties | Directory Security | Authentication and Access control is correct: anonymous access unchecked, basic authentication checked. I've tried it with and without the Default Domain filled in. In Web Service Extensions | RPC Proxy Server Extension | Properties the path to rpcproxy.dll is correct: C:\Windows\system32\rpcproxy\rpcproxy.dll.
On the client, Connect to Microsoft Exchange using HTTP is checked, and in Exchange Proxy Settings the URL is https://{my FQDN}, Connect using SSL Only is checked, Only connect to proxy servers that have this principal name in their certificate is msstd:{my FQDN} (that's worded differently in Outlook 2003), On fast networks ... and On slow networks ... are both un-checked, and Use this authentication ... is Basic Authentication.
On the client, if I browse to https://{my FQDN}/RPC/ I get asked for my credentials three times, then I get a 401.3 error, which is good. If I run "Outlook.exe /rpcdiag" I get asked for my credentials, various things flash and change, then I get four lines of "... disconnected".
Plus one of my users is going to Israel on Friday, where VPN connectivity is iffy and/or blocked, and she hates OWA.
What more can I do?
ASKER
Oh, I forgot to mention ... zero, one, or both of those boxes checked makes no difference.
ASKER
I've got a Wireshark capture of the interactions between Outlook and my server. I don't know a lot about what's going on, but it looks like Outlook resets the exchange at packet 26. I'm reluctant to share the entire capture file with my server's IP in it, but I can certainly answer any questions.
RPC-over-HTTP.png
ASKER
Interestingly, no HTTP packets. I kind of expected some.
Is TLS enabled? Normally it shouldn't be.
Jeff
TechSoEasy
ASKER
TLS? Dunno, I certainly haven't turned it on. Where would I look?
Some of the packets in the Wireshark capture are listed as protocol TLSv1.
Yeah, that's why I'm thinking it's enabled.
In Outlook, go to Tools > Trust Center > Email Security. Make sure the Encrypted box isn't checked.
Jeff
TechSoEasy
ASKER
It appears that I don't have a security center in Outlook 2003. The experimental client with Outlook 2007 had a total hard disk hardware failure and is down right now, so I'm testing using Outlook 2003.
It never rains but it pours ...
Ahh... I thought we were talking about Outlook 2007. So, in Outlook 2003, instead of the Trust Center, there's a Security tab in the Options dialogue which has essentially the same settings.
Jeff
TechSoEasy
ASKER
There's not much there that looks relevant. "Send clear text signed message..." is checked, nothing else. I set all zones to default.
Under the properties of the account, More, Security tab, "Encrypt data between Outlook and server" is unchecked, "Always prompt for username and password" is unchecked, and "Logon network security" is Kerberos/NTLM (and I tried all of the other settings).
ASKER CERTIFIED SOLUTION
SOLUTION
ASKER
Techsoeasy: That looks like exactly what I need at this point.
Guswebb: Thanks, but this is happening on lots of XP systems, Small Business Server installs the certificate when the computer joins the domain, and I'm aware of that particular technique. Definitely a worthwhile post, though!
Jon,
Guswebb is actually right about the certificate issue with regards to Vista machines. See this article for details: http://blogs.technet.com/sbs/archive/2008/05/08/installing-a-self-signed-certificate-as-a-trusted-root-ca-in-windows-vista.aspx
I'll be curious to hear your results from using RPCPing though.
Jeff
TechSoEasy
ASKER
Yes, he's right, and I knew all about that before this whole thing happened. But since the problem occurs on XP machines that have been joined to the domain using SBS connectcomputer (which installs the certificate), the certificate store on the client is not the issue.
RPCPing is giving me an error, which is a good thing because it gives me something to work on, but I haven't had time yet to work on it and a quick Google returns no useful results for error 413:
C:\Documents and Settings\jfleming\Desktop> rpcping -t ncacn_http -s {FQDN} -o RpcProxy={FQDN} -P "jfleming,BPTC,*" -I "jfleming,BPTC,*" -H 1 -u 10 -a connect -F 3 -v 3 -E -R none
RPCPing v2.12. Copyright (C) Microsoft Corporation, 2002
OS Version is: 5.1, Service Pack 3
Enter password for server:
Enter password for RPC/HTTP proxy:
RPCPinging proxy server {FQDN} with Echo Request Packet
Sending ping to server
Response from server received: 413
Ping failed.
SOLUTION
Jon
Prior to my encounter with Vista/Outlook2k7 the other day I had extended RPC/HTTP problems using XP/Outlook2k3 in an SBS environment for a long time. A lot of research and a call to M$ support helped me to understand the problem and implement the solution, which stemmed from publication of the self-signed certificate and SBS registry configurations relating to the RPC ports.
Although you mention that the clients have been connected to the domain and therefore the certificate is installed, can you confirm the FQDN of the certificate being correct? Have you attempted to reinstall the certificate on any client machine (just in case it is now different to that when it was first installed)?
As per the link that Jon has provided please check the values in the 'ValidPorts' registry key which can be found in...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy]
This is where I found one of my problems (the other being the certificate FQDN).
Gus
That's essentially what is described in the thread I linked above.
Jeff
TechSoEasy
Not entirely as I am suggesting that there could still be certificate issues that have nothing to do with the registry ports configuration. In my situation (which was identical to Jon's description of the issues in hand) I had problems in both areas and RPC/HTTP didn't work until I resolved them BOTH.
The thread mentions both even though the selected solution is regarding ports.
ASKER
Techsoeasy: thanks, I'll check it out in the next few hours ... do I need to reboot to have changes take effect? Or maybe just reset IIS?
guswebb: I gave my URL to a third-party expert and he connected, installed my cert, and confirmed the validity. I have not tried reinstalling it ... I can do that.
ASKER
Ok, the ValidPorts key was:
bptc-server:593;bptc-server:6001-6002;bptc-server:6004;bptc-server.bioprocessconsultants.local:593;bptc-server.bioprocessconsultants.local:6001-6002;bptc-server.bioprocessconsultants.local:6004
I changed it to:
bptc-server:100-5000;bptc-server:6001-6002;bptc-server:6004;bptc-server.bioprocessconsultants.local:6001-6002;bptc-server.bioprocessconsultants.local:6004;{FQDN}:6001-6002;{FQDN}:6004
In addition, I changed the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ReservedPorts to:
1433-1434
1801-1801
3343-3343
1645-1646
1701-1701
1812-1813
2883-2883
4500-4500
37095-37096
6001-6002
6004-6004
(see http://blogs.technet.com/sbs/archive/2008/07/17/some-services-may-fail-to-start-or-may-not-work-properly-after-installing-ms08-037-951746-and-951748.aspx).
I restarted IIS.
On a Vista machine that's never previously seen our network, I ran IE as administrator, went to OWA, and installed the certificate in the Trusted Root Authorities store. Now when I go to OWA on that machine I get a strange cert request: see http://i2.photobucket.com/albums/y10/JonF/Certquestion.png. If I click OK I get OWA with no pink in the security report or address. But RPCPing still gives a 413.
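Added example (editor's, not part of the thread): a small Python checker for the two registry values quoted in the post above. It assumes that RPC over HTTP to Exchange 2003 needs, for every backend host name listed in ValidPorts, TCP 593 (RPC endpoint mapper), 6001 (Information Store), 6002 (DS Referral) and 6004 (DSProxy/NSPI), and that the Exchange ports 6001-6002 and 6004 should appear in ReservedPorts, as the linked SBS post recommends. The sample values are the ones pasted in the thread, {FQDN} placeholder included.

```python
# Added example, not from the thread: parse the ValidPorts and ReservedPorts
# values quoted above and report gaps.  Assumptions: RPC over HTTP against
# Exchange 2003 needs, for every backend host name in ValidPorts, TCP 593
# (RPC endpoint mapper), 6001 (Information Store), 6002 (DS Referral) and
# 6004 (DSProxy/NSPI); the linked SBS post reserves 6001-6002 and 6004 in
# Tcpip\Parameters\ReservedPorts so no other service binds them.
from typing import Dict, Iterable, List, Set

RPC_HTTP_PORTS = {593, 6001, 6002, 6004}   # wanted per host in ValidPorts
EXCHANGE_PORTS = {6001, 6002, 6004}        # what the thread reserves


def parse_port_spec(spec: str) -> Set[int]:
    """Expand '593' or '6001-6002' into the set of ports it covers."""
    lo, _, hi = spec.strip().partition("-")
    lo_n, hi_n = int(lo), int(hi or lo)
    if not 0 < lo_n <= hi_n <= 65535:
        raise ValueError(f"bad port range: {spec!r}")
    return set(range(lo_n, hi_n + 1))


def parse_valid_ports(value: str) -> Dict[str, Set[int]]:
    """Turn the REG_SZ 'host:ports;host:ports;...' into {host: {ports}}.

    Hosts are kept as literal strings: the RPC proxy matches the server:port
    Outlook asks for against these entries, so the NetBIOS name and the FQDN
    each need their own entries.
    """
    hosts: Dict[str, Set[int]] = {}
    for entry in filter(None, (e.strip() for e in value.split(";"))):
        host, sep, spec = entry.rpartition(":")
        if not sep or not host:
            raise ValueError(f"malformed ValidPorts entry: {entry!r}")
        hosts.setdefault(host, set()).update(parse_port_spec(spec))
    return hosts


def missing_ports(value: str, required: Iterable[int] = RPC_HTTP_PORTS) -> Dict[str, Set[int]]:
    """Per host, the required ports ValidPorts does not allow (empty dict = OK)."""
    need = set(required)
    return {host: need - ports
            for host, ports in parse_valid_ports(value).items()
            if need - ports}


def parse_reserved_ports(lines: List[str]) -> Set[int]:
    """ReservedPorts is a REG_MULTI_SZ of 'lo-hi' ranges, one per line."""
    reserved: Set[int] = set()
    for line in lines:
        if line.strip():
            reserved |= parse_port_spec(line)
    return reserved


def unreserved_ports(lines: List[str], wanted: Iterable[int] = EXCHANGE_PORTS) -> Set[int]:
    """The wanted ports that ReservedPorts does not protect (empty set = OK)."""
    return set(wanted) - parse_reserved_ports(lines)


# Sample inputs copied from the post above ({FQDN} is the poster's placeholder).
VALIDPORTS_BEFORE = (
    "bptc-server:593;bptc-server:6001-6002;bptc-server:6004;"
    "bptc-server.bioprocessconsultants.local:593;"
    "bptc-server.bioprocessconsultants.local:6001-6002;"
    "bptc-server.bioprocessconsultants.local:6004"
)
VALIDPORTS_AFTER = (
    "bptc-server:100-5000;bptc-server:6001-6002;bptc-server:6004;"
    "bptc-server.bioprocessconsultants.local:6001-6002;"
    "bptc-server.bioprocessconsultants.local:6004;"
    "{FQDN}:6001-6002;{FQDN}:6004"
)
RESERVEDPORTS_AFTER = ["1433-1434", "1801-1801", "3343-3343", "1645-1646",
                       "1701-1701", "1812-1813", "2883-2883", "4500-4500",
                       "37095-37096", "6001-6002", "6004-6004"]

if __name__ == "__main__":
    for label, value in (("before", VALIDPORTS_BEFORE), ("after", VALIDPORTS_AFTER)):
        gaps = missing_ports(value)
        print(f"ValidPorts {label}: {'OK' if not gaps else gaps}")
    gaps = unreserved_ports(RESERVEDPORTS_AFTER)
    print(f"ReservedPorts: {'OK' if not gaps else sorted(gaps)}")
```

Run on the thread's values, the checker passes the original ValidPorts and, for the edited one, reports that the bptc-server.bioprocessconsultants.local and {FQDN} entries no longer allow 593 (the NetBIOS entry still does, through the 100-5000 range); whether that matters depends on which server name the Outlook profile uses. The ReservedPorts list covers 6001-6002 and 6004.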
In the future, please post any screen shots directly to the thread by clicking on the "attach file" box.
The error message you are getting is because the Default Web Site security settings have been changed to "Accept client certificates". Open up the properties of the default web site, and on the directory security tab under Secure communications, click the Edit... button.
The only things that should be set on that screen are Require secure channel (SSL), Require 128-bit encryption, and Ignore client certificates.
Jeff
TechSoEasy
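Added example (editor's, not part of the thread): the Secure communications dialog Jeff describes is backed by the IIS 6 metabase property AccessSSLFlags, so the state of the RPC virtual directory can be audited from a script. The bit values assumed here are those of the IIS 6 metabase reference (AccessSSL=8, AccessSSLNegotiateCert=32, AccessSSLRequireCert=64, AccessSSLMapCert=128, AccessSSL128=256); the adsutil.vbs command in the comment, the site id 1 for the Default Web Site, and the sample output line are assumptions, not from the thread.

```python
# Added example, not from the thread: decode the IIS 6 metabase AccessSSLFlags
# value so the "Secure communications" state described above can be audited
# from a script rather than the MMC dialog.  Assumptions: bit values as in the
# IIS 6 metabase reference; the value is read with something like
#   cscript %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs GET W3SVC/1/ROOT/Rpc/AccessSSLFlags
# (site id 1 = Default Web Site, RPC virtual directory) and the output line is
# pasted in.  The sample line below is constructed.
import re
from typing import Dict, List

ACCESS_SSL = 0x8                  # "Require secure channel (SSL)"
ACCESS_SSL_NEGOTIATE_CERT = 0x20  # "Accept client certificates"
ACCESS_SSL_REQUIRE_CERT = 0x40    # "Require client certificates" (set with negotiate)
ACCESS_SSL_MAP_CERT = 0x80        # client certificate mapping
ACCESS_SSL_128 = 0x100            # "Require 128-bit encryption"

# The state the thread settles on for the RPC directory: SSL + 128-bit, no client certs.
RECOMMENDED_FLAGS = ACCESS_SSL | ACCESS_SSL_128   # 264


def decode_access_ssl_flags(flags: int) -> Dict[str, object]:
    """Map the bitmask to the check boxes in the Secure Communications dialog."""
    if flags & ACCESS_SSL_REQUIRE_CERT:
        client_certs = "require"
    elif flags & ACCESS_SSL_NEGOTIATE_CERT:
        client_certs = "accept"
    else:
        client_certs = "ignore"
    return {
        "require_ssl": bool(flags & ACCESS_SSL),
        "require_128bit": bool(flags & ACCESS_SSL_128),
        "client_certs": client_certs,
        "map_certs": bool(flags & ACCESS_SSL_MAP_CERT),
    }


def audit_rpc_vdir(flags: int) -> List[str]:
    """Deviations from the recommended state (empty list = OK)."""
    state = decode_access_ssl_flags(flags)
    problems: List[str] = []
    if not state["require_ssl"]:
        problems.append("Require secure channel (SSL) is off")
    if not state["require_128bit"]:
        problems.append("Require 128-bit encryption is off")
    if state["client_certs"] != "ignore":
        problems.append(f"client certificates are '{state['client_certs']}', should be 'ignore'")
    if state["map_certs"]:
        problems.append("client certificate mapping is enabled")
    return problems


_ADSUTIL_LINE = re.compile(r"AccessSSLFlags\s*:\s*\(INTEGER\)\s*(\d+)")


def parse_adsutil_output(text: str) -> int:
    """Pull the integer out of adsutil's 'AccessSSLFlags : (INTEGER) N' line."""
    m = _ADSUTIL_LINE.search(text)
    if not m:
        raise ValueError("no AccessSSLFlags value found in adsutil output")
    return int(m.group(1))


# Constructed sample: what adsutil would print for the state the poster found
# (Accept client certificates on, Require SSL and 128-bit off).
SAMPLE_BEFORE = "AccessSSLFlags                  : (INTEGER) 32"

if __name__ == "__main__":
    before = parse_adsutil_output(SAMPLE_BEFORE)
    print("before:", decode_access_ssl_flags(before), audit_rpc_vdir(before))
    print("after :", decode_access_ssl_flags(RECOMMENDED_FLAGS), audit_rpc_vdir(RECOMMENDED_FLAGS))
```

Because the dialog offers "propagate to child nodes", the same check is worth running on the /Rpc path and on the site root; a value of 264 on /Rpc is the state the thread ends with, and any value with bit 32 set is the "Accept client certificates" prompt the poster saw.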
ASKER
Whoops, sorry, I can't keep track of which sites allow what in the way of posting images. Here it is for the benefit of future generations.
On the referenced page Allow Client Certificates was on; I set it to Ignore. Require SSL and require 128-bit were off; I set them to on. I was asked if I wanted to propagate the changes to lower web sites with different settings, and I did so for all of them.
I rebooted the server (there was an unrelated problem) and now, lo and behold, RPC over HTTP is working!! One user reports his Treo is failing to get email, so maybe I've broken that, but that's another story.
Thanks for all your help!!
Certquestion.png
Terrific! Glad you got it working!
Jeff
TechSoEasy
ASKER
One final comment: "Require SSL" and "Require 128 bits" have to be off in order for Treos to receive Exchange email (assuming that you are using a self-signed certificate as we are, so Treos must not be set to use SSL because they will not accept a self-signed certificate).
You can certainly install a self-signed certificate in a Windows-based Treo. For a Palm-based Treo you might need to modify the SSL certificate for it to install.
For Windows devices, see http://sbsurl.com/mobile
For Palm devices see http://www.palm.com/us/support/downloads/versamail/certmodtool.html
Jeff
TechSoEasy
ASKER
Thanks for pointing that out. I think that's relatively new; I couldn't find anything like it a year or so ago. And I definitely recall a statement on the Palm web site that a certificate traceable to the factory-installed trusted list was required.
It's always easier to sync mobile devices if you have a 3rd party certificate. Considering you can get those for around $20.00, it really doesn't make much sense to use a self-signed certificate if you have a number of different mobile devices.
If you go that route, check out http://sbsurl.com/ssl for instructions on how to order it and install.
Jeff
TechSoEasy
If both are unchecked, it's not going to connect via HTTP, yet you've checked the box on the Connection tab that says "Connect to Microsoft Exchange using HTTP".
You need to check at least the "On Slow Networks" box.
Jeff
TechSoEasy