Solved

RPC Over HTTPS

Posted on 2009-04-16
Last Modified: 2012-05-06
Ok, I give up. I have been on this task for 4 hours now. I have a "single" Exchange Server 2003 with SP2 installed and configured as a back-end server as instructed. I have modified the registry as in the code below. I have enabled SSL and am able to browse to my domain using OWA over SSL just fine: http://www.ryhal.com/exchange

I have configured the IIS RPC virtual directories. I have tried to set up Outlook 2007 to connect to the FQDN and NetBIOS names "sls-ce10p12" and "sls-ce10p12.dca2.superb.net" and then enabled Connect Using HTTP. I have TCP ports 6000 through 6004 open on the firewall. I am prompted for credentials within Outlook, but no luck when I type them in. I even tried DOMAINNAME\USER with nothing. Any ideas, or is there an easier way? I don't want to POP the email. The domain name is RYHAL.COM
sls-ce10p12:6001-6002;sls-ce10p12.dca2.superb.net:6001-6002;ryhal.com:6001-6002;sls-ce10p12:6004;sls-ce10p12.dca2.superb.net:6004;ryhal.com:6004

Question by: chrisryhal
21 Comments

Expert Comment by: Raghuv (ID: 24166130)
Check out the articles below to confirm that you have set up RPC over HTTP correctly:

http://www.msexchange.org/tutorials/outlookrpchttp.html
http://www.petri.co.il/how-can-i-configure-rpc-over-https-on-exchange-2003-single-server-scenario.htm
http://www.petri.co.il/testing_rpc_over_http_connection.htm
http://www.msexchange.org/tutorials/Outlook_2003_Connect_Exchange_2003.html

PS: Also check whether you get a blank page when you browse to rpcproxy.dll from the computer where you have Outlook installed (https://mail.domain.com/rpc/rpcproxy.dll).

Expert Comment by: Mestha (ID: 24166162)
The only entries that should be in the registry are the ones that match the host name on your SSL certificate. I don't know why you have those other names in there.

Is the SSL certificate a commercial one or a home grown certificate? If it is the latter it needs to be the former.

The three most common reasons for this feature to fail are
- SSL certificate trust issues
- Authentication mismatch (basic on the virtual directory, NTLM in Outlook or Integrated on the virtual directory and basic in Outlook)
- Registry settings.

Simon.
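The first two causes in the list above (certificate trust or name mismatch, and an authentication-scheme mismatch between the virtual directory and the Outlook profile) can be checked from the Outlook side before touching the server. The script below is an added example, not code from the thread or from any of the linked articles: it parses the WWW-Authenticate challenge that /rpc/rpcproxy.dll returns to an unauthenticated request and compares it with what a profile set to Basic or to NTLM will attempt, and it compares the certificate's subject CN with the msstd: principal name configured in Outlook. The host name www.ryhal.com and the challenge list {Negotiate, NTLM} are the ones the connectivity test in this thread reports; the sample challenge is constructed inline so the checks run offline, only probe_rpcproxy() talks to a live server, and the wildcard-CN rule is an assumption (the thread's certificate is a plain www.ryhal.com).

```python
"""Outlook-side checks for two of the three causes listed above:
certificate trust / name mismatch and an authentication-scheme mismatch.

Added example, not code from the thread. Host names are the thread's; the
sample WWW-Authenticate values are constructed so the checks run offline.
"""
import http.client
import re
import ssl

# What the Outlook profile will try, per the "Exchange Proxy Settings" choice.
OUTLOOK_MODES = {"basic": {"Basic"}, "ntlm": {"NTLM", "Negotiate"}}

# A scheme token stands at the start of a header value or after a comma and is
# followed by whitespace, a comma or the end; 'realm="..."' style params are not.
_SCHEME = re.compile(r"(?:^|,\s*)([A-Za-z][\w-]*)(?=\s|,|$)")


def parse_www_authenticate(values):
    """Set of scheme names from a list of WWW-Authenticate header values.

    IIS sends one header per scheme ('Negotiate', 'NTLM', 'Basic realm="..."');
    comma-joined values, as some proxies emit them, are handled as well.
    """
    schemes = set()
    for value in values:
        schemes.update(_SCHEME.findall(value))
    return schemes


def outlook_auth_compatible(offered, outlook_mode):
    """True when the virtual directory offers a scheme the profile will use."""
    return bool(offered & OUTLOOK_MODES[outlook_mode.lower()])


def cert_matches_principal(cert_cn, msstd_principal):
    """Compare the certificate subject CN with Outlook's 'msstd:<name>' value.

    Case-insensitive; a '*.' CN is accepted for one label (assumption: the usual
    TLS wildcard rule; the thread's certificate is a plain www.ryhal.com).
    """
    name = msstd_principal.lower()
    if name.startswith("msstd:"):
        name = name[len("msstd:"):]
    cn = cert_cn.lower()
    if cn == name:
        return True
    if cn.startswith("*.") and "." in name:
        return cn[2:] == name.split(".", 1)[1]
    return False


def subject_cn(cert):
    """Pull commonName out of the nested tuples ssl's getpeercert() returns."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def probe_rpcproxy(host, msstd_principal, outlook_mode="ntlm", timeout=10):
    """Live check (needs network): TLS trust, CN vs msstd:, offered schemes."""
    findings = {"trusted": False, "cn_ok": False, "auth_ok": False, "schemes": set()}
    ctx = ssl.create_default_context()   # system trust store: a home-grown CA fails here
    conn = http.client.HTTPSConnection(host, 443, context=ctx, timeout=timeout)
    try:
        conn.connect()
    except ssl.SSLCertVerificationError as exc:
        findings["error"] = "certificate not trusted: %s" % exc
        return findings
    findings["trusted"] = True
    cn = subject_cn(conn.sock.getpeercert())
    findings["cn"] = cn
    findings["cn_ok"] = bool(cn) and cert_matches_principal(cn, msstd_principal)
    conn.request("GET", "/rpc/rpcproxy.dll")   # unauthenticated: expect 401 + challenge
    resp = conn.getresponse()
    resp.read()
    findings["status"] = resp.status
    findings["schemes"] = parse_www_authenticate(resp.headers.get_all("WWW-Authenticate") or [])
    findings["auth_ok"] = outlook_auth_compatible(findings["schemes"], outlook_mode)
    conn.close()
    return findings


# Constructed: the challenge the connectivity test in this thread reports for
# https://www.ryhal.com/rpc/rpcproxy.dll ("Methods Found: Negotiate NTLM").
SAMPLE_CHALLENGE = ["Negotiate", "NTLM"]


def diagnose_offline(challenge=SAMPLE_CHALLENGE, cert_cn="www.ryhal.com",
                     msstd_principal="msstd:www.ryhal.com"):
    """Run the two offline checks; a profile set to Basic would fail this challenge."""
    schemes = parse_www_authenticate(challenge)
    return {
        "schemes": schemes,
        "ntlm_profile_ok": outlook_auth_compatible(schemes, "ntlm"),
        "basic_profile_ok": outlook_auth_compatible(schemes, "basic"),
        "cn_ok": cert_matches_principal(cert_cn, msstd_principal),
    }


if __name__ == "__main__":
    print(diagnose_offline())
```

With the challenge the connectivity test saw, a profile set to NTLM passes and one set to Basic does not, which is the mismatch case in the list above; a self-signed certificate shows up in probe_rpcproxy() as the trust error rather than as a name mismatch.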

Author Comment by: chrisryhal (ID: 24166630)
Raghuv: I am prompted for credentials, I type them in, and yes, a blank page.

Mestha: I have Basic and Integrated set on both of the virtual directories, as the articles Raghuv suggested. I have been through every one of those. I set up a Certificate Authority on the server and generated it myself. I know several locations where they are not commercial and it works.

Author Comment by: chrisryhal (ID: 24166640)
The reason my registry looks the way it does is because nearly all the tutorials instructed me to do it that way.

Expert Comment by: Mestha (ID: 24166867)
Mine wouldn't have done.
http://www.amset.info/exchange/rpc-http.asp
I also never recommend using a self generated certificate. While it can be made to work, it can take many hours. I can get this feature to work in less than 30 minutes, including the time to get the certificate.

Simon.

Author Comment by: chrisryhal (ID: 24166933)
Ok, I think the first thing is to get the SSL cert from a trusted authority. I'll do that first. Looked at your article and it's a LOT easier than the others. Will be in touch

Author Comment by: chrisryhal (ID: 24175835)
Any chance you could confirm what ports need open for this to work through the firewall?

Author Comment by: chrisryhal (ID: 24175913)
Well, I did as instructed and something still is not right. I ran the test from https://www.testexchangeconnectivity.com/ and here is the result.

Here are the registry keys I created:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy]
"ValidPorts"="sls-ce10p12:100-5000;sls-ce10p12:6001-6002;sls-ce10p12:6004;sls-ce10p12.ryhal.com:6001-6002;sls-ce10p12.ryhal.com:6004;www.ryhal.com:6001-6002;www.ryhal.com:6004;"

Test result:
 Attempting to Resolve the host name www.ryhal.com in DNS.
 Host successfully Resolved
Additional Details
 IP(s) returned: 66.36.240.70
 
Testing TCP Port 443 on host www.ryhal.com to ensure it is listening/open.
 The port was opened successfully.
 
Testing SSLCertificate for validity.
 The certificate passed all validation requirements.
Additional Details
 Subject: CN=www.ryhal.com, OU=Domain Control Validated - RapidSSL(R), OU=See www.rapidssl.com/resources/cps (c)09, OU=GT92215490, O=www.ryhal.com, C=US, Issuer CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
 
Testing SSL mutual authentication with RPC Proxy server
 Successfully verified Mutual Authentication
Additional Details
 Certificate common name www.ryhal.com matches msstd:www.ryhal.com
 
Testing Http Authentication Methods for URL https://www.ryhal.com/rpc/rpcproxy.dll
 Http Authentication Methods are correct
Additional Details
 Found all expected authentication methods and no disallowed methods Methods Found: Negotiate NTLM 
 
Attempting to Ping RPC Proxy www.ryhal.com
 Pinged RPC Proxy successfully
Additional Details
 Completed with HTTP status 200 - OK
 
Attempting to ping RPC Endpoint 6001 (Exchange Information Store) on server sls-ce10p12.ryhal.com
 Failed to ping Endpoint
 Tell me more about this issue and how to resolve it
 
Additional Details
 RPC_S_SERVER_UNAVAILABLE error (0x6ba) was thrown by the RPC Runtime


Author Comment by: chrisryhal (ID: 24175922)
Ports 6000-6004 are open as well

Expert Comment by: Mestha (ID: 24176054)
You only need port 443. Any other ports that you have opened should be closed.

Is sls-ce10p12 your Exchange server? Its INTERNAL FQDN?

Simon.

Author Comment by: chrisryhal (ID: 24176070)
See attached.  
Doc1.doc

Author Comment by: chrisryhal (ID: 24176079)
Doing an IPCONFIG /ALL, it displays as sls-ce10p12

Pinging sls-ce10p12 resolves to sls-ce10p12.dca2.superb.net

I have tried modifying the registry to reflect both, with no luck

Expert Comment by: Mestha (ID: 24176097)
I don't open .doc files on this site as they can hold a payload.

The entries that you have to put into your registry are the server's real FQDN, as shown in the properties of My Computer.

Simon.

Author Comment by: chrisryhal (ID: 24176100)
That's what I sent, just a screenshot of My Computer. It's sls-ce10p12.dca2.superb.net

Tried that with no luck

Expert Comment by: Mestha (ID: 24179242)
"superb.net" seems to be a major internet hosting company. Is that what your AD name is?

Simon.

Author Comment by: chrisryhal (ID: 24179747)
Correct, Superb is a hosting company, but I own a dedicated server that I terminal-service into. It's my hardware, so I am able to do whatever I want with it. I just host it there because I needed the bandwidth for what I do. That Word document contains a screenshot of the My Computer properties (I realize you stated you didn't want to open it), so I made a link to it here so you could just see the .JPG file.

http://ryhal.com/Mycomputer.jpg

You don't realize HOW much I appreciate this. If I can be of ANY development or DB assistance, please feel free to let me know. This RPC is something I have actually attempted in the past with no luck. Just trying to prevent the need for VPN, and I REALLY would like to work with Exchange versus the POP3 function.

Expert Comment by: Mestha (ID: 24179801)
Is the server part of an Active Directory domain?
When you configured the AD domain what did you configure as your internal DNS?

The settings are now confusing.
The usual state for a machine is host.example.com, where host is the server's name, example.com is the WINDOWS domain.

In your example, your WINDOWS domain and the server's FQDN are completely different. I don't know how RPC over HTTPS is going to react to that, if it can cope with it.

Is this machine also a domain controller?

Simon.

Author Comment by: chrisryhal (ID: 24180043)
Domain Controller:  Yes
Exchange on this box:  Yes
AD Domain:  Ryhal.com

I did not specify the name of the machine but will request it to be changed.   It should be something like <computername>.ryhal.com versus the whole sls-ce10p12.dca2.superb.net then I assume?

Accepted Solution by: Mestha (earned 2000 total points; ID: 24183299)
If the machine is a domain controller then don't try and change its name. That will break not only Exchange, but also the domain controller functionality. It should have been named correctly to begin with, and I am surprised that it didn't have its name changed when the AD was created.

The problem I have is that I don't know whether you are going to get RPC over HTTPS to work in that configuration. It is not something I have done before, and I am not sure on the exact registry changes required.

Simon.

Author Comment by: chrisryhal (ID: 24183651)
I just found out that the reason for the "dca2.superb.net" was merely a DNS suffix. I removed the DNS suffix; now the name is sls-ce10p12.ryhal.com, and always was, other than that suffix the host put on there. I'm going to try again and let you know the result
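The connectivity-test output earlier in the thread fails at the point where the RPC proxy is asked to open a back-end endpoint (RPC_S_SERVER_UNAVAILABLE, 0x6ba) after the proxy itself answered 200; that forward is gated by the ValidPorts value under HKLM\SOFTWARE\Microsoft\Rpc\RpcProxy, a REG_SZ of host:port or host:low-high entries separated by semicolons, in which the host must be the name the client asks the proxy to forward to. The script below is an added example, not code from the thread or from the linked tutorials: it parses the two ValidPorts strings posted in this thread (both embedded inline) and reports which name/port pairs each value would refuse to forward for the two names the server carried, with the hoster's DNS suffix in effect and after it was removed. The ports 6001, 6002 and 6004 are the ones the thread's own registry entries use; the case-insensitive host comparison is an assumption about the proxy's matching.

```python
"""Check an RpcProxy ValidPorts value against the names the proxy must forward to.

Added example, not code from the thread. The two ValidPorts strings below are the
ones posted in this thread; the server names and ports are the thread's as well.
"""
import re

# Back-end endpoints Outlook asks the proxy to open on a single-server
# Exchange 2003 box: store (6001), DSReferral (6002) and DSProxy/NSPI (6004).
REQUIRED_PORTS = (6001, 6002, 6004)


def parse_valid_ports(value):
    """Parse 'host:port;host:lo-hi;...' into {host: [(lo, hi), ...]}.

    Hosts are lower-cased, assuming the proxy's comparison is not case sensitive;
    empty entries left by a trailing ';' are ignored; anything else is an error.
    """
    table = {}
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        host, _, ports = entry.rpartition(":")
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", ports)
        if not host or not m:
            raise ValueError("malformed ValidPorts entry: %r" % entry)
        lo = int(m.group(1))
        hi = int(m.group(2) or lo)
        table.setdefault(host.lower(), []).append((lo, hi))
    return table


def allows(table, host, port):
    """True when some entry for this host covers the port."""
    return any(lo <= port <= hi for lo, hi in table.get(host.lower(), ()))


def missing_entries(value, server_names, ports=REQUIRED_PORTS):
    """Return the (name, port) pairs the proxy would refuse to forward."""
    table = parse_valid_ports(value)
    return [(name, port) for name in server_names for port in ports
            if not allows(table, name, port)]


# The ValidPorts string from the question at the top of the thread.
FIRST_VALUE = ("sls-ce10p12:6001-6002;sls-ce10p12.dca2.superb.net:6001-6002;"
               "ryhal.com:6001-6002;sls-ce10p12:6004;sls-ce10p12.dca2.superb.net:6004;"
               "ryhal.com:6004")

# The one from the .reg file posted with the connectivity-test output.
SECOND_VALUE = ("sls-ce10p12:100-5000;sls-ce10p12:6001-6002;sls-ce10p12:6004;"
                "sls-ce10p12.ryhal.com:6001-6002;sls-ce10p12.ryhal.com:6004;"
                "www.ryhal.com:6001-6002;www.ryhal.com:6004;")

# Names the server answered to in the thread: with the hoster's DNS suffix in
# effect, and after it was removed.
WITH_SUFFIX = ["sls-ce10p12", "sls-ce10p12.dca2.superb.net"]
WITHOUT_SUFFIX = ["sls-ce10p12", "sls-ce10p12.ryhal.com"]


if __name__ == "__main__":
    for label, value in (("first", FIRST_VALUE), ("second", SECOND_VALUE)):
        for names in (WITH_SUFFIX, WITHOUT_SUFFIX):
            print(label, names, "missing:", missing_entries(value, names))
```

Run against the two values, the first string covers the server only under its suffixed name and the second only under sls-ce10p12.ryhal.com, which is why the entries and the name the server actually carries have to be settled together rather than by adding more host names to the list.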

Author Comment by: chrisryhal (ID: 24242488)
Ok, this is resolved.  Simon, thanks SOOOOOOOO much for ALL the feedback.  After taking your recommendations, etc, regarding the SSL cert, etc, finally got this going.  Thanks again!