gelmcp
asked on
RPC over HTTP will not work
Just installed Exchange 2003 and applied SP2 on a Windows 2003 Standard server. (Single server setup) I have set this up at least 4 times before and had it work. Got an SSL cert from StartSSL and applied. Can visit OWA over HTTPS without any cert errors, but Outlook just will not work.
To avoid the easy questions, this is what I have done:
Add/Remove Programs - Windows Components - Added RPC over HTTP support
Exchange System Manager - Server properties - RPC-HTTP tab - turned on RPC-HTTP backend server
Requested a cert for my external FQDN (server.mycompany.com) and applied to RPC virtual directory (require SSL and 128bit encrypt)
Removed anonymous access for RPC virt dir and enabled Basic Auth
Made sure server was a Global Catalog server
used RPCnoBackend tool to set registry port settings and verified manually that everything is correct.
Reboot server
Setup clients to use RPC over httpS, server.mydomain.com, basic auth
Won't Connect!!! Please help, been troubleshooting for a week now!
OutlookRPCerror1.JPG
OutlookRPCerror2.JPG
ASKER
Thanks for quick response Ashinpixel.
Used outlook.exe /rpcdiag to test internally. Reverts to TCP/IP for the connection instead of using HTTPS. Read Petri's suggestion (http://www.petri.co.il/testing_rpc_over_http_connection.htm) about how to force to use HTTPS by TCP/IP filtering, but I am Remote Desktoping to the server and sounded like that might kick me out!
Ports are allowed through because OWA works fine over HTTPS.
ASKER
OK, found a registry key that would disable the "RPC TCP FallBack" so that Outlook would only try to connect with HTTPS. (HKCU\Software\Microsoft\Office\11.0\Outlook\RPC - DWORD = DisableRpcTcpFallback, Value = 1)
Once I entered this key (on internal PC) I get the same "Your Microsoft Exchange Server is unavailable." error.
Have you tried running the tests at https://testexchangeconnectivity.com?
ASKER
Excellent tool, I did not know that existed. However, it isn't leading me to a fix yet. It fails on the SSL cert, the hyperlink on how to fix is no help. But the additional details don't look like they mention anything about the cert.(?)
Attempting to Resolve the host name server.companyname.com in DNS.
Host successfully Resolved
Additional Details
IP(s) returned: 24.123.xxx.xxx
Testing TCP Port 443 on host server.companyname.com to ensure it is listening/open.
The port was opened successfully.
Testing SSL Certificate for validity.
The SSL Certificate failed one or more certificate validation checks.
Tell me more about this issue and how to resolve it http://technet.microsoft.com/en-us/library/dd439386.aspx
Additional Details
A network error occurred while communicating with remote host:
Exception Details:
Message: Authentication failed because the remote party has closed the transport stream.
Type: System.IO.IOException
Stack Trace:
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost)
at Microsoft.Exchange.Tools.ExRca.Tests.SSLCertificateTest.PerformTestReally()
Which of your exchange-related virtual directories are set to require SSL?
ASKER
only /Exchange and /Rpc
Can you double check the steps on this page to verify your directories are configured properly? http://blogs.techrepublic.com.com/networking/?p=292&tag=rbxccnbtr1
ASKER
OK, ignore my results from the online test. I had the site stopped at the time of the test. The only thing it doesn't like now is that my cert doesn't go back to a Trusted Authority. I am using StartSSL and have added the root CAs on the server and client.
Double checked my /Rpc directory settings. all good. Attached pics.
ExchAuthSettings.JPG
ExchSSLSettings.JPG
ok, that all looks good. What are your testexchangeconnectivity.com results now that you've gotten the services running?
ASKER
Testing SSL Certificate for validity.
The SSL Certificate failed one or more certificate validation checks.
Test Steps
Validating certificate name
Successfully validated the certificate name
Additional Details
Found hostname server.companyname.com in Certificate Subject Common name
Validating certificate trust
Certificate trust validation failed
Tell me more about this issue and how to resolve it
Additional Details
The certificate chain did not end in a trusted root. Root = CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
ASKER
The other two steps worked fine:
Test Steps
Attempting to Resolve the host name server.companyname.com in DNS.
Host successfully Resolved
Additional Details
IP(s) returned: xxx.xxx.xxx.xxx
Testing TCP Port 443 on host server.comapnyname.com to ensure it is listening/open.
The port was opened successfully.
I'm not familiar with certs from the particular company you purchased from, but I know for GoDaddy at least, when you purchase a cert from them they send you two files--the cert file itself, and an intermediate certificate file. They say in the instructions to install the intermediate certificate file into the "intermediate certificate authorities" store on the server running Exchange prior to installing the cert into IIS.
Did you install your certs in the proper order?
ASKER
Don't recall which one I did first. If I didn't do them in the right order, how do I correct?
probably remove the one that's in IIS, reinstall the intermediate, then reinstall the IIS one.
ASKER
OK, removed the cert from the website, re-imported the root CA cert to Trusted Root Certification Authorities, then re-applied the cert to the website. Still no luck!
Can you try that testexchangeconnectivity.com site again? This time though, check the box that says "ignore trust for SSL". Then report back the results.
ASKER
@esmith69 - I see that option in the ActiveSync test, but the RPCoverHTTP test does not have it.
@demazter - I am going thru Petri's guide right now, step by step...
ASKER
Went through all the setup steps (I've done this at least 10 times now) everything is as it should be.
Using RPCping utility get:
RPCPinging proxy server server.mycompany.com with Echo Request Packet
Sending ping to server
Response from server received: 401
Client is not authorized to ping RPC proxy
Ping failed.
Theories
.NET 2.0 was already installed when I installed Exchange. I've had it keep things from working in SBS. Might try to uninstall Exchange, uninstall 2.0, then reinstall Exchange.(?)
Also went straight from no SP, straight to SP2, should I have installed SP1, then SP2?
Pretty sure SP2 can be installed without first installing SP1. I still think your issue may be related to certificates, but am not sure what else to suggest to resolve that since I know you said you already tried removing the cert completely from IIS and then reinstalling in the correct order.
ASKER
It's working! Unfortunately I did a couple of things in between tests so I am not exactly sure what fixed it. 1. I unchecked the RPC-HTTP Backend Server check box in Exchange System Manager, clicked Apply, then rechecked and hit apply. 2. I was experimenting with not using SSL and had created an AllowAnonymous reg key and set to one. When it didn't work I set to 0, which supposedly would disable it. I decided to delete the key entirely.
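The registry state discussed in this thread (the port settings written with the RPCnoBackend tool and the leftover AllowAnonymous test key) can be audited in one pass after troubleshooting. This is an added example, not part of any poster's reply; the RpcProxy key path, the 6001/6002/6004 port list and the `SERVER` NetBIOS name are assumptions that do not appear in the thread.

```powershell
# Added example, not from the thread; run it on the RPC proxy / Exchange server.
# Assumptions: HKLM\SOFTWARE\Microsoft\Rpc\RpcProxy with its AllowAnonymous and
# ValidPorts values is the standard Windows Server 2003 RPC proxy configuration;
# 6001, 6002 and 6004 are the Exchange 2003 RPC over HTTP ports; $NetBios is a placeholder.
$NetBios = 'SERVER'
$Fqdn    = 'server.mycompany.com'   # external FQDN as written in the thread
$Ports   = 6001, 6002, 6004

function Get-MissingPort {
    param([string]$ValidPorts, [string[]]$Names, [int[]]$Ports)
    # ValidPorts holds ';'-separated "name:port" or "name:low-high" entries.
    $seen = @{}
    foreach ($entry in ($ValidPorts -split ';')) {
        if ($entry.Trim() -notmatch '^([^:]+):(\d+)(?:-(\d+))?$') { continue }
        $name = $Matches[1].ToLower()
        $low  = [int]$Matches[2]
        $high = $low
        if ($Matches[3]) { $high = [int]$Matches[3] }
        foreach ($p in $low..$high) { $seen["${name}:$p"] = $true }
    }
    # Emit every name:port pair the proxy would refuse to forward.
    foreach ($n in $Names) {
        foreach ($p in $Ports) {
            $key = "$($n.ToLower()):$p"
            if (-not $seen.ContainsKey($key)) { $key }
        }
    }
}

$findings = @()
$proxy = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Rpc\RpcProxy' -ErrorAction SilentlyContinue
if (-not $proxy) {
    $findings += 'RpcProxy key not found: is the RPC over HTTP Proxy component installed?'
} else {
    # The thread's asker set this test value to 0 and then deleted it, so it is
    # reported whenever it exists, whatever its value.
    if ($null -ne $proxy.AllowAnonymous) {
        $findings += "AllowAnonymous present (value $($proxy.AllowAnonymous)): delete the value"
    }
    foreach ($m in @(Get-MissingPort -ValidPorts $proxy.ValidPorts -Names $NetBios, $Fqdn -Ports $Ports)) {
        $findings += "ValidPorts has no entry for $m"
    }
}
if ($findings.Count -eq 0) { 'RPC proxy registry settings look consistent.' } else { $findings }
```

An empty findings list only covers the registry side; the /Rpc virtual directory settings (require SSL, Basic auth, no anonymous access) still need to be checked in IIS Manager.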
Excellent well done!
Must have been the petri link :-)
Glad to hear you've made some progress. You may want to recycle the Exchange-related services if possible (or at least the system attendant and IIS) to make sure the changes stick.
External firewall ports allowed through?