Cannot get RPC-HTTP to work.

Hi,

I have set up RPC-HTTP with a self-signed certificate. I know this is not the best way as it is difficult to set up, but I have got to do it this way.
I know my certificate is all right as I can use it with OWA, and ISA is quite happy with it.
We are a really small company and getting money for certificates is not an option.

I have checked and rechecked my settings for RPC against a few different documents from this website and also on the web, and it seems all my settings are correct.

I have spent a couple of weeks now trying to get this working on my own by researching and researching but have not found anything that really helps.

I have run ExBPA on my Exchange server and all is working fine, but I am getting an error for Active Directory (added as an image below).
I have also added my RPCDUMP file to this question so you can see what's happening.

I can get through the ISA firewall and to the DC when connecting as RPC-HTTP, and the DC redirects to the Exchange server and asks for the password, which is when it falls down.

I have tried a few tests that I found on the web to make sure RPC is set up correctly, and apparently it is.

Please help?
Attachments: rpcdump.txt, EXBPA.bmp
PurplePenguin asked:
AkhaterCommented:
You do not need to buy a third-party certificate; install your own internal certificate authority and use it. Do not configure it using self-signed certificates, it is simply not worth it.

On your internal DC install a CA and pick "Enterprise root CA"; that would be a good start.

Are you running Exchange 2007 or 2010?
0
PurplePenguinAuthor Commented:
Right, do I need to reinstall the CA on my server? We have Exchange 2003.
0
AkhaterCommented:
You do not need to reinstall anything; you just need a CA on any computer joined to your AD domain. Do you already have an internal CA?
0
PurplePenguinAuthor Commented:
I am in the process of setting up the Exchange server as a CA. It is OK to have a CA on an Exchange server, isn't it?
0
AkhaterCommented:
Yes, you can have your CA running on Exchange.
Make sure to install an Enterprise root CA.
0
PurplePenguinAuthor Commented:
Right, the Enterprise Root CA is installed. What's next?
0
AkhaterCommented:
Great, you said you are using Exchange 2003, right?

1. Open IIS Manager.
2. Go to Default Web Site.
3. Right-click and select Properties.
4. Click the Directory Security tab.
5. Under Secure communications, click Server Certificate.
6. Select Create a new certificate.
7. You should have an option to send the request directly to your CA.
8. Enter the URL you will be using.
9. Choose a key length of 2048.
10. Complete the info, paying attention to the common name.

0
PurplePenguinAuthor Commented:
Right ho! I will do this and be back soon. ;-)
0
PurplePenguinAuthor Commented:
I have a slight issue: my Exchange server will not speak to AD, and I am thinking this is my problem.
I started to go through the certificate steps and realised this is exactly how I did it before, but my Exchange server has stopped talking to AD and so cannot find any templates. Any ideas why?
0
AkhaterCommented:
What do you mean by your Exchange doesn't speak with AD?

Exchange won't work if it can't communicate with AD.
0
PurplePenguinAuthor Commented:
It's OK now. I got a weird message that Mercutio (the Exchange server) couldn't communicate with AD. I just tried it again and it is now working OK. Sorry for the panic, but I thought I had done something wrong. Be back soon.
0
PurplePenguinAuthor Commented:
Hi,

I can't get my certificate to show up for the SSL listener in ISA 2004. Any ideas?
0
AkhaterCommented:
Sorry, but the ISA is a completely different issue and should be opened in the ISA/TMG section.
0
PurplePenguinAuthor Commented:
No problem, I have posted that part of the issue with ISA. Thanks.
0
PurplePenguinAuthor Commented:
Got to the point now where Outlook keeps trying to connect on RPC but then disconnects. Any ideas?
0
AkhaterCommented:
So the ISA problem is solved? Your certificate showed up there?
0
PurplePenguinAuthor Commented:
Yes, I have.
0
AkhaterCommented:
Please go to https://www.testexchangeconnectivity.com/, run the RPC/HTTP test and post back the results.
0
PurplePenguinAuthor Commented:
Testing RPC/HTTP connectivity
 RPC/HTTP test failed
 Test Steps
 Attempting to resolve the host name home.inex.co.uk in DNS.
 Host successfully resolved
 Additional Details
 IP(s) returned: 213.123.219.40

Testing TCP Port 443 on host home.inex.co.uk to ensure it is listening and open.
 The port was opened successfully.
Testing SSL Certificate for validity.
 The SSL Certificate failed one or more certificate validation checks.
 Test Steps
 Validating certificate name
 Successfully validated the certificate name
 Additional Details
 Found hostname home.inex.co.uk in Certificate Subject Alternative Name entry

Validating certificate trust
 Certificate trust validation failed
 Additional Details
 Certificate chain could not be built. You may be missing required intermediate certificates.
0
AkhaterCommented:
"Certificate chain could not be built. You may be missing required intermediate certificates."

Are you sure you have installed all the intermediate certificates on both ISA and your Exchange?
0
PurplePenguinAuthor Commented:
I'm not sure what it means by that, to be honest. I installed a certificate on both Exchange and ISA!
0
PurplePenguinAuthor Commented:
How many certificates should I have?
0
AkhaterCommented:
OK, where did you get the certificate from?
0
PurplePenguinAuthor Commented:
I created it with my CA on the server.
0
AkhaterCommented:
OK, so you have built your own CA server.

Is it an enterprise root or a standalone root?
0
PurplePenguinAuthor Commented:
Enterprise root. I set up my Exchange server as an enterprise root CA.
0
AkhaterCommented:
OK, is your ISA server joined to your AD domain?
0
PurplePenguinAuthor Commented:
Yes, it is joined to the domain.
0
AkhaterCommented:
Your issue is that your certificate common name is Tempest; it should be home.inex.co.uk.
0
PurplePenguinAuthor Commented:
Sorry for the delay, I have been on holiday. I will try this and let you know if it works.

Thanks
0
AkhaterCommented:
OK, update this thread if you need to.
0
PurplePenguinAuthor Commented:
Hi,

I have created a new certificate, with my DC as the enterprise root CA, for home.inex.co.uk and the subsidiary names also required, and I am still getting "Certificate chain could not be built. You may be missing required intermediate certificates."
I have installed the certificate into Trusted and Personal for the local computer on the Exchange server and also on ISA.
ISA 2004, however, cannot see the new certificate even though it is installed in the correct areas. I have restarted the firewall service and this has not helped at all. Is this the reason I am getting the above error? And why can't I choose it in the SSL listener? This RPC-HTTP is very annoying and confusing and I am getting to my wits' end.
Cheers
0
AkhaterCommented:
OK, let's try to sum up, since I lost track a bit:

1) You have built an enterprise root CA.
2) Your ISA is joined to your domain.
3) You have issued a certificate for home.inex.co.uk from this CA.

So far so good.

Was this certificate installed in the local computer Personal store on ISA and Exchange? (I guess you said yes.)

Make sure it is NOT installed in any other certificate store.
0
PurplePenguinAuthor Commented:
Ah, I did notice it was in the user Personal store as well, and I have to admit I didn't put it there.
I will take another look. Be back soon!
0
PurplePenguinAuthor Commented:
Right, the certificate is only in one place, but I have noticed that ISA cannot see the certificate and so cannot add it to the listener. I restarted the services but this has not helped, so I need to reboot the server to see if that will help. I can't do that till later this afternoon as I have several people on VPN at the moment and they wouldn't thank me.
I will let you know what happens once I have been able to reboot the server.
0
AkhaterCommented:
You should NOT have to restart the server!

If you go to the local computer Personal store and you see the certificate, double-click on it. Can you see "You have the private key..."? Go to the last tab: do you have "This certificate is OK"?

0
PurplePenguinAuthor Commented:
Yes, I am getting "This certificate is OK" but cannot see anything that says I have the private key, so I guess that is part of the problem then.
0
AkhaterCommented:
If you are on the first tab, in the lower portion you should see "You have the private key for this certificate"; if not, then that's your error.

Go to your Exchange server's local computer Personal store and export the certificate again, making sure to export the private key too.

0
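The two checks Akhater asks for above (is the certificate in the local computer Personal store, and does the machine hold its private key) plus the chain-build failure reported by the connectivity tester can all be scripted rather than clicked through. The following PowerShell is an added example, not code from the thread; it assumes the certificate was issued to home.inex.co.uk (the only name the thread gives) and that the enterprise root has been published to LocalMachine\Root on the machine it runs on. Note that an external tester such as testexchangeconnectivity.com will never have a private enterprise root in its own trust store, so its "certificate trust validation failed" result is expected for any internal-CA certificate regardless of what this script reports locally.

```powershell
# Added diagnostic script, not from the thread. Run it in an elevated PowerShell
# session on the Exchange server and again on the ISA server. It assumes the
# certificate was issued to home.inex.co.uk (from the thread) and that the
# enterprise root has been published to LocalMachine\Root on both machines.
$hostname = 'home.inex.co.uk'

function Get-SanDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # OID 2.5.29.17 is Subject Alternative Name; Format($true) renders one
    # "DNS Name=<host>" entry per line, which is easier to parse than the raw bytes.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return @() }
    $ext.Format($true) -split "`r?`n" | ForEach-Object {
        if ($_ -match 'DNS Name=(.+)$') { $Matches[1].Trim() }
    }
}

# 1. The certificate must live in LocalMachine\My: that is the store the IIS
#    wizard and the ISA SSL listener enumerate. A copy in CurrentUser\My is invisible to them.
$cert = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Subject -like "CN=$hostname*" -or ((Get-SanDnsNames $_) -contains $hostname)
})
if ($cert.Count -eq 0) { throw "No certificate for $hostname in LocalMachine\My" }
$cert = $cert[0]

"Subject       : $($cert.Subject)"
"SAN DNS names : $((Get-SanDnsNames $cert) -join ', ')"
"Issuer        : $($cert.Issuer)"
"HasPrivateKey : $($cert.HasPrivateKey)"   # must be True on the box that terminates SSL

# 2. Build the chain the way SChannel will, against this machine's own Root and
#    Intermediate stores. Revocation is disabled on this pass so that a CRL that
#    cannot be fetched is not confused with a missing issuer certificate.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if ($chain.Build($cert)) {
    'Chain OK: ' + (($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- ')
} else {
    $chain.ChainStatus | ForEach-Object { "Chain error: $($_.Status) $($_.StatusInformation)" }
}

# 3. Stray copies in other stores usually mean an import landed in the wrong place.
#    A leaf certificate sitting in a Root store is never correct.
foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $cert.Thumbprint } |
        ForEach-Object { Write-Warning "Copy of $($cert.Thumbprint) also found in $store" }
}
```

If HasPrivateKey is False on the ISA server, the certificate was exported or imported without its key and the listener will not offer it, which is exactly the symptom in this thread. If the chain fails with "NotTimeValid", "PartialChain" or "UntrustedRoot", fix the Root/Intermediate stores first; only then re-run with RevocationMode set to Online to find out whether the CA's CRL is reachable from that machine.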
PurplePenguinAuthor Commented:
In fact it does not appear to want to let me export the private key, as it is only giving me the option not to export it.
0
PurplePenguinAuthor Commented:
Please see image. Why is this happening? So close but no cigar.
Attachment: private-key.bmp
0
AkhaterCommented:
Then when you created your certificate you didn't mark the private key as exportable.

Just generate another certificate for ISA with the same names.
0
PurplePenguinAuthor Commented:
I have just gone to create another certificate and chose Web Server, and it will not allow me to check the box for "Mark keys as exportable".
It's greyed out.
Arggggggggh!
0
AkhaterCommented:
No problem, generate a new one just for Exchange.
0
PurplePenguinAuthor Commented:
Which template do I use?
0
AkhaterCommented:
I mean just for ISA.
0
AkhaterCommented:
Web Server template, just the same as you did before. Just do it again from ISA.

You are doing it from the ISA server, right?
0
PurplePenguinAuthor Commented:
Can I do a certificate from the ISA server, as the CA is only installed on my Exchange server/DC?
0
PurplePenguinAuthor Commented:
IIS is not on the ISA server either.
0
AkhaterCommented:
From the ISA server go to http://exchangeserver/certsrv and issue the Web Server template request.
0
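The IIS wizard steps earlier in the thread, the advice that the common name must be home.inex.co.uk, and the certsrv web-enrollment request just above all aim at the same artefact: a Web Server certificate whose subject is the public name and whose private key is generated on the machine that will terminate SSL. As an added example (not from the thread, and not Akhater's instructions), here is the same request made from the ISA server with certreq, which is one way to get at the "exportable" flag that the web enrollment page greyed out. The CA configuration string MERCUTIO\inex-CA, the internal name mercutio.inex.local and the PFX password are assumptions; only home.inex.co.uk comes from the thread. The [Extensions] syntax shown needs the certreq shipped with Windows Vista/Server 2008 or later, and the account running it needs Enroll permission on the Web Server template.

```powershell
# Added example, not from the thread: request the listener certificate directly on
# the ISA server with certreq, so the private key is generated (and marked exportable)
# on the machine that needs it. Assumed values: the CA config string "MERCUTIO\inex-CA",
# the internal name mercutio.inex.local and the PFX password; only home.inex.co.uk
# comes from the thread. Run in an elevated session as a user allowed to enrol.
$inf = @"
[NewRequest]
Subject = "CN=home.inex.co.uk"
KeyLength = 2048
; AT_KEYEXCHANGE: the key type SChannel needs for SSL
KeySpec = 1
; digitalSignature + keyEncipherment
KeyUsage = 0xA0
; the box that web enrollment greyed out
Exportable = TRUE
; LocalMachine\My, the store the ISA listener and IIS read
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = WebServer

[Extensions]
; Put the SANs inside the CSR. Do NOT enable EDITF_ATTRIBUTESUBJECTALTNAME2 on the
; CA to get SANs: that flag lets any enrollee ask for any name, including the DC's.
2.5.29.17 = "{text}"
_continue_ = "dns=home.inex.co.uk&"
_continue_ = "dns=mercutio.inex.local"
"@
Set-Content -Path listener.inf -Value $inf -Encoding ASCII

certreq -new listener.inf listener.req                              # key pair + CSR
certreq -submit -config "MERCUTIO\inex-CA" listener.req listener.cer  # enterprise CA issues it
certreq -accept listener.cer     # binds the issued cert to its key in LocalMachine\My

# If the same certificate must also sit on the Exchange server, move it as a PFX with
# the private key rather than enrolling a second, different certificate for that name.
certutil -p "ChangeMe" -exportPFX My home.inex.co.uk listener.pfx
# On the other machine (copy the PFX over a trusted channel, then delete it):
# certutil -p "ChangeMe" -importPFX listener.pfx
```

After `certreq -accept`, the certificate in LocalMachine\My shows "You have a private key that corresponds to this certificate" and the ISA listener can select it without a reboot. The reason for keeping SANs in the CSR rather than in a request attribute is worth stressing: an enterprise CA with EDITF_ATTRIBUTESUBJECTALTNAME2 set will happily issue a certificate with a domain controller's name to any user who can enrol for any template, which is a full domain compromise waiting to happen.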
PurplePenguinAuthor Commented:
Will all the info be the same as on the one I did from Exchange? Sorry to ask so many questions, but I want to get this right.
0
AkhaterCommented:
Yes, put the same info you used for Exchange.
0
PurplePenguinAuthor Commented:
OK, and that will not cock up the certificate that is on the Exchange server? It will only add it to the ISA server?
0
PurplePenguinAuthor Commented:
Right, did that. Got the new certificate on the ISA server, and the listener can see it and it is selected.

When I just tested it, it keeps asking for my password and will not connect, as it will not accept my password.

Any ideas?
0
AkhaterCommented:
lol, we are still a long way from finishing RPC/HTTP :) We have just done the certificate part so far.

How many Exchange servers do you have?
0
PurplePenguinAuthor Commented:
Just the one at the moment. It will be two in the near future.
0
PurplePenguinAuthor Commented:
Right, I have closely followed the instructions and I am getting the same info as in the document.
It says there I need to reboot the server once RPC is configured, so I will do that at the end of play today as the Exchange server is also the DC.
I will let you know Monday if it is now working, unless there is anything else I need to do.
0
PurplePenguinAuthor Commented:
Hi,

Tested RPC this morning and it is still constantly asking for my password.

Any ideas why?
0
PurplePenguinAuthor Commented:
Hi,

Any ideas why I still cannot get this to work?

Cheers
0
AkhaterCommented:
Did you follow the blog I gave you?

Go to https://www.testexchangeconnectivity.com/ and do the RPC test. What are the errors?
0
PurplePenguinAuthor Commented:
I followed the blog you sent me very carefully and double-checked I had done all the right things.

I am still getting that it cannot complete the certificate chain, so I went to the certsrv web page on my server, downloaded the certificate chain and installed that as well, and still it does not work.
0
PurplePenguinAuthor Commented:
Closing question as I have now found out what the problem is. The KDC certificate had become invalid and so the chain status was in error; not sure why this happened, but it appears to be the solution. RPC is now working on Basic and the password errors have gone too. All appears to be fine now. Thanks for all your help.
We have moved offices since I posted this, and we have been able to rectify many issues we had at the other office now that we are in a better environment.
0