RPC over HTTPS not working anymore (Credentials never get accepted)

Hey guys,

I'm having issues with RPC over HTTPS...

Server side: Windows Server 2003 with Exchange Server 2007 (all on latest SPs)

Client side: Windows XP with Outlook 2007 (all on latest SPs)

When I test via: https://exchservername/rpc (internally) I get prompted for user credentials, but it never stops asking for creds and never lets me in.

Remote users used to get email this way, without having to use VPN. Now, they don't seem to be able to.

What can I check to get this working again?

The RPC over HTTPS settings are correct in the Outlook client. It seems that IF I set up outlook while internal, all the RPC settings get added to Outlook just fine, then a user can travel, and they CAN connect once prompted for their Basic Authentication creds. But now when trying to set up a remote user, not via VPN nor on the domain, they just get prompted over and over for their creds...
OdyChris Asked:
 
MegaNuk3 Commented:
Change the Outlook authentication to NTLM
 
MegaNuk3 Commented:
In the Mail dialog box, click your Outlook profile, and then click Properties.
Click E-mail Accounts, and then click Change.
In the Change E-mail Account dialog box, click More Settings.
In the Microsoft Exchange dialog box, click the Security tab.
In the Logon network security list, click Password Authentication (NTLM), and then click OK.
Click Next, click Finish, and then click Close two times
 
MegaNuk3 Commented:
How long is the delay between each prompt for credentials? Is it instant?
 
OdyChris (Author) Commented:
I'll try that ASAP, thanks...

Yes, the delay is instant.
 
Bikkelbink Commented:
The authentication on the website should be Basic.
Maybe the directory permissions have changed? Users should have read & execute permissions
 
OdyChris (Author) Commented:
I think it has something to do with the autodiscover service possibly? Since I'm failing on the testexchangeconnectivity.com website.

Attempting to test Autodiscover for user@domain.com
       Testing Autodiscover failed

Attempting each method of contacting the AutoDiscover Service
       Failed to contact the AutoDiscover service successfully by any method

Attempting to test potential AutoDiscover URL https://autodiscover.domain.com/AutoDiscover/AutoDiscover.xml
       Failed testing this potential AutoDiscover URL
             Test Steps
             Attempting to resolve the host name autodiscover.odysseylogistics.com in DNS.
       The Host could not be resolved.

:(

I don't know where or why this stopped working... laptop users who use Outlook from the office then continue using it at home remotely, don't have this problem, wouldn't both cases use the same DNS and autodiscover?
 
MegaNuk3 Commented:
Try the Outlook Anywhere test and then use manual server settings
 
MegaNuk3 Commented:
Make sure you can hit OWA too from external with no certificate warnings or issues. If you cannot connect to OWA without certificate warnings/issues then RPC/HTTPs is not going to work at all for that machine
 
OdyChris (Author) Commented:
OWA works fine externally, no certificate errors...
 
MegaNuk3 Commented:
OK, good.

Did you try the "outlook anywhere" test on testexchangeconnectivity.com with manual server settings?
 
OdyChris (Author) Commented:
Outlook Anywhere (RPC over HTTP)  Test:

Testing RPC/HTTP connectivity
  RPC/HTTP test failed
   Test Steps
   Attempting to resolve the host name mail.domain.com in DNS.
  Host successfully resolved
   Additional Details
  IP(s) returned: xxx.xxx.xxx.xxx  
 
 Testing TCP Port 443 on host mail.domain.com to ensure it is listening and open.
  The port was opened successfully.
 Testing SSL Certificate for validity.
  The certificate passed all validation requirements.
   Test Steps
   Validating certificate name
  Successfully validated the certificate name
   Additional Details
  Found hostname mail.domain.com in Certificate Subject Common name  
 
 Validating certificate trust
  Certificate is trusted and all certificates are present in chain
   Additional Details
  The Certificate chain has be validated up to a trusted root. Root = OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US  
 
 Testing certificate date to ensure validity
  Date Validation passed. The certificate is not expired.
   Additional Details
  Certificate is valid: NotBefore = 4/11/2008 12:00:00 AM, NotAfter = 4/11/2010 11:59:59 PM"  
 
 
 
 Testing Http Authentication Methods for URL https://mail.domain.com/rpc/rpcproxy.dll 
  Http Authentication Test failed
   Tell me more about this issue and how to resolve it
   Additional Details
  Did not find all required authentication methods
Methods Found: Basic
Methods Required: NTLM
 
 
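The "Methods Found: Basic / Methods Required: NTLM" result in the test output above is a comparison between the schemes in the server's 401 challenge and the scheme the client is set to use. As an added example (not part of the original thread; the sample responses and function names are constructed for illustration), a small Python check that performs the same comparison on a raw HTTP response:

```python
import re

# Constructed sample: a 401 as a Basic-only /rpc virtual directory would send.
SAMPLE_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Content-Length: 1656\r\n"
    'WWW-Authenticate: Basic realm="mail.domain.com"\r\n'
    "\r\n"
)
# Constructed sample: several challenges packed into one header line.
SAMPLE_401_BOTH = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Negotiate, NTLM, Basic realm="a, b"\r\n'
    "\r\n"
)

def offered_schemes(raw_response):
    """Return the auth schemes (lowercased) challenged in a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    schemes = set()
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() != "www-authenticate":
            continue
        # Split on commas that are not inside a quoted string.
        for part in re.split(r',(?=(?:[^"]*"[^"]*")*[^"]*$)', value):
            words = part.split()
            # key=value parts are parameters of the previous challenge,
            # not the start of a new scheme.
            if words and "=" not in words[0]:
                schemes.add(words[0].lower())
    return schemes

def diagnose(raw_response, client_method):
    """Compare the client's proxy authentication setting with the server's offer."""
    offered = offered_schemes(raw_response)
    if client_method.lower() in offered:
        return "ok: server offers %s" % client_method
    return "mismatch: client uses %s, server offers only %s" % (
        client_method, ", ".join(sorted(offered)) or "nothing")

if __name__ == "__main__":
    print(diagnose(SAMPLE_401, "NTLM"))       # client set to NTLM, server Basic-only
    print(diagnose(SAMPLE_401, "Basic"))
    print(diagnose(SAMPLE_401_BOTH, "NTLM"))
```

A mismatch here only explains a failed authentication test; a 401 returned after the matching scheme is used points at the credentials or the directory permissions instead.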
 
OdyChris (Author) Commented:
Same test with basic authentication checked:

Attempting to Ping RPC Proxy mail.domain.com
  Cannot ping RPC Proxy
   Additional Details
  A Web Exception occurred because an HTTP 401 - Unauthorized response was received from Unknown  
 
 
OdyChris (Author) Commented:
When going to

https://mail.domain.com/Autodiscover/Autodiscover.xml

I do get prompted for my password, then it instantly goes to "600 Invalid Request"
 
MegaNuk3 Commented:
If you hit  https://mail.domain.com/rpc/rpcproxy.dll  from internal does it ask for credentials and then show you a blank page after accepting those credentials?
 
OdyChris (Author) Commented:
Internally, https://mail.domain.com/rpc/rpcproxy.dll there's no page found in IE8.

I just tried the following also;
[PS] C:\>Test-OutlookWebServices -identity username | format-list

Id      : 1003
Type    : Information
Message : About to test AutoDiscover with the e-mail address username@domain.com.

Id      : 1006
Type    : Information
Message : The Autodiscover service was contacted at https://mail.domain.com/autodiscover/autodiscover.xml.

Id      : 1016
Type    : Success
Message : [EXCH]-Successfully contacted the AS service at https://mail.domain.com/ews/exchange.asmx. The elapsed time was 140 milliseconds
          .

Id      : 1015
Type    : Success
Message : [EXCH]-Successfully contacted the OAB service at https://mail.domain.com/ews/exchange.asmx. The elapsed time was 0 milliseconds.

Id      : 1014
Type    : Success
Message : [EXCH]-Successfully contacted the UM service at https://mail.domain.com/unifiedmessaging/service.asmx. The elapsed time was 0 milliseconds.

Id      : 1017
Type    : Success
Message : [EXPR]-Successfully contacted the RPC/HTTP service at https://mail.domain.com/Rpc. The elapsed time was 0 milliseconds.

Id      : 1006
Type    : Success
Message : The Autodiscover service was tested successfully.

 
MegaNuk3 Commented:
Apparently error "600 Invalid request" on the autodiscover.xml is normal and proves that it is working as it should be.
 
OdyChris (Author) Commented:
Okay... I keep digging... :)

Looking at external DNS

Autodiscover doesn't have an A Record... (no autodiscover.domain.com)

This needs to be present right? and pointing at the same IP as mail.domain.com?

Could that be the issue?
 
MegaNuk3 Commented:
As per this http://support.microsoft.com/kb/940881
Outlook will try https://yourmaildomain.com/Autodiscover/Autodiscover.xml and if that fails it will then try
https://autodiscover.contoso.com/Autodiscover/Autodiscover.xml 

So adding an A record for Autodiscover in your domain should help and will probably make the "auto discover" test on testexchangeconnectivity.com work, but I don't think it will make RPC over HTTPs work.
 
MegaNuk3 Commented:
I take it that you have autodiscover.yourmaildomain.com listed in the certificate?
 
OdyChris (Author) Commented:
You're exactly correct... it did fix that part, but RPC over HTTPS still won't work. :(

So back to square one?

I am not able to log in with NTLM either.  
 
MegaNuk3 Commented:
By the way, by default the Authentication on the /RPC virtual directory is basic + integrated by default.

Try Get-OutlookAnywhere | fl  and you will probably see that it lists ExternalAuthenticationMethod as Basic
 
MegaNuk3 Commented:
Also in Outlook 2007 have you tried setting the Exchange proxy authentication settings to Basic, not NTLM. Loads of people have issues with NTLM and Outlook Anywhere (RPC over HTTPs) not working, but Basic does. It's all encrypted over SSL, so don't worry.
 
MegaNuk3 Commented:
In the Mail dialog box, click your Outlook profile, and then click Properties.
Click E-mail Accounts, and then click Change.
In the Change E-mail Account dialog box, click More Settings.
In the Microsoft Exchange dialog box, click the Connection tab.
Click Exchange proxy settings button
In the proxy authentication settings list, click Basic Authentication, and then click OK.OK
Click Next, click Finish, and then click Close two times
 
OdyChris (Author) Commented:
I don't know if this is of any use, since I edited it for privacy... :(

[PS] C:\>Get-OutlookAnywhere | fl

ServerName                 : EXCHG
SSLOffloading              : False
ExternalHostname           : mail.domain.com
ClientAuthenticationMethod : Basic
IISAuthenticationMethods   : {Basic}
MetabasePath               : IIS://exchg.domain.com/W3SVC/1/ROOT/Rpc
Path                       : C:\WINDOWS\System32\RpcProxy
Server                     : EXCHG
AdminDisplayName           :
ExchangeVersion            : 0.1 (8.0.535.0)
Name                       : Rpc (Default Web Site)
DistinguishedName          : CN=Rpc (Default Web Site),CN=HTTP,CN=Protocols,CN=EXCHG,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Company,CN=MicrosoftExchange,CN=Services,CN=Configuration,DC=domain,DC=com
Identity                   : EXCHG\Rpc (Default Web Site)
Guid                       : 85619276-9246-4d01-b37f-177e3b6793f6
ObjectCategory             : domain.com/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
ObjectClass                : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
WhenChanged                : 4/12/2008 5:43:47 PM
WhenCreated                : 4/8/2008 11:38:21 AM
OriginatingServer          : server.domain.com
IsValid                    : True

I've made the change to BASIC Authentication in Outlook too: it is prompting for credentials, yet they just won't take. I've reset the user password to make sure.

Also, it reverts back to the window where you have to enter the servername and mailbox name, with the check name button to search for the mailbox. Which it never resolves the mailbox.

Then:
Microsoft Office Outlook
The action can not be completed. The connection to Microsoft Exchange is unavailable. Outlook must be online or connected to complete this action.
 
MegaNuk3 Commented:
Try configuring one without cached mode on and with basic

when it prompts is it a two box prompt (username and password) or a 3 box prompt (domain, username and password)

If it is a 2 box prompt are you entering the username as DOMAIN\username? if not try it. If so, try the UPN instead like me@mydomain.com (the "User logon name" from the ADUC Account tab)
 
OdyChris (Author) Commented:
okay, turned off cached mode... and set it to basic authentication...

Prompts once for username/password: using DOMAIN\username and password...

Result:

Outlook cannot log on. Verify you are connected to the network and are using the proper server and mailbox name. The connection to Microsoft Exchange is unavailable. Outlook must be online or connected to complete this action.
 
OdyChris (Author) Commented:
Same message when using username@domain.com with network password.
 
OdyChris (Author) Commented:
sorry, and it is a two box prompt.
 
MegaNuk3 Commented:
Have you done any testing with RPCPing?
 
OdyChris (Author) Commented:
Negative.
 
MegaNuk3 Commented:
So let me get this right. If you set up a client on the LAN it works (with autodiscover and manual settings)
you then take that client onto the internet and it continues to work.

If you try and set up a client from the internet using autodiscover or manual server settings it doesn't work?
 
OdyChris (Author) Commented:
Yes, that's correct...

What gets me is that users that have had it set up inside the office, they can connect via the Internet, I guess that shows that the firewall's not blocking the ports...

It's basically setting up users for the first time from the Internet that's the issue. Also, it's getting to the point where it's prompting for credentials...

 
MegaNuk3 Commented:
Hmmm, have a look in the IIS logs for your IP address and see what it is logging vs. one that is working.
 
MegaNuk3 Commented:
Another thing for you to try is when you enter your username do:
internal domain FQDN\username

so if your internal domain is BOYTOYS (Netbios) and boytoys.local (FQDN) then do:
boytoys.local\username  and NOT boytoys\username

I will be interested to see if any of the above work because it beats looking at the IIS logs...
 
MegaNuk3 Commented:
I just tried logging on as boystoys.local\username from an Outlook 2007 RPC/HTTPs client and it works.
 
OdyChris (Author) Commented:
Hey, I ran that fix on the computer, and it's working!!!!!
 
OdyChris (Author) Commented:
Applied that fix you sent me, then when prompted, username@domain.com, and voilà!

So to recap... Running Outlook 2007, Basic Authentication, Cached Mode on...

I'll just need to log onto another external user's computer and double check he can get it going now also...

WOW... Don't know how or what fixed it... was it this fix, or the addition of the public A record created yesterday or a combination.
 
MegaNuk3 Commented:
which fix? DefConnectOps (Q913843)?

just to confirm, you did username@domain.com and not domain.com\username?
 
OdyChris (Author) Commented:
I ran the fix you mentioned:

http://support.microsoft.com/kb/913843/en-us

and I did username@domain.com
 
MegaNuk3 Commented:
OK, thanks.

Fingers crossed for the rest of your Outlook 2007 machines and then hopefully I will get some points ;-)
 
OdyChris (Author) Commented:
Oh you'll get them...
 
OdyChris (Author) Commented:
I think this was a combination of external autodiscover.domain.com, switching to basic authentication, making sure I was in Cached mode, and running the MS fix mentioned.

Thanks for staying with me on this one MegaNuk3. Awesome work!
 
MegaNuk3 Commented:
Thanks for the points, glad we got there in the end...