Solved

Need help to deploy RPC/HTTPS for exchange 2003 SP2 with 2 DC with GCs.

Posted on 2010-08-17
13
1,011 Views
Last Modified: 2012-05-10
Hi all


I am trying to configure RPC over HTTPS.
Here is my setup:
2 domain controllers with GC (Windows 2003 Server SP2)
1 Exchange Server 2003 SP2 (Windows 2003 Server SP2)

I have installed the RPC over HTTP component on my Exchange server and enabled the RPC-HTTP back-end topology.
IIS authentication is Basic on both the RPC and RPCWithCert directories and SSL is enabled. I have a valid certificate
from the local root CA on DC1 with common name (Exchange NetBIOS name of the server).
From outside I have a valid certificate from GeoTrust (CN=mail.domain.com) which is installed on my Squid proxy server. All my HTTPS traffic is forwarded to my Squid server from the DMZ, so users from outside connect to the Squid server, get the valid
SSL certificate from GeoTrust, and Squid redirects to the Exchange server on the internal LAN (Squid does NOT verify the local certificate
on Exchange).

Exchange valid ports are:
rpccfg /hd

exchange            593 6001-6002 6004
exchange NetBIOS    593 6001-6002 6004
exchange (FQDN)     593 6001-6002 6004

All the default registry entries are correct on the Exchange server.

Do I need the "NSPI interface protocol sequences" entry on my DC or not,
since I am using Exchange 2003 with SP2?

Here is my troubleshooting result.

Telnet to the Exchange server from within the LAN:
On port 6001 it opens the port but a strange number appears, 000395691638, and when you press Enter the connection to the host is lost.
On port 6002 it opens the port with ncacn_http/1.0.
On port 6004 it opens the port with ncacn_http/1.0.

When I connect from outside with Outlook, Outlook establishes the connection over HTTPS for the directory but cannot connect
to the mail information store, and as a result Outlook shows disconnected.

I think the problem is somewhere in the registry or something I am missing.


Can someone provide me the solution for this issue?

Best Regards.

Adil Syed

E-Mail    adil.syed@holborn.com.cy
Question by:expuser2008
13 Comments
 
LVL 9

Expert Comment

by:v_9mhdrf
ID: 33471800
Please add the registry entry "NSPI interface protocol sequences",
and also make sure that you have that registry entry on both GCs.

While configuring the Outlook client, please select these options:
Enter the external link which we use to access OWA externally.
Select Basic Authentication and also select both the slow and fast network options in the Exchange proxy settings.

Please check the above settings and revert if you have any issues.
0
 

Author Comment

by:expuser2008
ID: 33472360
As you mentioned, I added "NSPI interface protocol sequences" on both GCs.
Outlook is configured as you mentioned, and I have the same result.
Telnet to the Exchange server on 6001 gives me this: ¿¿  000786010947
Telnet to the Exchange server on 6002 gives me ncacn_http/1.0
Telnet to the Exchange server on 6004 gives me ncacn_http/1.0
That means I cannot connect to the information store on port 6001.
Please provide me more help on the (valid port) entries on Exchange for RPC.


0
 
LVL 9

Expert Comment

by:v_9mhdrf
ID: 33472373
Please have the valid entries as mentioned below:

Exchangenetbios:6001-6002;exchangefqdn(i.e. hostname.domain.local):6001-6002;Exchangenetbios:6004;exchangefqdn(i.e. hostname.domain.local):6004;

Please try this; we don't require 593 as it is used only when we have an SBS server in the environment.
Please enter the exact entries as mentioned above and make sure you have a semicolon at the end of the entries.

Try this and revert back!
0
 

Author Comment

by:expuser2008
ID: 33472630
Sorry for the delay,
and thanks for your quick response. I tried the above registry entries.
If I put a semicolon at the end it gives me a syntax error:
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Program Files\Windows Resource Kits\Tools>rpccfg /hd
Error: Expected ':' in string ''.
The command did not complete successfully.

C:\Program Files\Windows Resource Kits\Tools>

Without the semicolon I got the entries.

But still the same problem. I cannot telnet to port 6001.

Waiting for your response.
Regards.
0
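The ValidPorts entries suggested above and the "Expected ':' in string ''" error that the trailing semicolon produced are both consequences of the same thing: the value is split on ';', so a trailing ';' leaves an empty final entry with no ':' in it. The checker below is an added example, not part of the thread or of rpccfg; it mimics that parse, reproduces the visible error text for the empty entry, and then reports which host:port pairs a value fails to cover. The sample string and the host names (exchange, exchange.domain.local, dc1) are constructed placeholders; checking GC hosts on 6004 is shown as an extra capability, not something the thread settled on.

```python
import re

# host:port or host:port-port, the shape of the entries quoted in the thread
ENTRY_RE = re.compile(r"^([A-Za-z0-9._-]+):(\d{1,5})(?:-(\d{1,5}))?$")

# Constructed value in the form the expert suggested (placeholder host names).
GOOD_VALIDPORTS = ("exchange:6001-6002;exchange.domain.local:6001-6002;"
                   "exchange:6004;exchange.domain.local:6004")


def parse_valid_ports(value):
    """Split a ValidPorts string into (host, low_port, high_port) triples.

    Entries are ';'-separated, so a trailing ';' yields an empty last entry,
    which is exactly the "Expected ':' in string ''" failure quoted above.
    """
    entries = []
    for raw in value.split(";"):
        if ":" not in raw:
            raise ValueError("Expected ':' in string %r." % raw)
        match = ENTRY_RE.match(raw.strip())
        if not match:
            raise ValueError("Malformed entry %r." % raw)
        host, low = match.group(1).lower(), int(match.group(2))
        high = int(match.group(3)) if match.group(3) else low
        if not 1 <= low <= high <= 65535:
            raise ValueError("Bad port range in %r." % raw)
        entries.append((host, low, high))
    return entries


def validation_error(value):
    """Return the parser's error text, or None when the string is well-formed."""
    try:
        parse_valid_ports(value)
    except ValueError as exc:
        return str(exc)
    return None


def missing_entries(value, hosts, ports):
    """List (host, port) pairs that no entry in `value` covers (names compared case-insensitively)."""
    entries = parse_valid_ports(value)
    missing = []
    for host in hosts:
        for port in ports:
            covered = any(h == host.lower() and low <= port <= high
                          for h, low, high in entries)
            if not covered:
                missing.append((host, port))
    return missing


if __name__ == "__main__":
    # Paste the real value from the rpccfg /hd or registry output in place of GOOD_VALIDPORTS.
    print(missing_entries(GOOD_VALIDPORTS, ["exchange", "exchange.domain.local"], [6001, 6002, 6004]))
    print(missing_entries(GOOD_VALIDPORTS, ["dc1", "dc1.domain.local"], [6004]))
    print(validation_error(GOOD_VALIDPORTS + ";"))
```

Both the NetBIOS name and the FQDN have to be listed because the RPC proxy matches whichever name Outlook was given, and a value can be syntactically valid while still leaving one of them uncovered.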
 
LVL 9

Expert Comment

by:v_9mhdrf
ID: 33472834
Please try the RPC over HTTPS connectivity test at testexchangeconnectivity.com and paste the error message here, so that we get more detailed information about the issue.
0
 
LVL 9

Expert Comment

by:v_9mhdrf
ID: 33472840
And sorry, it's not this colon ":", it's this ";".
And also please run netstat -ano to check which PID is using port 6001.
Please try that and revert back with the status.
0
 
LVL 9

Expert Comment

by:v_9mhdrf
ID: 33472900
Probably port 6001 is being used by some other service instead of store.exe.
Please run netstat -ano and check which process port 6001 is listening on.

Try that and revert back if you have any issues.
0
 

Author Comment

by:expuser2008
ID: 33473978
Below is the connectivity test result from an external PC.

ExRCA is testing RPC/HTTP connectivity.
 The RPC/HTTP test failed.
 Test Steps
 Attempting to resolve the host name mail.holborn.com.cy in DNS.
 Host successfully resolved
 Additional Details
 IP(s) returned: 212.31.109.14

Testing TCP Port 443 on host mail.holborn.com.cy to ensure it is listening and open.
 The port was opened successfully.
ExRCA is testing the SSL certificate to make sure it's valid.
 The certificate passed all validation requirements.
 Test Steps
 The certificate name is being validated.
 Successfully validated the certificate name
 Additional Details
 Found hostname mail.holborn.com.cy in Certificate Subject Common name

Certificate trust is being validated.
 The test passed with some warnings encountered. Please expand the additional details.
 Additional Details
 Only able to build certificate chain when using the Root Certificate Update functionality from Windows Update. Your server may not be properly configured to send down the required intermediate certificates to complete the chain. Consult the certificate installation instructions or FAQ's from your Certificate Authority for more information.

The certificate date is being confirmed to ensure the certificate is valid.
 Date validation passed. The certificate hasn't expired.
 Additional Details
 Certificate is valid: NotBefore = 8/8/2010 3:23:12 AM, NotAfter = 9/9/2010 7:18:05 AM



The IIS configuration is being checked for client certificate authentication.
 Client certificate authentication wasn't detected.
 Additional Details
 Accept/Require Client Certificates not configured.

Testing Http Authentication Methods for URL https://mail.holborn.com.cy/rpc/rpcproxy.dll
 The HTTP authentication methods are correct.
 Additional Details
 Found all expected authentication methods and no disallowed methods. Methods Found: Basic

SSL mutual authentication with the RPC proxy server is being tested.
 Mutual authentication was verified successfully.
 Additional Details
 Certificate common name mail.holborn.com.cy matches msstd:mail.holborn.com.cy

Attempting to Ping RPC Proxy mail.holborn.com.cy
 RPC Proxy was pinged successfully.
 Additional Details
 Completed with HTTP status 200 - OK

Attempting to ping RPC Endpoint 6001 (Exchange Information Store) on server hemexch1.holborncy.local
 The attempt to ping the endpoint failed.
 Additional Details
 RPC_S_SERVER_UNAVAILABLE error (0x6ba) was thrown by the RPC Runtime


Below is the netstat -a -o result:

Proto  Local Address          Foreign Address          State           PID
TCP    exchange:6001          exchange.domain.local:0  LISTENING       2068
TCP    exchange:6002          exchange.domain.local:0  LISTENING       2980
TCP    exchange:6004          exchange.domain.local:0  LISTENING       2980

TCP    exchange:6001          mail.domain.com:2290     CLOSE_WAIT      2068
TCP    exchange:6001          mail.domain.com:2292     CLOSE_WAIT      2068
TCP    exchange:6001          mail.domain.com:2306     CLOSE_WAIT      2068
TCP    exchange:6001          mail.domain.com:2324     CLOSE_WAIT      2068
TCP    exchange:6001          mail.domain.com:2331     CLOSE_WAIT      2068
TCP    exchange:6001          mail.domain.com:2347     CLOSE_WAIT      2068

Regards.
Adil
0
 
LVL 9

Expert Comment

by:v_9mhdrf
ID: 33481875
Did you check which process is using port 6001?
exchange:6001          exchange.domain.local:0  LISTENING       2068

Please check 2068 in Task Manager (add the PID column) and see which service is behind that process; 6001 might be used by some other process.

Please try that and revert back!

Thanks!
0
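The check asked for above (which PID owns the 6001 listener, and is it store.exe) can be done from saved netstat -ano and tasklist output instead of by eye in Task Manager. This is an added example, not code from the thread. The expected owners (store.exe on 6001, the System Attendant mad.exe on 6002 and 6004) are my expectation for Exchange 2003, not something the thread states; both sample outputs are constructed, and SomeAgent.exe stands in for the unnamed client application that turned out to be squatting on 6001.

```python
import csv
import io
import sys

# Expected owner of each RPC-over-HTTP back-end port on Exchange 2003
# (assumption, see the lead-in): Information Store on 6001, System Attendant on 6002/6004.
EXPECTED_OWNERS = {6001: "store.exe", 6002: "mad.exe", 6004: "mad.exe"}

# Constructed `netstat -ano` output modelled on the rows quoted in the thread.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.5:6001          0.0.0.0:0              LISTENING       2068
  TCP    10.0.0.5:6002          0.0.0.0:0              LISTENING       2980
  TCP    10.0.0.5:6004          0.0.0.0:0              LISTENING       2980
  TCP    10.0.0.5:6001          10.0.0.9:2290          CLOSE_WAIT      2068
  TCP    10.0.0.5:6001          10.0.0.9:2292          CLOSE_WAIT      2068
  UDP    10.0.0.5:123           *:*                                    1072
"""

# Constructed `tasklist /FO CSV` output; SomeAgent.exe is a placeholder for the
# unrelated application that held 6001 in the thread.
SAMPLE_TASKLIST = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"store.exe","3120","Console","0","412,340 K"
"mad.exe","2980","Console","0","38,112 K"
"SomeAgent.exe","2068","Console","0","9,804 K"
"""


def parse_netstat(text):
    """Return TCP rows as dicts; header lines and UDP rows (no State column) are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        _proto, local, remote, state, pid = parts
        _host, _sep, port = local.rpartition(":")   # rpartition also copes with [IPv6]:port
        rows.append({"local": local, "port": int(port), "remote": remote,
                     "state": state, "pid": int(pid)})
    return rows


def parse_tasklist_csv(text):
    """Map PID -> image name from `tasklist /FO CSV` output."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(text))}


def audit_listeners(netstat_text, tasklist_text, expected=EXPECTED_OWNERS):
    """For each expected port, report who listens on it and whether it is the right image.
    CLOSE_WAIT connections on a port are counted: a pile of them on a listener owned
    by the wrong process is the pattern the thread saw on 6001."""
    rows = parse_netstat(netstat_text)
    images = parse_tasklist_csv(tasklist_text)
    report = {}
    for port, want in sorted(expected.items()):
        listeners = [r for r in rows if r["port"] == port and r["state"] == "LISTENING"]
        stuck = sum(1 for r in rows if r["port"] == port and r["state"] == "CLOSE_WAIT")
        if not listeners:
            report[port] = "no listener; expected %s" % want
            continue
        pid = listeners[0]["pid"]
        image = images.get(pid, "unknown")
        if image.lower() == want.lower():
            report[port] = "ok: %s (PID %d)" % (image, pid)
        else:
            report[port] = "owned by %s (PID %d), expected %s; %d CLOSE_WAIT" % (image, pid, want, stuck)
    return report


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Real use on the server: netstat -ano > ns.txt, tasklist /FO CSV > tl.txt, then
        # python audit.py ns.txt tl.txt
        with open(sys.argv[1]) as ns, open(sys.argv[2]) as tl:
            result = audit_listeners(ns.read(), tl.read())
    else:
        result = audit_listeners(SAMPLE_NETSTAT, SAMPLE_TASKLIST)
    for port, verdict in result.items():
        print(port, verdict)
```

Whatever process wins the bind race for 6001 at boot keeps it; store.exe does not fail loudly when its port is taken, it simply listens elsewhere and RPC/HTTP clients get RPC_S_SERVER_UNAVAILABLE, as the ExRCA output above shows.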
 

Author Comment

by:expuser2008
ID: 33482801
Yes, you are right: port 6001 was listening on PID 2068, which was some other client application
other than store.exe. I removed that client application and now store.exe is listening on port 6001,
and the problem is solved. Later I will try again and install that client application
and see if it uses a port other than 6001.
Thank you very much for your help in solving this issue.
If you can, please continue to help me, since I would like to have ActiveSync set up as well on my
Exchange; I have ActiveSync enabled on my Exchange as well.
But when I try to connect to https://exchangeserver/oma, after login it gives me this error:
(A System error has occurred while processing your request. Please try again. If the problem persists, contact your administrator).
I read in Microsoft KB 817379 that I have to create separate virtual directories for OMA and
ActiveSync.

Can you please provide me the right steps from the beginning to set up SSL ActiveSync on Exchange 2003
with SP2?

Regards.
Adil
0
 
LVL 9

Accepted Solution

by:
v_9mhdrf earned 500 total points
ID: 33490953
Here are the details about setting up ActiveSync on an Exchange 2003 server.
Exchange OMA is a dead technology after Exchange 2003 SP2, so we have ActiveSync in place; go for it, brother...
And here is the guide for you!

Pre-Requisites:

Firstly, you need to make sure that you have Exchange Server 2003 Service Pack 2 Installed.  To check if you have it installed, open up Exchange System Manager - Start, Programs, Microsoft Exchange, System Manager.  Then expand Servers, Right-Click your server and choose Properties.  This will display whether you have SP2 installed or not.  If you do not have SP2 installed you can download it here – http://www.microsoft.com/downloads/details.aspx?FamilyID=535BEF85-3096-45F8-AA43-60F1F58B3C40&displaylang=en

You also need to ensure that TCP Port 443 is open and forwarded on your firewall to your Exchange server.  You don't need to open up any other ports to get Activesync working, just TCP port 443.

Please check the LAN Adapter Binding order to make sure the NIC that Exchange is bound to is at the top of the list (Start> Run> [type] ncpa.cpl [press enter]> Advanced> Advanced Settings> Connections).

Please check and mirror the settings below (Open up IIS, expand the default website then expand the relevant Virtual Directory, right-click on the Virtual Directory and choose properties, then click on the Directory Security Tab):

Exchange 2003 (Not part of Small Business Server):

Exchange Virtual Directory
•      Authentication = Integrated & Basic
•      Default Domain = NetBIOS domain name - e.g., yourcompany (no more than 15 characters)
•      Realm = yourcompany.com
•      IP Address Restrictions = Granted Access
•      Secure Communications = Require SSL NOT ticked (very important)

Microsoft-Server-Activesync Virtual Directory
•      Authentication = Basic
•      Default Domain = NETBIOS domain name - e.g., yourcompany (no more than 15 characters)
•      Realm = NETBIOS name
•      IP Address Restrictions = Granted Access
•      Secure Communications = Require SSL and Require 128-Bit Encryption IS ticked


Exchange 2003 (Part of Small Business Server):

Exchange Virtual Directory
•      Authentication = Integrated & Basic
•      Default Domain = NetBIOS domain name - e.g., yourcompany
•      Realm = yourcompany.com
•      IP Address Restrictions = Granted Access
•      Secure Communications = Require SSL IS ticked (very important)

Microsoft-Server-Activesync Virtual Directory
•      Authentication = Basic
•      Default Domain = NETBIOS domain name - e.g., yourcompany
•      Realm = NETBIOS name
•      IP Address Restrictions = Granted Access
•      Secure Communications = Require SSL and Require 128-Bit Encryption NOT ticked

Exchange-oma Virtual Directory
•      Authentication = Integrated & Basic
•      Default Domain = NETBIOS domain name - e.g., yourcompany
•      Realm = NETBIOS name
•      IP Address Restrictions = Restricted to IP Address of Server
•      Secure Communications = Require SSL and Require 128-Bit Encryption NOT ticked

OMA Virtual Directory
•      Authentication = Basic
•      Default Domain = NETBIOS domain name - e.g., yourcompany
•      Realm = NETBIOS name
•      IP Address Restrictions = Granted Access
•      Secure Communications = Require SSL and Require 128-Bit Encryption NOT ticked

ASP.NET should be set to version 1.1 for all virtual directories listed above.  If you cannot see the ASP.NET tab, you only have v 1.1 installed so do not worry. If any version other than 1.1 is selected, please change it to v 1.1.4322.

No other virtual directories are involved when using Activesync - despite having seen other postings suggesting that there are.

Also, make sure that you have HTTP Keep-Alives enabled - http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/d7e13ea5-4350-497e-ba34-b25c0e9efd68.mspx?mfr=true

Please also check that Ignore Client Certificates is selected under the IISADMPWD virtual directory / Directory Security Tab / Edit Secure Communications Button.  This Virtual Directory may not exist if you have not setup the ability to reset passwords via Outlook Web Access (OWA).

IPV6
Please make sure that IPV6 is NOT installed on your server as this is known to break Activesync.

For Small Business Server 2003 Users - please check this MS article - http://support.microsoft.com/kb/937635

Make sure that the name on the SSL certificate you have installed matches the Fully Qualified Domain Name (FQDN) that you are connecting to for ActiveSync - for example, mail.microsoft.com. If it does not match, either re-issue the certificate if you created it yourself, or re-key the certificate from your SSL certificate provider.

Activesync is much easier to get working with a purchased SSL certificate (installed on the default website but you can generate your own and still make it work).  GoDaddy seem to be offering the cheapest SSL certificates (at the time of writing this article).

Ensure that the IP for the Default Website is set to All Unassigned and using port 80 (open up IIS, Right-Click the Default Website).  If your default website is using any port other than port 80, it simply will not work, so if you have changed this to make something else work, either change it back to port 80 or stop trying to use Activesync!

If you make any changes to IIS, you will need to reset IIS settings.  Please click on Start, Run and type IISRESET then press enter.

Windows Mobile Phone / iPhone Settings:
Email Address: Your Users Email Address
Server: Whatever name you have on your certificate e.g., mail.yourdomain.com (do not add /exchange or /oma or /anything)
Domain: Your internal Domain Name e.g., yourdomain (maximum 15 characters)
Username: Your Username e.g., User123
Password: No Clues
Description: Whatever you want to call the Account

Testing:

If you have got SP2 installed, check on https://testexchangeconnectivity.com to see if everything is working properly by running the Exchange Activesync check. The site is an official Microsoft site specifically for testing Exchange installations and connectivity.

Please select ‘Specify Manual Server Settings’ (Exchange 2003 does not have native Autodiscover enabled so using the Autodiscover settings will fail).

3rd Party SSL Certificate:

Do not check the “Ignore Trust for SSL” check box

Self-Certified SSL Certificate:

Check the "Ignore Trust for SSL" checkbox.

If you are trying to make an iPhone work, then you can also download the free iPhone App 'Activesync Tester' and this should identify any problems with your configuration, or download the version for your PC from https://store.accessmylan.com/main/diagnostic-tools

Various Activesync Errors / Solutions:

If you make any changes to IIS settings, please run IISRESET and re-visit https://testexchangeconnectivity.com

Activesync Error 0x86000108:
Activesync is unsuccessful and you see the error 0x86000108 on your Windows Mobile Device:
Please read the following MS Article which checks that Authenticated Users has write permissions to the %TEMP% directory (usually c:\windows\temp) – http://support.microsoft.com/kb/950796/en-us

Application Event Log 3005 Errors:
A lot of 3005 errors can be resolved by changing the Default Website Timeout value from 120 (default) to something greater, such as 480 using IIS Manager.

Inconsistent Sync:
If you are getting inconsistent Synchronisation from your device to your Exchange 2003 server, please add the following registry key to the server:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\VirusScan
ProactiveScanning      REG_DWORD      1

HTTP 401 Error:
If you are getting an HTTP 401 error when testing on https://testexchangeconnectivity.com then you are probably entering an incorrect username or password, or you may have IP Address restrictions setup on your virtual directories (see IIS Settings above under prerequisites).

HTTP 403 Error:
Ensure that Forms Based Authentication is NOT turned on under Exchange Virtual Server under Exchange Protocols (Exchange System Manager, Servers, Protocols, HTTP, Exchange Virtual Server properties, Settings Tab).  If it is -- read http://support.microsoft.com/kb/817379

I have had Activesync work despite seeing "An HTTP 403 forbidden response was received. The response appears to have come from Unknown. Body is: <body><h2>HTTP/1.1 403 Forbidden</h2></body>" at the end of the test above.  To resolve this (if you like things tidy), please open up Exchange System Manager, Global Settings, Mobile Services Properties, Device Security Button, Exceptions Button, then add your account to the exceptions list.

I have also seen the 403 error resolved by running:
eseutil /p
eseutil /d and
isinteg -s servername -fix -test alltests (at least twice)

Check to see if Activesync is enabled globally on your server - http://technet.microsoft.com/en-us/library/bb125073(EXCHG.65).aspx
Also check to see if it is enabled on a user by user basis - http://technet.microsoft.com/en-us/library/aa997489(EXCHG.65).aspx


HTTP 500 Error:
If you still cannot get Activesync to work or keep getting an HTTP 500 error, please follow Method 2 in Microsoft Knowledgebase Article KB883380 (http://support.microsoft.com/kb/883380) and this should resolve the issues. This essentially deletes the Exchange Virtual Directories from the IIS Metabase (which can be corrupted) and rebuilds them. When deleting the Exchange virtual Directories, please also delete the Exchange-OMA virtual directory if it exists.  Rebuilding those virtual directories often clears up problems that all the other steps above do not resolve.

If, after following KB 883380, Activesync still does not work and it keeps coming up with HTTP 500 errors, please do the following:

• Disable Forms Based Authentication - Exchange HTTP Protocol (if enabled)
• Remove SSL settings from the Exchange IIS virtual directory
• Run iisreset
• Test Activesync without SSL selected - hopefully this should work or give the OK result
• If okay - right-click on the Exchange Virtual Directory and select all Tasks> Save Configuration to a file. Name the file Exchange and save to the desktop
• Run Regedit (and be extremely careful here as you can kill your server very easily) then right-click on My Computer and select Export. Name the file as 'EntireRegistry' and save the backup of the registry to the desktop
• In regedit - locate HKLM \ System \ CurrentControlSet \ Services \ MasSync \ Parameters and delete the ExchangeVDir key from the right-hand pane.
• Close Regedit
• Right-click on the default website and select New> Virtual Directory from File. Browse to the desktop and click on the Exchange.xml that you created above, then click on Read file, select Exchange from the 'Select a configuration to import' section and click on OK. Select 'Create a new virtual Directory' and name the directory 'exchange-oma' and click OK.
• Right-click on Exchange-OMA virtual directory you just created and click Browse - you should see OWA open up happily
• Open Regedit and add the ExchangeVDir key back that you recently deleted as a String Value and then change the value to read /exchange-oma
• Close regedit
• Enable SSL and require 128-Bit Encryption on the Exchange Virtual Directory to ensure it is secure once again
• Enable Forms Based Authentication (if you want to use it) on Exchange > Protocols> HTTP
• Make sure that Integrated Authentication is enabled on the Exchange Virtual Directory
• Check that the Exchweb virtual directory does not have SSL enabled
• Run iisreset
• Test Activesync - should hopefully be working now

If the above fails, please check you event logs for Event ID 9667 - Source MSExchangeIS.  If this event exists, please have a read of MS KB820379 - http://support.microsoft.com/default.aspx?kbid=820379

Hopefully if you are now at the bottom of my article, your mobile phones should now be synchronising happily.  If that is not the case, please review your IIS Settings carefully and start at the top of this article again.

So, in summary, you have reviewed and checked the settings in IIS to ensure that Activesync will work on your Exchange 2003 server, you have made sure that you have Exchange 2003 Service Pack 2 installed and you have run a test to make sure that your server is responding happily and by now, your iPhones and Windows Mobile phones should be happily synchronising.

Having got this far - and hopefully fixing your problems

Thanks
0
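The IIS settings table in the answer above is a policy that can be checked mechanically. IIS 6 stores those tabs as two metabase integers, AuthFlags (Anonymous=1, Basic=2, Integrated=4, Digest=16, Passport=64) and AccessSSLFlags (RequireSSL=8, NegotiateCert=32, RequireCert=64, MapCert=128, Require128Bit=256), which is how adsutil.vbs GET W3SVC/1/ROOT/<vdir>/AuthFlags reports them. The checker below is an added example, not code from the answer or from Microsoft; it decodes those bitmasks and applies the non-SBS rules from the table (Exchange: Basic and Integrated, Require SSL not ticked; Microsoft-Server-ActiveSync: Basic only, Require SSL and 128-bit ticked). The sample values are constructed, with the Exchange directory deliberately set to require SSL, the misconfiguration the answer warns about.

```python
# IIS 6 metabase bit values for the two Directory Security settings the answer lists.
AUTH_FLAGS = {1: "Anonymous", 2: "Basic", 4: "Integrated", 16: "Digest", 64: "Passport"}
SSL_FLAGS = {8: "RequireSSL", 32: "NegotiateCert", 64: "RequireCert", 128: "MapCert", 256: "Require128Bit"}

# Non-SBS rules transcribed from the table above. Flags not named in a rule are not checked.
POLICY = {
    "Exchange": {
        "auth": {"Basic", "Integrated"},
        "ssl": {"RequireSSL": False},                    # "Require SSL NOT ticked (very important)"
    },
    "Microsoft-Server-ActiveSync": {
        "auth": {"Basic"},
        "ssl": {"RequireSSL": True, "Require128Bit": True},
    },
}

# Constructed sample as read with adsutil.vbs: (AuthFlags, AccessSSLFlags) per virtual directory.
SAMPLE = {
    "Exchange": (6, 264),                     # Basic+Integrated, but RequireSSL+Require128Bit set
    "Microsoft-Server-ActiveSync": (2, 264),  # Basic only, RequireSSL+Require128Bit set
}


def decode(flags, table):
    """Turn a metabase bitmask into the set of flag names it contains."""
    return {name for bit, name in table.items() if flags & bit}


def check_vdir(name, auth_flags, ssl_flags, policy=POLICY):
    """Return a list of human-readable violations for one virtual directory."""
    rule = policy[name]
    problems = []
    auth = decode(auth_flags, AUTH_FLAGS)
    if auth != rule["auth"]:
        problems.append("auth is %s, expected %s" % (sorted(auth), sorted(rule["auth"])))
    ssl = decode(ssl_flags, SSL_FLAGS)
    for flag, wanted in rule["ssl"].items():
        present = flag in ssl
        if present != wanted:
            problems.append("%s is %s, expected %s" % (
                flag, "set" if present else "clear", "set" if wanted else "clear"))
    return problems


def audit(sample=SAMPLE):
    """Check every sampled virtual directory against the policy."""
    return {name: check_vdir(name, auth, ssl) for name, (auth, ssl) in sample.items()}


if __name__ == "__main__":
    for vdir, problems in audit().items():
        print(vdir, "->", problems or "ok")
```

The Exchange directory must stay reachable without SSL because the ActiveSync virtual directory proxies to it over plain HTTP on the same server; that internal hop is why the answer marks "Require SSL NOT ticked" as very important on a non-SBS box, and why the SBS variant needs the separate exchange-oma directory instead.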
 

Author Comment

by:expuser2008
ID: 33574096
Hi
Sorry for the late response; some other things came up. First of all, thanks a lot for your help;
your responses were very quick every time. I managed to get ActiveSync working with your help.
You can close this question.

Best Regards.
Adil Syed
0
 
LVL 34

Expert Comment

by:Shreedhar Ette
ID: 33942383
Kindly select one of the comments as the accepted solution to close the question.
0
