Solved

Problems getting RPC over HTTP to connect

Posted on 2010-08-26
58
1,816 Views
Last Modified: 2012-08-14
I am working with Exchange, trying to configure RPC over HTTP(s).

I have RPC over HTTP installed on Windows Server 2008 SBS.

I am currently getting this response from www.testexchangeconnectivity.com when trying to test Outlook Anywhere:

Attempting to Ping RPC Proxy remote.ourdomain.com
  RPC Proxy can't be pinged.
   Additional Details
  A Web Exception occurred because an HTTP 401 - Unauthorized response was received from Unknown

We have a Godaddy UCC certificate installed and enabled for IIS and Exchange 2007.

I also have the firewall temporary disabled for troubleshooting purposes.

Where do you think I should start.
 
0
Comment
Question by:PC-Gear
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 29
  • 27
  • +1
58 Comments
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33538860
PC-Gear, you posted this question again ?
0
 

Author Comment

by:PC-Gear
ID: 33538871
Yes.  
It was not being handled, and the "Request Attention" button is disabled so I couldn't ask for more help!
0
 

Author Comment

by:PC-Gear
ID: 33538879
I thought you had given up on me :~(

Here are our Outlook "Anywhere" settings:

[PS] C:\Windows\System32>get-outlookanywhere

ServerName                 : ACCO-SS
SSLOffloading              : False
ExternalHostname           : acco-ss.acco.local
ClientAuthenticationMethod : Basic
IISAuthenticationMethods   : {Basic}
MetabasePath               : IIS://ACCO-SS.acco.local/W3SVC/3/ROOT/Rpc
Path                       : C:\Windows\System32\RpcProxy
Server                     : ACCO-SS
AdminDisplayName           :
ExchangeVersion            : 0.1 (8.0.535.0)
Name                       : Rpc (SBS Web Applications)
DistinguishedName          : CN=Rpc (SBS Web Applications),CN=HTTP,CN=Protocols
                             ,CN=ACCO-SS,CN=Servers,CN=Exchange Administrative
                             Group (FYDIBOHF23SPDLT),CN=Administrative Groups,C
                             N=First Organization,CN=Microsoft Exchange,CN=Serv
                             ices,CN=Configuration,DC=acco,DC=local
Identity                   : ACCO-SS\Rpc (SBS Web Applications)
Guid                       : b7387bf4-1256-42fb-8468-39049632d3ad
ObjectCategory             : acco.local/Configuration/Schema/ms-Exch-Rpc-Http-V
                             irtual-Directory
ObjectClass                : {top, msExchVirtualDirectory, msExchRpcHttpVirtual
                             Directory}
WhenChanged                : 8/24/2010 12:08:38 AM
WhenCreated                : 8/24/2010 12:08:38 AM
OriginatingServer          : ACCO-SS.acco.local
IsValid                    : True
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
LVL 28

Expert Comment

by:sunnyc7
ID: 33538880
That means its already being processed @ someone is working on it / will work on it and report back. mods are a stressed out lot :(
0
 

Author Comment

by:PC-Gear
ID: 33538892
Gotcha.

Thanks!
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33538893
Can you go here
https://www.testexchangeconnectivity.com/

Test for Outlook Anywhere
Post back the results here.

thanks
0
 
LVL 2

Expert Comment

by:j-holtz
ID: 33538905
Make sure your DNS for you domain ourdomain.com include an entry for remote.ourdomain.com that points to your server.

Use http://www.mxtoolbox.com/ and do a lookup for a:remote.ourdomain.com

If it does not point to your server's ip address, you will need to update your DNS records to include the remote subdomain.

depending on how your server is setup you may not need the remote. subdomain. You can use the exchange certificate wizard to check which subdomains are needed for the services you run:

http://technet.microsoft.com/en-us/library/dd351057.aspx

The following won't fix the ping problem but you need to make sure your UCC certificate contains all the required subdomains used by exchange and iis. You can use the results from the exchange certificate request wizard to check which subdomains needs to be included in the UCC
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33538906
Can you check this guide and configure RPC/HTTPS as per the article.
http://www.exchange-genie.com/2008/02/configuring-outlook-anywhere-for-exchange-2007-sp1/

a) From Exchange shell
Enable-OutlookAnywhere -Server ACCO-SS.acco.local -SSLOffloading:$false -ExternalHostname mail.domain.com -ClientAuthenticationMethod basic -IISAuthenticationMethods basic
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33538911
(pressed submit before I could finish)

Then follow Step-2 and the registry entry.
configure outlook as per the screenshots.

Test it after that @ if it works
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33538916
what time zone are you in ?
i am on EST - its about 12:30 AM here..
0
 

Author Comment

by:PC-Gear
ID: 33538928
We're EST too.

Look at my first post, it has the results for testexchangeconnectivity.com.

I'm going over all of your ideas here...
0
 

Author Comment

by:PC-Gear
ID: 33538982
The main subject in our UCC SSL is remote.domain.com, NOT mail.domain.com.

In our UCC Cert, we have remote.domain.com, acco-ss.acco.local, acco-ss, autodiscover.acco.local, and autodiscover.domain.com for its SANs.

Our FQDN is remote.domain.com which forwards to the server's I.P.

We can connect VIA OWA, etc...

The only thing NOT working is this dang Outlook Nowhere -- um, I mean "Anywhere".
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33539001
I will check your ExRCA results from your previous post.
0
 

Author Comment

by:PC-Gear
ID: 33539013
Um...

I disabled Outlook Anywhere and then reenabled it again, and I found this error in the log:

The configuration application APPCMD.EXE failed with exit code 1346. Command parameters:
list config "SBS Web Applications/Rpc/" -Section:system.WebServer/ServerRuntime.

Does this mean anything to you?
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33539041
start > run
type inetmgr

Expand
Sites
SBS web applications
RPC

Right click > manage application > Advanced settings
See if Physical Path Credentials is EMPTY
If not - can you delete it.

Restart IIS

thanks
0
 

Author Comment

by:PC-Gear
ID: 33539047
Here are the full results for you to chew on:


 ExRCA is testing RPC/HTTP connectivity.
  The RPC/HTTP test failed.
   Test Steps
   Attempting to resolve the host name remote.domain.com in DNS.
  Host successfully resolved
   Additional Details
  IP(s) returned: 256.256.256.256 (obfuscated)
 
 Testing TCP Port 443 on host remote.domain.com to ensure it is listening and open.
  The port was opened successfully.
 ExRCA is testing the SSL certificate to make sure it's valid.
  The certificate passed all validation requirements.
   Test Steps
   The certificate name is being validated.
  Successfully validated the certificate name
   Additional Details
  Found hostname remote.domain.com in Certificate Subject Common name
 
 Certificate trust is being validated.
  The certificate is trusted and all certificates are present in the chain.
   Additional Details
  The Certificate chain has be validated up to a trusted root. Root = E=info@valicert.com, CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
 
 The certificate date is being confirmed to ensure the certificate is valid.
  Date validation passed. The certificate hasn't expired.
   Additional Details
  Certificate is valid: NotBefore = 8/24/2010 9:29:56 PM, NotAfter = 8/24/2013 9:29:56 PM"
   
 The IIS configuration is being checked for client certificate authentication.
  Client certificate authentication wasn't detected.
   Additional Details
  Accept/Require Client Certificates not configured.
 
 Testing Http Authentication Methods for URL https://remote.domain.com/rpc/rpcproxy.dll 
  The HTTP authentication methods are correct.
   Additional Details
  Found all expected authentication methods and no disallowed methods. Methods Found: Basic
 
 SSL mutual authentication with the RPC proxy server is being tested.
  Mutual authentication was verified successfully.
   Additional Details
  Certificate common name remote.domain.com matches msstd:remote.domain.com
 
 Attempting to Ping RPC Proxy remote.domain.com
  RPC Proxy can't be pinged.
   Additional Details
  A Web Exception occurred because an HTTP 401 - Unauthorized response was received from Unknown
 
 I'm going to bed.

You probably should too :~)
 
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33539048
Check my last post and let me know.

I may get the solution in my dream (if it wasnt the last post...)
0
 

Author Comment

by:PC-Gear
ID: 33539056
It's already blank -- it's set to application user.
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33539061
Logon type ?
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33539063
What about same thing for RPCwithCert ?
0
 

Author Comment

by:PC-Gear
ID: 33539072
It had a username in there that I had configured for troubleshooting.  I have removed it again and set it back to "Application User".
0
 

Author Comment

by:PC-Gear
ID: 33539079
RPC is set to "Basic" only.

However, RCPWithCert is set to nothing???

Might this be a problem?
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33539081
Restart IIS

www.testexchangeconnectivity.com

let me know the results.
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33539085
check against this.

rpc-cert.png
0
 

Author Comment

by:PC-Gear
ID: 33539086
Um...

Should I enable "Basic" on this one?
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33539087
Yes @ to basic.
0
 

Author Comment

by:PC-Gear
ID: 33539096
Yes, the picture is what I have.

I added "Basic" and restarted IIS.

No joy :~(
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33539104
a) Open IIS
b) Click on Server name on left panel.
c) On the right panel click on worker processes.
d) Click on SBS Application pool (in app pool name)

See if anything is populated there
(Screenshots here)

http://blogs.technet.com/b/sbs/archive/2009/01/28/slow-connectivity-for-outlook-anywhere-and-sites-that-use-the-sbs-web-applications-app-pool.aspx
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33539107
off to bed.
will wait for your last post and dream of a solution.

--
This being SBS - I am really really scared of reinstalling RPC/HTTPS or anything else here.
You really dont know what thread goes where in SBS :(
0
 

Author Comment

by:PC-Gear
ID: 33539113
Nothing.

Shouldn't RPCProxy.dll be in there?
0
 
LVL 34

Expert Comment

by:Shreedhar Ette
ID: 33539117
Hi,

Run SBS 2008 Best Practise Analyser tool and fix the errorsreported.

Also Run Exchange 2007 Best Practise Analyser Tool and fix the errors reported.

I suspect that the Exchange 2007 is not updated with the latest updates.

Hope this helps,
Shree
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33539121
Nope - that lists out the current connections > meaning there are no current connections.

@shree's idea is not bad.
Did you run BPA
start > programs Best Practices.
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33539151
Off to bed
0
 

Author Comment

by:PC-Gear
ID: 33539164
I actually did that about 20 hours ago.

Me too.
0
 

Author Comment

by:PC-Gear
ID: 33541691
Well...

I ran the BPA health check.

The only errors that I received were "More than eight logical processors" warning even though affinity is only set to six CPUs.

Other than that, nothing.
0
 

Author Comment

by:PC-Gear
ID: 33543175
I have a question.

Under RPCWithCert virtual directory in IIS, is HTTPtoHTTPSRedir supposed to be listed under "Modules"?

I saw that it was listed under the RPC virtual directory, so I removed it, but it's not under RPCWithCert.
0
 

Author Comment

by:PC-Gear
ID: 33543275
This seems odd.  Take a look at this picture.

I can't see any connection being added here when I try to run the testexchangeconnectivity tester for Outlook Anywhre.

These same connections (listed in the picture) are the only ones I see.
IIS-Screenshot.jpg
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33543332
This means your RPC is working.
Otherwise there will be an error there @ wait retry or something
0
 

Author Comment

by:PC-Gear
ID: 33543538
I thought that you could see new connection attempts here?
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33543569
Can you check state column / Does it say execute request handler ?

Otherwise it will display like this @ scroll down in the link to worker process and requests.

http://blogs.technet.com/b/sbs/archive/2009/01/28/slow-connectivity-for-outlook-anywhere-and-sites-that-use-the-sbs-web-applications-app-pool.aspx
0
 

Author Comment

by:PC-Gear
ID: 33543693
Yes, they all say "Execute Request Handler"

That's what I'm talking about, I can't see any "BeginRequest(s)".
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33543704
Begin Requests @ are the requests which are not being served.

Execute request handler are the RPC/HTTPS requests which are being served, and allocated a IIS worker process - which translates to a process for w3wp.exe

can you test RPC/HTTPS now using outlook - not ExRCA
0
 

Author Comment

by:PC-Gear
ID: 33543708
Yes.

Stand by.
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33543713
sure.
0
 

Author Comment

by:PC-Gear
ID: 33544029
YES!!!

It's working from Outlook (but not from testmyexchangeconnectivity.com.

Maybe they need to do a Test-TestMyExchangeConnectivity.com website.

Uh oh...

Now I'm getting a (minor) SSL error when going into Outlook about Mail.domain.com -- the certificate having the wrong name: "The name of the security certificate is invalid or it does not match the name of the site."

In our certificate we have: remote.domain.com, autodiscover.acco.local, autodiscover.domain.com, acco-ss, and acco-ss.domain.local.

What do you think is telling it to look at mail.domain.com?

Oh great!  Now we can't access OWA from outside the network.

I just tried to restart IIS W3svc and it won't stop, I get errors about not being able to stop it and then not being able to start it.  Finally it says that it's running but from the outside I'm getting a "Forbidden: Access Denied" error message.

What do you think is going on here?
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33544140
a) get-autodiscovervirtualdirectory | fl externalurl

b) You are checking OWA with https://remote.domain.com/owa ?

c) change the proxy setting in MSSTD: to remote.domain.com - instead of mail.domain.com

I think wherever you have mail.domain.com > we need to change that to remote.domain.com

I think we are getting there :)
0
 

Author Comment

by:PC-Gear
ID: 33544202
A.) ExternalUrl : https://remote.domain.com/Autodiscover/Autodiscover.xml
B.) Yes
C.) How do I do this?

How do I find out where else their might be mail.domain.com?

And what about not being able to access remote.domain.com anymore to check e-mail remotely using OWA?
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33544241
c) Outlook RPC HTTPS configuration

In this picture
http://www.tacteam.net/isaserverorg/outlookrpchttp/Image2224.gif
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33544258
Going out for lunch. be back in an hr.
0
 

Author Comment

by:PC-Gear
ID: 33544292
Gotcha.

I configured it for msstd:remote.domain.com

No effect.  I am still prompted if I want to proceed with using certificate with missing name.
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33544328
Close outlook
and then try again

use
outlook /rpcdiag
give me a screenshot of connections monitor

@seriously out for lunch now :)
0
 

Author Comment

by:PC-Gear
ID: 33544608
Enjoy your lunch?

I can't get the certificate error to come up again, so maybe it's OK.

The only thing is it can't access the OAB (can't download it, I get an object not found error message.)

Anyway, let's ignore this for now and get back to why do you suppose that we can't connect to the SBS Website using remote.domain.com anymore? (Access Denied).

I have tried to restart both the SBS Web Applications website and the IIS root.
Outlook-Connections-Screenshot.bmp
0
 
LVL 28

Accepted Solution

by:
sunnyc7 earned 500 total points
ID: 33545882
your RPC diag shows - its working.

About OAB

get-oabvirtualdirectory | fl

output the results here.

I will post back on remote.domain.com @ access denied error.
0
 

Author Comment

by:PC-Gear
ID: 33545885
Forget the other problem about not being able to access: remote.domain.com.

I removed the httptohttpsredir module, so I forgot that we have to access it by going to: remote.domain.com/remote.

The only problem that remains is the goofy certificate error.

It popped back up again about an hour later.

Thanks for all of your help sunnc7 -- you definitely earned those 500 points!!!
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33545907
oops @ I thought you were going to remote.domain.com/remote and it wasnt working there...

Certificate error @ check if certificates are applied properly.
You can download this tool > export and re-import and apply the certs.
www.u-btech.com/products/certificate-manager-for-exchange-2007.html
0
 

Author Closing Comment

by:PC-Gear
ID: 33545934
Thanks again!

I'm not really sure which step fixed the original problem of not being able to connect VIA RPC/HTTP, since I was only testing the various stages using www.testexchangeconnectivity.com and not by trying it in Outlook... but I'm sure glad it's fixed.

0
 

Author Comment

by:PC-Gear
ID: 33545944
I will repost the certificate question to the proper forum (with more points)
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33545955
I'd say the point @ which this started working http:#33543275

I am glad it worked out.
Thanks for the points. :)

Please post back in exchange queue if some other issues crop up.

thanks
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Following basic email etiquette rules will help you write a professional email and achieve a good, lasting impression with your contacts.
This article explains how to install and use the NTBackup utility that comes with Windows Server.
In this video we show how to create a Distribution Group in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >>…
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…

740 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question