Solved

Problems getting RPC over HTTP to connect

Posted on 2010-08-26
Last Modified: 2012-08-14
I am working with Exchange, trying to configure RPC over HTTP(s).

I have RPC over HTTP installed on Windows Server 2008 SBS.

I am currently getting this response from www.testexchangeconnectivity.com when trying to test Outlook Anywhere:

Attempting to Ping RPC Proxy remote.ourdomain.com
  RPC Proxy can't be pinged.
   Additional Details
  A Web Exception occurred because an HTTP 401 - Unauthorized response was received from Unknown

We have a Godaddy UCC certificate installed and enabled for IIS and Exchange 2007.

I also have the firewall temporarily disabled for troubleshooting purposes.

Where do you think I should start?
 
Question by:PC-Gear
58 Comments
 
LVL 28

Expert Comment

by:sunnyc7
Comment Utility
PC-Gear, you posted this question again ?
0
 

Author Comment

by:PC-Gear
Comment Utility
Yes.  
It was not being handled, and the "Request Attention" button is disabled so I couldn't ask for more help!
0
 

Author Comment

by:PC-Gear
Comment Utility
I thought you had given up on me :~(

Here are our Outlook "Anywhere" settings:

[PS] C:\Windows\System32>get-outlookanywhere

ServerName                 : ACCO-SS
SSLOffloading              : False
ExternalHostname           : acco-ss.acco.local
ClientAuthenticationMethod : Basic
IISAuthenticationMethods   : {Basic}
MetabasePath               : IIS://ACCO-SS.acco.local/W3SVC/3/ROOT/Rpc
Path                       : C:\Windows\System32\RpcProxy
Server                     : ACCO-SS
AdminDisplayName           :
ExchangeVersion            : 0.1 (8.0.535.0)
Name                       : Rpc (SBS Web Applications)
DistinguishedName          : CN=Rpc (SBS Web Applications),CN=HTTP,CN=Protocols
                             ,CN=ACCO-SS,CN=Servers,CN=Exchange Administrative
                             Group (FYDIBOHF23SPDLT),CN=Administrative Groups,C
                             N=First Organization,CN=Microsoft Exchange,CN=Serv
                             ices,CN=Configuration,DC=acco,DC=local
Identity                   : ACCO-SS\Rpc (SBS Web Applications)
Guid                       : b7387bf4-1256-42fb-8468-39049632d3ad
ObjectCategory             : acco.local/Configuration/Schema/ms-Exch-Rpc-Http-V
                             irtual-Directory
ObjectClass                : {top, msExchVirtualDirectory, msExchRpcHttpVirtual
                             Directory}
WhenChanged                : 8/24/2010 12:08:38 AM
WhenCreated                : 8/24/2010 12:08:38 AM
OriginatingServer          : ACCO-SS.acco.local
IsValid                    : True
0
 
LVL 28

Expert Comment

by:sunnyc7
Comment Utility
That means it's already being processed @ someone is working on it / will work on it and report back. Mods are a stressed out lot :(
0
 

Author Comment

by:PC-Gear
Comment Utility
Gotcha.

Thanks!
0
 
LVL 28

Expert Comment

by:sunnyc7
Comment Utility
Can you go here
https://www.testexchangeconnectivity.com/

Test for Outlook Anywhere
Post back the results here.

thanks
0
 
LVL 2

Expert Comment

by:j-holtz
Comment Utility
Make sure your DNS for your domain ourdomain.com includes an entry for remote.ourdomain.com that points to your server.

Use http://www.mxtoolbox.com/ and do a lookup for a:remote.ourdomain.com

If it does not point to your server's IP address, you will need to update your DNS records to include the remote subdomain.

Depending on how your server is set up you may not need the remote. subdomain. You can use the Exchange certificate wizard to check which subdomains are needed for the services you run:

http://technet.microsoft.com/en-us/library/dd351057.aspx

The following won't fix the ping problem but you need to make sure your UCC certificate contains all the required subdomains used by Exchange and IIS. You can use the results from the Exchange certificate request wizard to check which subdomains need to be included in the UCC.
0
 
LVL 28

Expert Comment

by:sunnyc7
Comment Utility
Can you check this guide and configure RPC/HTTPS as per the article.
http://www.exchange-genie.com/2008/02/configuring-outlook-anywhere-for-exchange-2007-sp1/

a) From Exchange shell
Enable-OutlookAnywhere -Server ACCO-SS.acco.local -SSLOffloading:$false -ExternalHostname mail.domain.com -ClientAuthenticationMethod basic -IISAuthenticationMethods basic
0
 
LVL 28

Expert Comment

by:sunnyc7
Comment Utility
(pressed submit before I could finish)

Then follow Step-2 and the registry entry.
configure outlook as per the screenshots.

Test it after that @ if it works
0
 
LVL 28

Expert Comment

by:sunnyc7
Comment Utility
What time zone are you in?
I am on EST - it's about 12:30 AM here..
0
 

Author Comment

by:PC-Gear
Comment Utility
We're EST too.

Look at my first post, it has the results for testexchangeconnectivity.com.

I'm going over all of your ideas here...
0
 

Author Comment

by:PC-Gear
Comment Utility
The main subject in our UCC SSL is remote.domain.com, NOT mail.domain.com.

In our UCC Cert, we have remote.domain.com, acco-ss.acco.local, acco-ss, autodiscover.acco.local, and autodiscover.domain.com for its SANs.

Our FQDN is remote.domain.com which forwards to the server's I.P.

We can connect VIA OWA, etc...

The only thing NOT working is this dang Outlook Nowhere -- um, I mean "Anywhere".
0
 
LVL 28

Expert Comment

by:sunnyc7
Comment Utility
I will check your ExRCA results from your previous post.
0
 

Author Comment

by:PC-Gear
Comment Utility
Um...

I disabled Outlook Anywhere and then reenabled it again, and I found this error in the log:

The configuration application APPCMD.EXE failed with exit code 1346. Command parameters:
list config "SBS Web Applications/Rpc/" -Section:system.WebServer/ServerRuntime.

Does this mean anything to you?
0
 
LVL 28

Expert Comment

by:sunnyc7
Comment Utility
start > run
type inetmgr

Expand
Sites
SBS web applications
RPC

Right click > manage application > Advanced settings
See if Physical Path Credentials is EMPTY
If not - can you delete it.

Restart IIS

thanks
0
 

Author Comment

by:PC-Gear
Comment Utility
Here are the full results for you to chew on:


 ExRCA is testing RPC/HTTP connectivity.
  The RPC/HTTP test failed.
   Test Steps
   Attempting to resolve the host name remote.domain.com in DNS.
  Host successfully resolved
   Additional Details
  IP(s) returned: 256.256.256.256 (obfuscated)
 
 Testing TCP Port 443 on host remote.domain.com to ensure it is listening and open.
  The port was opened successfully.
 ExRCA is testing the SSL certificate to make sure it's valid.
  The certificate passed all validation requirements.
   Test Steps
   The certificate name is being validated.
  Successfully validated the certificate name
   Additional Details
  Found hostname remote.domain.com in Certificate Subject Common name
 
 Certificate trust is being validated.
  The certificate is trusted and all certificates are present in the chain.
   Additional Details
  The Certificate chain has be validated up to a trusted root. Root = E=info@valicert.com, CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
 
 The certificate date is being confirmed to ensure the certificate is valid.
  Date validation passed. The certificate hasn't expired.
   Additional Details
  Certificate is valid: NotBefore = 8/24/2010 9:29:56 PM, NotAfter = 8/24/2013 9:29:56 PM"
   
 The IIS configuration is being checked for client certificate authentication.
  Client certificate authentication wasn't detected.
   Additional Details
  Accept/Require Client Certificates not configured.
 
 Testing Http Authentication Methods for URL https://remote.domain.com/rpc/rpcproxy.dll
  The HTTP authentication methods are correct.
   Additional Details
  Found all expected authentication methods and no disallowed methods. Methods Found: Basic
 
 SSL mutual authentication with the RPC proxy server is being tested.
  Mutual authentication was verified successfully.
   Additional Details
  Certificate common name remote.domain.com matches msstd:remote.domain.com
 
 Attempting to Ping RPC Proxy remote.domain.com
  RPC Proxy can't be pinged.
   Additional Details
  A Web Exception occurred because an HTTP 401 - Unauthorized response was received from Unknown
 
 I'm going to bed.

You probably should too :~)
 
0
 
LVL 28

Expert Comment

by:sunnyc7
Comment Utility
Check my last post and let me know.

I may get the solution in my dream (if it wasn't the last post...)
0
 

Author Comment

by:PC-Gear
Comment Utility
It's already blank -- it's set to application user.
0
 
LVL 28

Expert Comment

by:sunnyc7
Comment Utility
Logon type ?
0
 
LVL 28

Expert Comment

by:sunnyc7
Comment Utility
What about same thing for RPCwithCert ?
0
 

Author Comment

by:PC-Gear
Comment Utility
It had a username in there that I had configured for troubleshooting.  I have removed it again and set it back to "Application User".
0
 

Author Comment

by:PC-Gear
Comment Utility
RPC is set to "Basic" only.

However, RPCWithCert is set to nothing???

Might this be a problem?
0
 
LVL 28

Expert Comment

by:sunnyc7
Comment Utility
Restart IIS

www.testexchangeconnectivity.com

let me know the results.
0
 
LVL 28

Expert Comment

by:sunnyc7
Comment Utility
check against this.

rpc-cert.png
0
 

Author Comment

by:PC-Gear
Comment Utility
Um...

Should I enable "Basic" on this one?
0
 
LVL 28

Expert Comment

by:sunnyc7
Comment Utility
Yes @ to basic.
0
 

Author Comment

by:PC-Gear
Comment Utility
Yes, the picture is what I have.

I added "Basic" and restarted IIS.

No joy :~(
0
 
LVL 28

Expert Comment

by:sunnyc7
Comment Utility
a) Open IIS
b) Click on Server name on left panel.
c) On the right panel click on worker processes.
d) Click on SBS Application pool (in app pool name)

See if anything is populated there
(Screenshots here)

http://blogs.technet.com/b/sbs/archive/2009/01/28/slow-connectivity-for-outlook-anywhere-and-sites-that-use-the-sbs-web-applications-app-pool.aspx
0
 
LVL 28

Expert Comment

by:sunnyc7
Comment Utility
off to bed.
will wait for your last post and dream of a solution.

--
This being SBS - I am really really scared of reinstalling RPC/HTTPS or anything else here.
You really don't know what thread goes where in SBS :(
0

 

Author Comment

by:PC-Gear
Comment Utility
Nothing.

Shouldn't RPCProxy.dll be in there?
0
 
LVL 34

Expert Comment

by:Shreedhar Ette
Comment Utility
Hi,

Run SBS 2008 Best Practise Analyser tool and fix the errors reported.

Also Run Exchange 2007 Best Practise Analyser Tool and fix the errors reported.

I suspect that the Exchange 2007 is not updated with the latest updates.

Hope this helps,
Shree
0
 
LVL 28

Expert Comment

by:sunnyc7
Comment Utility
Nope - that lists out the current connections > meaning there are no current connections.

@shree's idea is not bad.
Did you run BPA
start > programs Best Practices.
0
 
LVL 28

Expert Comment

by:sunnyc7
Comment Utility
Off to bed
0
 

Author Comment

by:PC-Gear
Comment Utility
I actually did that about 20 hours ago.

Me too.
0
 

Author Comment

by:PC-Gear
Comment Utility
Well...

I ran the BPA health check.

The only errors that I received were "More than eight logical processors" warning even though affinity is only set to six CPUs.

Other than that, nothing.
0
 

Author Comment

by:PC-Gear
Comment Utility
I have a question.

Under RPCWithCert virtual directory in IIS, is HTTPtoHTTPSRedir supposed to be listed under "Modules"?

I saw that it was listed under the RPC virtual directory, so I removed it, but it's not under RPCWithCert.
0
 

Author Comment

by:PC-Gear
Comment Utility
This seems odd.  Take a look at this picture.

I can't see any connection being added here when I try to run the testexchangeconnectivity tester for Outlook Anywhere.

These same connections (listed in the picture) are the only ones I see.
IIS-Screenshot.jpg
0
 
LVL 28

Expert Comment

by:sunnyc7
Comment Utility
This means your RPC is working.
Otherwise there will be an error there @ wait retry or something
0
 

Author Comment

by:PC-Gear
Comment Utility
I thought that you could see new connection attempts here?
0
 
LVL 28

Expert Comment

by:sunnyc7
Comment Utility
Can you check state column / Does it say execute request handler ?

Otherwise it will display like this @ scroll down in the link to worker process and requests.

http://blogs.technet.com/b/sbs/archive/2009/01/28/slow-connectivity-for-outlook-anywhere-and-sites-that-use-the-sbs-web-applications-app-pool.aspx
0
 

Author Comment

by:PC-Gear
Comment Utility
Yes, they all say "Execute Request Handler"

That's what I'm talking about, I can't see any "BeginRequest(s)".
0
 
LVL 28

Expert Comment

by:sunnyc7
Comment Utility
Begin Requests @ are the requests which are not being served.

Execute request handler are the RPC/HTTPS requests which are being served, and allocated an IIS worker process - which translates to a process for w3wp.exe

can you test RPC/HTTPS now using outlook - not ExRCA
0
 

Author Comment

by:PC-Gear
Comment Utility
Yes.

Stand by.
0
 
LVL 28

Expert Comment

by:sunnyc7
Comment Utility
sure.
0
 

Author Comment

by:PC-Gear
Comment Utility
YES!!!

It's working from Outlook (but not from testmyexchangeconnectivity.com).

Maybe they need to do a Test-TestMyExchangeConnectivity.com website.

Uh oh...

Now I'm getting a (minor) SSL error when going into Outlook about Mail.domain.com -- the certificate having the wrong name: "The name of the security certificate is invalid or it does not match the name of the site."

In our certificate we have: remote.domain.com, autodiscover.acco.local, autodiscover.domain.com, acco-ss, and acco-ss.domain.local.

What do you think is telling it to look at mail.domain.com?

Oh great!  Now we can't access OWA from outside the network.

I just tried to restart IIS W3svc and it won't stop, I get errors about not being able to stop it and then not being able to start it.  Finally it says that it's running but from the outside I'm getting a "Forbidden: Access Denied" error message.

What do you think is going on here?
0
 
LVL 28

Expert Comment

by:sunnyc7
Comment Utility
a) get-autodiscovervirtualdirectory | fl externalurl

b) You are checking OWA with https://remote.domain.com/owa ?

c) change the proxy setting in MSSTD: to remote.domain.com - instead of mail.domain.com

I think wherever you have mail.domain.com > we need to change that to remote.domain.com

I think we are getting there :)
0
 

Author Comment

by:PC-Gear
Comment Utility
A.) ExternalUrl : https://remote.domain.com/Autodiscover/Autodiscover.xml
B.) Yes
C.) How do I do this?

How do I find out where else there might be mail.domain.com?

And what about not being able to access remote.domain.com anymore to check e-mail remotely using OWA?
0
 
LVL 28

Expert Comment

by:sunnyc7
Comment Utility
c) Outlook RPC HTTPS configuration

In this picture
http://www.tacteam.net/isaserverorg/outlookrpchttp/Image2224.gif
0
 
LVL 28

Expert Comment

by:sunnyc7
Comment Utility
Going out for lunch. be back in an hr.
0
 

Author Comment

by:PC-Gear
Comment Utility
Gotcha.

I configured it for msstd:remote.domain.com

No effect.  I am still prompted if I want to proceed with using certificate with missing name.
0
 
LVL 28

Expert Comment

by:sunnyc7
Comment Utility
Close outlook
and then try again

use
outlook /rpcdiag
give me a screenshot of connections monitor

@seriously out for lunch now :)
0
 

Author Comment

by:PC-Gear
Comment Utility
Enjoy your lunch?

I can't get the certificate error to come up again, so maybe it's OK.

The only thing is it can't access the OAB (can't download it, I get an object not found error message.)

Anyway, let's ignore this for now and get back to why do you suppose that we can't connect to the SBS Website using remote.domain.com anymore? (Access Denied).

I have tried to restart both the SBS Web Applications website and the IIS root.
Outlook-Connections-Screenshot.bmp
0
 
LVL 28

Accepted Solution

by:
sunnyc7 earned 500 total points
Comment Utility
Your RPC diag shows - it's working.

About OAB

get-oabvirtualdirectory | fl

output the results here.

I will post back on remote.domain.com @ access denied error.
0
 

Author Comment

by:PC-Gear
Comment Utility
Forget the other problem about not being able to access: remote.domain.com.

I removed the httptohttpsredir module, so I forgot that we have to access it by going to: remote.domain.com/remote.

The only problem that remains is the goofy certificate error.

It popped back up again about an hour later.

Thanks for all of your help sunnyc7 -- you definitely earned those 500 points!!!
0
 
LVL 28

Expert Comment

by:sunnyc7
Comment Utility
Oops @ I thought you were going to remote.domain.com/remote and it wasn't working there...

Certificate error @ check if certificates are applied properly.
You can download this tool > export and re-import and apply the certs.
www.u-btech.com/products/certificate-manager-for-exchange-2007.html
0
 

Author Closing Comment

by:PC-Gear
Comment Utility
Thanks again!

I'm not really sure which step fixed the original problem of not being able to connect VIA RPC/HTTP, since I was only testing the various stages using www.testexchangeconnectivity.com and not by trying it in Outlook... but I'm sure glad it's fixed.

0
 

Author Comment

by:PC-Gear
Comment Utility
I will repost the certificate question to the proper forum (with more points)
0
 
LVL 28

Expert Comment

by:sunnyc7
Comment Utility
I'd say the point @ which this started working http:#33543275

I am glad it worked out.
Thanks for the points. :)

Please post back in exchange queue if some other issues crop up.

thanks
0
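Added example (not part of the original thread, and not code from any poster): a small check for the certificate name warning left open above. It parses pasted Get-OutlookAnywhere list output and reports every configured host name that the certificate's names do not cover. The function names are hypothetical, the sample input is constructed from values quoted in the thread (using the SAN list from PC-Gear's earlier post), and the wildcard rule goes beyond the thread's certificate, which has no wildcard entry.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a few properties copied from the Get-OutlookAnywhere
# listing in the thread, including one value the shell wrapped at console width.
SAMPLE_OUTLOOK_ANYWHERE = """\
ServerName                 : ACCO-SS
ExternalHostname           : acco-ss.acco.local
ClientAuthenticationMethod : Basic
ObjectCategory             : acco.local/Configuration/Schema/ms-Exch-Rpc-Http-V
                             irtual-Directory
"""

# Names PC-Gear lists for the UCC certificate (subject plus SANs).
CERT_NAMES = ["remote.domain.com", "acco-ss.acco.local", "acco-ss",
              "autodiscover.acco.local", "autodiscover.domain.com"]

def parse_format_list(text):
    """Parse 'Name : value' list output; wrapped lines are joined to the previous value."""
    props, last = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\w+)\s*:\s?(.*)$", line)
        if m:
            last = m.group(1)
            props[last] = m.group(2).strip()
        elif last and line.strip():
            props[last] += line.strip()   # continuation of a wrapped value
    return props

def host_of(value):
    """Accept a bare host, a URL or an 'msstd:' principal name; return the host in lower case."""
    value = value.strip()
    if value.lower().startswith("msstd:"):
        value = value[6:]
    if "://" in value:
        return (urlsplit(value).hostname or "").lower()
    return value.lower().rstrip(".")

def covered(host, cert_names):
    """Exact match, or a '*.' entry matching exactly one left-most label."""
    for name in (n.lower() for n in cert_names):
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False

def audit(endpoints, cert_names):
    """Return {setting: host} for each configured name the certificate does not cover."""
    hosts = {setting: host_of(value) for setting, value in endpoints.items()}
    return {s: h for s, h in hosts.items() if not covered(h, cert_names)}

def run_sample():
    props = parse_format_list(SAMPLE_OUTLOOK_ANYWHERE)
    endpoints = {
        "Outlook Anywhere ExternalHostname": props["ExternalHostname"],
        "Autodiscover ExternalUrl": "https://remote.domain.com/Autodiscover/Autodiscover.xml",
        "Outlook proxy principal name": "msstd:remote.domain.com",
        "Name in the Outlook certificate warning": "mail.domain.com",
    }
    return audit(endpoints, CERT_NAMES)

if __name__ == "__main__":
    for setting, host in run_sample().items():
        print(f"not covered by certificate: {host} ({setting})")
```

Feeding it the output of the other virtual directory cmdlets used in the thread (for example get-oabvirtualdirectory | fl) extends the same check to every URL a client is handed.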
