Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Outlook Anywhere (RPC-over-HTTPS) in SBS2008 - Timeout

Posted on 2010-09-13
14
Medium Priority
?
1,264 Views
Last Modified: 2012-05-10
I'm having an intermittent problem with Outlook Anywhere running on Exchange 2007 with SBS 2008 where clients will lose connection and timeout when trying to reconnect.  Outlook connection status shows "Connecting" on any or all of the connection types (mail, directory, etc).  xRCA shows a timeout during the authentication phase.  Browsing to the rpc/rpcproxy.dll just sits there trying to connect.  The problem doesn't seem to happen on the SBS browsing to either the name or localhost but does occur on machines on the same LAN as the SBS.  I get the "...problem with the website's security certificate" page since I only have the external names in the SSL but when I click to continue, it hangs.  External connections don't complain about the SSL since the names are there but the connection still times out.
0
Comment
Question by:belltec
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 6
14 Comments
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33662607
get-clientaccessserver | fl
get-exchangecertificate | fl
get-autodiscovervirtualdirectory | fl
get-outlookanywhere | fl

Please post the output of all 4.

thanks
0
 
LVL 11

Expert Comment

by:Stephen Croft
ID: 33662610
Have you got a proper SAN certificate with external/internal names?

Run an Exchange BPA and make sure its not complaining about certificates - Outlook Anywhere issues usually are certificate-related in my experience :)
0
 

Author Comment

by:belltec
ID: 33662952
djextreme...  My SAN has the external names only as the SBS is being used as a "hosted" Exchange server.  I have a local terminal server on that LAN for mailbox imports (I hate you Gmail).  BPA doesn't like that the local machine name isn't in the SSL but I've had problems getting certificates authorized when including the netbios name.


sunnyc7...  On Friday, the error in the get-outlookanywhere was NOT present, but here's the info you requested.  I'm putting that one first in case we don't need to read further.

-------

[PS] C:\Windows\System32>Get-OutlookAnywhere | fl
WARNING: IIS://SBS.contoso.local/W3SVC/1/ROOT/Rpc was not found. Please make
sure you have typed it correctly.


ServerName                 : SBS
SSLOffloading              : False
ExternalHostname           : mail.contoso.com
ClientAuthenticationMethod : Basic
IISAuthenticationMethods   : {Basic}
MetabasePath               : IIS://SBS.contoso.local/W3SVC/1/ROOT/Rpc
Path                       :
Server                     : SBS
AdminDisplayName           :
ExchangeVersion            : 0.1 (8.0.535.0)
Name                       : Rpc (SBS Web Applications)
DistinguishedName          : CN=Rpc (SBS Web Applications),CN=HTTP,CN=Protocols
                             ,CN=SBS,CN=Servers,CN=Exchange Administrative
                              Group (FYDIBOHF23SPDLT),CN=Administrative Groups,
                             CN=First Organization,CN=Microsoft Exchange,CN=Ser
                             vices,CN=Configuration,DC=contoso,DC=local
Identity                   : SBS\Rpc (SBS Web Applications)
Guid                       : c826073a-5c35-4401-bb96-dec518230116
ObjectCategory             : contoso.local/Configuration/Schema/ms-Exch-Rpc-Http-V
                             irtual-Directory
ObjectClass                : {top, msExchVirtualDirectory, msExchRpcHttpVirtual
                             Directory}
WhenChanged                : 9/10/2010 9:15:52 AM
WhenCreated                : 8/31/2010 3:08:32 PM
OriginatingServer          : SBS.contoso.local
IsValid                    : True

---

[PS] C:\Windows\System32>Get-ClientAccessServer |fl

Name                           : SBS
OutlookAnywhereEnabled         : True
AutoDiscoverServiceCN          : SBS
AutoDiscoverServiceClassName   : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://sites/Autodiscover/Autodiscover.xml
AutoDiscoverServiceGuid        : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope          : {Default-First-Site-Name}
IsValid                        : True
OriginatingServer              : SBS.contoso.local
ExchangeVersion                : 0.1 (8.0.535.0)
DistinguishedName              : CN=SBS,CN=Servers,CN=Exchange Administrat
                                 ive Group (FYDIBOHF23SPDLT),CN=Administrative
                                 Groups,CN=First Organization,CN=Microsoft Exch
                                 ange,CN=Services,CN=Configuration,DC=contoso,DC=l
                                 ocal
Identity                       : SBS
Guid                           : 85360216-38eb-41a0-a24a-1da653d3e374
ObjectCategory                 : contoso.local/Configuration/Schema/ms-Exch-Exchan
                                 ge-Server
ObjectClass                    : {top, server, msExchExchangeServer}
WhenChanged                    : 9/8/2010 1:09:41 PM
WhenCreated                    : 8/25/2010 12:46:01 PM

---

[PS] C:\Windows\System32>Get-ExchangeCertificate | fl

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.contoso.com, www.mail.contoso.com, autodiscover.ma
                     ps-adr.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Au
                     thority, OU=http://certificates.godaddy.com/repository, O=
                     "GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter           : 8/31/2011 2:11:55 PM
NotBefore          : 8/31/2010 2:11:55 PM
PublicKeySize      : 2048
RootCAType         : ThirdParty
SerialNumber       : 2B6689D2F383DA
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=mail.contoso.com, OU=Domain Control Validated, O=mail.
                     contoso.com
Thumbprint         : 3305622CC9C61171778AB2DD299D5D333AA6BC83

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.contoso.com, SBS, SBS.contoso.local, autodis
                     cover.contoso.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : DC=com, DC=contoso-adr, O=Mediation Arbitration Professional
                     Services, CN=mail.contoso.com
NotAfter           : 8/31/2011 12:28:51 PM
NotBefore          : 8/31/2010 12:08:51 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 3240CF37203289BD43CD0D1B904B9004
Services           : None
Status             : Valid
Subject            : DC=com, DC=contoso-adr, O=Mediation Arbitration Professional
                     Services, CN=mail.contoso.com
Thumbprint         : 0913EF20247E24EDE93311D9F170E92F1371E270

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {WMSvc-WIN-PM1THNWS0HM}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=WMSvc-WIN-PM1THNWS0HM
NotAfter           : 8/22/2020 1:25:42 PM
NotBefore          : 8/25/2010 1:25:42 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 7D78A20EE4813E8F42893E4DEB37031E
Services           : None
Status             : Valid
Subject            : CN=WMSvc-WIN-PM1THNWS0HM
Thumbprint         : 06F7C39D1C3A821365CC1113E51456FE9E2BAD2A

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {SBS.contoso.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=SBS-CA
NotAfter           : 8/25/2011 12:26:54 PM
NotBefore          : 8/25/2010 12:26:54 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 6116280E000000000003
Services           : SMTP
Status             : Valid
Subject            : CN=SBS.contoso.local
Thumbprint         : A9CA8D8CA2589257F40385E551AABE7048CCE8C7

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, SBS.contoso.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=SBS-CA
NotAfter           : 8/24/2012 12:15:31 PM
NotBefore          : 8/25/2010 12:15:31 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 610BBB6B000000000002
Services           : IIS, SMTP
Status             : Valid
Subject            : CN=Sites
Thumbprint         : 066CEF85DD293307CB4902BAE24E6AD25D105D90

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {SBS-CA}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=SBS-CA
NotAfter           : 8/25/2015 12:23:10 PM
NotBefore          : 8/25/2010 12:13:11 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 27696D76648E0397485BD7D6C036F955
Services           : None
Status             : Valid
Subject            : CN=SBS-CA
Thumbprint         : A4D7E6327CACB8D78D8A55CFB91D757554FA841E

---

[PS] C:\Windows\System32>Get-AutodiscoverVirtualDirectory | fl

Name                          : Autodiscover (SBS Web Applications)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication           : True
DigestAuthentication          : False
WindowsAuthentication         : True
MetabasePath                  : IIS://SBS.contoso.local/W3SVC/3/ROOT/Autodisc
                                over
Path                          : C:\Program Files\Microsoft\Exchange Server\Clie
                                ntAccess\Autodiscover
Server                        : SBS
InternalUrl                   : https://sites/Autodiscover/Autodiscover.xml
ExternalUrl                   :
AdminDisplayName              :
ExchangeVersion               : 0.1 (8.0.535.0)
DistinguishedName             : CN=Autodiscover (SBS Web Applications),CN=HTTP,
                                CN=Protocols,CN=SBS,CN=Servers,CN=Exchange
                                 Administrative Group (FYDIBOHF23SPDLT),CN=Admi
                                nistrative Groups,CN=First Organization,CN=Micr
                                osoft Exchange,CN=Services,CN=Configuration,DC=
                                contoso,DC=local
Identity                      : SBS\Autodiscover (SBS Web Applications)
Guid                          : aab3a62d-853d-4773-bf27-b6c2405fc7d3
ObjectCategory                : contoso.local/Configuration/Schema/ms-Exch-Auto-Di
                                scover-Virtual-Directory
ObjectClass                   : {top, msExchVirtualDirectory, msExchAutoDiscove
                                rVirtualDirectory}
WhenChanged                   : 8/25/2010 1:04:53 PM
WhenCreated                   : 8/25/2010 1:04:53 PM
OriginatingServer             : SBS.contoso.local
IsValid                       : True

--------

The frustrating part is that the first few machines that attempted to connect had no issues until I started adding additional connections.  Everything went downhill fast after the first 4-5 machines connected.  Later in the day on Friday, I was able to connect and test with xRCA with no errors.
0
Prepare for your VMware VCP6-DCV exam.

Josh Coen and Jason Langer have prepared the latest edition of VCP study guide. Both authors have been working in the IT field for more than a decade, and both hold VMware certifications. This 163-page guide covers all 10 of the exam blueprint sections.

 
LVL 28

Expert Comment

by:sunnyc7
ID: 33663010
if your
internal domain name = sbs.domain.local
external FQDN = mail.domain.com

run these

Get-AutodiscoverVirtualDirectory | set-AutodiscoverVirtualDirectory -InternalUrl:"https://sbs.domain.local/Autodiscover/Autodiscover.xml"

Get-AutodiscoverVirtualDirectory | set-AutodiscoverVirtualDirectory -ExternalUrl:"https://mail.domain.com/Autodiscover/Autodiscover.xml"

Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri:"https://sbs.domain.local/Autodiscover/Autodiscover.xml"
0
 

Author Comment

by:belltec
ID: 33663079
Before I run any cmdlets, I should mention that users are able to connect via OWA with no problems.  Will any of these cause them to disconnect?  I had re-run the OABVirtualDir and WebServices VirtualDir cmdlets while working on another issue last week and ended up killing OWA for a while so I'm a bit gunshy with regards to making changes during the day.

Thanks for the info thus far.
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33663108
it wont
these are for outlook connection
your internal and external URL's are not setup properly.

Get-AutodiscoverVirtualDirectory | fl
InternalUrl                   : https://sites/Autodiscover/Autodiscover.xml
ExternalUrl                   :
-----

Get-ClientAccessServer |fl

Name                           : SBS
OutlookAnywhereEnabled         : True
AutoDiscoverServiceCN          : SBS
AutoDiscoverServiceClassName   : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://sites/Autodiscover/Autodiscover.xml

0
 

Author Comment

by:belltec
ID: 33663702
No change after setting the autodiscover URLs.  I wasn't seeing any problem with Autodiscover in either the xRCA or in Outlook's ability to configure itself.  I'm thinking the issue is more with the RPC error below.  Any thoughts on that?

[PS] C:\Windows\System32>Get-OutlookAnywhere
WARNING: IIS://SBS.contoso.local/W3SVC/1/ROOT/Rpc was not found. Please make sure you have typed it correctly.
0
 
LVL 28

Accepted Solution

by:
sunnyc7 earned 2000 total points
ID: 33663737
0
 

Author Comment

by:belltec
ID: 33663978
sunnyc7...

I had come across this blog and had already made the registry change.  I do see the redirect requests but there aren't more than 30 requests in the BeginRequest state.  There are 24 in state "ExecuteRequestHandler".  I had thought there was an issue with how many rpc connections but we're only talking about 15 mailboxes.

It seems every article or blog or forum post I come across points to Outlook Anywhere configuration but I just can't seem to find the missing piece of the puzzle.
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33663994
are you saying there are around 30 requests in the BeginRequest state.

Did you restart IIS admin service after you made those changes in http to https re-direct ?
0
 

Author Comment

by:belltec
ID: 33664013
The server was restarted after a Silverlight patch was installed by our Kaseya patch management system on Saturday and there haven't been any changes to redirection since Friday.
0
 

Author Comment

by:belltec
ID: 33666826
I have a case open with Microsoft and am awaiting a call back from a support engineer.  I'll post our findings here for future reference.

Rusty
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33666927
What version of Exchange 2007 are you running.
with service pack and roll-up update.

thanks
0
 

Author Closing Comment

by:belltec
ID: 33682604
Note that the "New" fix does not necessarily override the "Old" fix in this article.  I had created the registry entry but also had to remove the HttptoHttpsRedir module from the rpc virtual directory.  Awarding full points to sunnyc7 for pointing me to the link that I had to show the MS techs after 8+ hours on the phone with them...
0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In-place Upgrading Dirsync to Azure AD Connect
Unified and professional email signatures help maintain a consistent company brand image to the outside world. This article shows how to create an email signature in Exchange Server 2010 using a transport rule and how to overcome native limitations …
In this video we show how to create a Contact in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Contact ta…
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question