Solved

Outlook Anywhere (RPC-over-HTTPS) in SBS2008 - Timeout

Posted on 2010-09-13
Last Modified: 2012-05-10
I'm having an intermittent problem with Outlook Anywhere running on Exchange 2007 with SBS 2008 where clients will lose connection and time out when trying to reconnect. Outlook connection status shows "Connecting" on any or all of the connection types (mail, directory, etc.). xRCA shows a timeout during the authentication phase. Browsing to the rpc/rpcproxy.dll just sits there trying to connect. The problem doesn't seem to happen on the SBS browsing to either the name or localhost but does occur on machines on the same LAN as the SBS. I get the "...problem with the website's security certificate" page since I only have the external names in the SSL, but when I click to continue, it hangs. External connections don't complain about the SSL since the names are there, but the connection still times out.
Question by:belltec
LVL 28

Expert Comment

by:sunnyc7
get-clientaccessserver | fl
get-exchangecertificate | fl
get-autodiscovervirtualdirectory | fl
get-outlookanywhere | fl

Please post the output of all 4.

thanks
0
 
LVL 11

Expert Comment

by:djxtreme
Have you got a proper SAN certificate with external/internal names?

Run an Exchange BPA and make sure it's not complaining about certificates - Outlook Anywhere issues usually are certificate-related in my experience :)
0
 

Author Comment

by:belltec
djxtreme... My SAN has the external names only as the SBS is being used as a "hosted" Exchange server. I have a local terminal server on that LAN for mailbox imports (I hate you Gmail). BPA doesn't like that the local machine name isn't in the SSL but I've had problems getting certificates authorized when including the NetBIOS name.


sunnyc7...  On Friday, the error in the get-outlookanywhere was NOT present, but here's the info you requested.  I'm putting that one first in case we don't need to read further.

-------

[PS] C:\Windows\System32>Get-OutlookAnywhere | fl
WARNING: IIS://SBS.contoso.local/W3SVC/1/ROOT/Rpc was not found. Please make
sure you have typed it correctly.


ServerName                 : SBS
SSLOffloading              : False
ExternalHostname           : mail.contoso.com
ClientAuthenticationMethod : Basic
IISAuthenticationMethods   : {Basic}
MetabasePath               : IIS://SBS.contoso.local/W3SVC/1/ROOT/Rpc
Path                       :
Server                     : SBS
AdminDisplayName           :
ExchangeVersion            : 0.1 (8.0.535.0)
Name                       : Rpc (SBS Web Applications)
DistinguishedName          : CN=Rpc (SBS Web Applications),CN=HTTP,CN=Protocols
                             ,CN=SBS,CN=Servers,CN=Exchange Administrative
                              Group (FYDIBOHF23SPDLT),CN=Administrative Groups,
                             CN=First Organization,CN=Microsoft Exchange,CN=Ser
                             vices,CN=Configuration,DC=contoso,DC=local
Identity                   : SBS\Rpc (SBS Web Applications)
Guid                       : c826073a-5c35-4401-bb96-dec518230116
ObjectCategory             : contoso.local/Configuration/Schema/ms-Exch-Rpc-Http-V
                             irtual-Directory
ObjectClass                : {top, msExchVirtualDirectory, msExchRpcHttpVirtual
                             Directory}
WhenChanged                : 9/10/2010 9:15:52 AM
WhenCreated                : 8/31/2010 3:08:32 PM
OriginatingServer          : SBS.contoso.local
IsValid                    : True

---

[PS] C:\Windows\System32>Get-ClientAccessServer |fl

Name                           : SBS
OutlookAnywhereEnabled         : True
AutoDiscoverServiceCN          : SBS
AutoDiscoverServiceClassName   : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://sites/Autodiscover/Autodiscover.xml
AutoDiscoverServiceGuid        : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope          : {Default-First-Site-Name}
IsValid                        : True
OriginatingServer              : SBS.contoso.local
ExchangeVersion                : 0.1 (8.0.535.0)
DistinguishedName              : CN=SBS,CN=Servers,CN=Exchange Administrat
                                 ive Group (FYDIBOHF23SPDLT),CN=Administrative
                                 Groups,CN=First Organization,CN=Microsoft Exch
                                 ange,CN=Services,CN=Configuration,DC=contoso,DC=l
                                 ocal
Identity                       : SBS
Guid                           : 85360216-38eb-41a0-a24a-1da653d3e374
ObjectCategory                 : contoso.local/Configuration/Schema/ms-Exch-Exchan
                                 ge-Server
ObjectClass                    : {top, server, msExchExchangeServer}
WhenChanged                    : 9/8/2010 1:09:41 PM
WhenCreated                    : 8/25/2010 12:46:01 PM

---

[PS] C:\Windows\System32>Get-ExchangeCertificate | fl

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.contoso.com, www.mail.contoso.com, autodiscover.ma
                     ps-adr.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Au
                     thority, OU=http://certificates.godaddy.com/repository, O=
                     "GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter           : 8/31/2011 2:11:55 PM
NotBefore          : 8/31/2010 2:11:55 PM
PublicKeySize      : 2048
RootCAType         : ThirdParty
SerialNumber       : 2B6689D2F383DA
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=mail.contoso.com, OU=Domain Control Validated, O=mail.
                     contoso.com
Thumbprint         : 3305622CC9C61171778AB2DD299D5D333AA6BC83

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.contoso.com, SBS, SBS.contoso.local, autodis
                     cover.contoso.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : DC=com, DC=contoso-adr, O=Mediation Arbitration Professional
                     Services, CN=mail.contoso.com
NotAfter           : 8/31/2011 12:28:51 PM
NotBefore          : 8/31/2010 12:08:51 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 3240CF37203289BD43CD0D1B904B9004
Services           : None
Status             : Valid
Subject            : DC=com, DC=contoso-adr, O=Mediation Arbitration Professional
                     Services, CN=mail.contoso.com
Thumbprint         : 0913EF20247E24EDE93311D9F170E92F1371E270

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {WMSvc-WIN-PM1THNWS0HM}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=WMSvc-WIN-PM1THNWS0HM
NotAfter           : 8/22/2020 1:25:42 PM
NotBefore          : 8/25/2010 1:25:42 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 7D78A20EE4813E8F42893E4DEB37031E
Services           : None
Status             : Valid
Subject            : CN=WMSvc-WIN-PM1THNWS0HM
Thumbprint         : 06F7C39D1C3A821365CC1113E51456FE9E2BAD2A

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {SBS.contoso.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=SBS-CA
NotAfter           : 8/25/2011 12:26:54 PM
NotBefore          : 8/25/2010 12:26:54 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 6116280E000000000003
Services           : SMTP
Status             : Valid
Subject            : CN=SBS.contoso.local
Thumbprint         : A9CA8D8CA2589257F40385E551AABE7048CCE8C7

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, SBS.contoso.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=SBS-CA
NotAfter           : 8/24/2012 12:15:31 PM
NotBefore          : 8/25/2010 12:15:31 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 610BBB6B000000000002
Services           : IIS, SMTP
Status             : Valid
Subject            : CN=Sites
Thumbprint         : 066CEF85DD293307CB4902BAE24E6AD25D105D90

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {SBS-CA}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=SBS-CA
NotAfter           : 8/25/2015 12:23:10 PM
NotBefore          : 8/25/2010 12:13:11 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 27696D76648E0397485BD7D6C036F955
Services           : None
Status             : Valid
Subject            : CN=SBS-CA
Thumbprint         : A4D7E6327CACB8D78D8A55CFB91D757554FA841E

---

[PS] C:\Windows\System32>Get-AutodiscoverVirtualDirectory | fl

Name                          : Autodiscover (SBS Web Applications)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication           : True
DigestAuthentication          : False
WindowsAuthentication         : True
MetabasePath                  : IIS://SBS.contoso.local/W3SVC/3/ROOT/Autodisc
                                over
Path                          : C:\Program Files\Microsoft\Exchange Server\Clie
                                ntAccess\Autodiscover
Server                        : SBS
InternalUrl                   : https://sites/Autodiscover/Autodiscover.xml
ExternalUrl                   :
AdminDisplayName              :
ExchangeVersion               : 0.1 (8.0.535.0)
DistinguishedName             : CN=Autodiscover (SBS Web Applications),CN=HTTP,
                                CN=Protocols,CN=SBS,CN=Servers,CN=Exchange
                                 Administrative Group (FYDIBOHF23SPDLT),CN=Admi
                                nistrative Groups,CN=First Organization,CN=Micr
                                osoft Exchange,CN=Services,CN=Configuration,DC=
                                contoso,DC=local
Identity                      : SBS\Autodiscover (SBS Web Applications)
Guid                          : aab3a62d-853d-4773-bf27-b6c2405fc7d3
ObjectCategory                : contoso.local/Configuration/Schema/ms-Exch-Auto-Di
                                scover-Virtual-Directory
ObjectClass                   : {top, msExchVirtualDirectory, msExchAutoDiscove
                                rVirtualDirectory}
WhenChanged                   : 8/25/2010 1:04:53 PM
WhenCreated                   : 8/25/2010 1:04:53 PM
OriginatingServer             : SBS.contoso.local
IsValid                       : True

--------

The frustrating part is that the first few machines that attempted to connect had no issues until I started adding additional connections.  Everything went downhill fast after the first 4-5 machines connected.  Later in the day on Friday, I was able to connect and test with xRCA with no errors.
0
 
LVL 28

Expert Comment

by:sunnyc7
If your
internal domain name = sbs.domain.local
external FQDN = mail.domain.com

run these:

Get-AutodiscoverVirtualDirectory | set-AutodiscoverVirtualDirectory -InternalUrl:"https://sbs.domain.local/Autodiscover/Autodiscover.xml"

Get-AutodiscoverVirtualDirectory | set-AutodiscoverVirtualDirectory -ExternalUrl:"https://mail.domain.com/Autodiscover/Autodiscover.xml"

Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri:"https://sbs.domain.local/Autodiscover/Autodiscover.xml"
0
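
An added example, not part of any participant's post: to check the certificate-name question raised above against the URLs being set here, this Exchange Management Shell script lists every host name published to Outlook clients and reports whether an IIS-enabled certificate from Get-ExchangeCertificate covers it. It uses only the cmdlets and properties visible in the output posted in this thread; it assumes nothing about which certificate is bound to which IIS site, so a "covered" result still needs the site binding confirmed.

```powershell
# Added example: run in the Exchange Management Shell on the Client Access server.
# Read-only: it changes no settings.

# 1. Collect the host names that Outlook clients are told to connect to.
$names = @()
Get-ClientAccessServer | ForEach-Object {
    if ($_.AutoDiscoverServiceInternalUri) {
        $names += ([Uri]"$($_.AutoDiscoverServiceInternalUri)").Host
    }
}
Get-AutodiscoverVirtualDirectory | ForEach-Object {
    foreach ($u in @($_.InternalUrl, $_.ExternalUrl)) {
        if ($u) { $names += ([Uri]"$u").Host }   # ExternalUrl may be empty
    }
}
Get-OutlookAnywhere | ForEach-Object {
    if ($_.ExternalHostname) { $names += "$($_.ExternalHostname)" }
}
$names = @($names | Sort-Object -Unique)

# 2. Certificates that Exchange has enabled for the IIS service.
$iisCerts = @(Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match '\bIIS\b' })

# 3. For each published name, find the IIS-enabled certificates that list it.
foreach ($name in $names) {
    $hits = @()
    foreach ($cert in $iisCerts) {
        foreach ($d in $cert.CertificateDomains) {
            $domain = "$d"
            # A wildcard entry matches exactly one extra label (*.example.com).
            $wild = $domain.StartsWith('*.') -and ($name -like $domain) -and
                    ($name.Split('.').Length -eq $domain.Split('.').Length)
            if (($name -eq $domain) -or $wild) { $hits += $cert; break }
        }
    }
    if ($hits.Length -eq 0) {
        Write-Output "$name : NOT listed on any IIS-enabled certificate"
    } else {
        foreach ($c in $hits) {
            Write-Output ("{0} : listed on {1} (SelfSigned={2}, RootCAType={3})" -f `
                $name, $c.Thumbprint, $c.IsSelfSigned, $c.RootCAType)
        }
    }
}
```

A name that is listed only on a certificate with RootCAType other than ThirdParty will still produce the browser and Outlook certificate warning on machines that do not trust that issuer.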
 

Author Comment

by:belltec
Before I run any cmdlets, I should mention that users are able to connect via OWA with no problems. Will any of these cause them to disconnect? I had re-run the OABVirtualDir and WebServices VirtualDir cmdlets while working on another issue last week and ended up killing OWA for a while so I'm a bit gun-shy with regards to making changes during the day.

Thanks for the info thus far.
0
 
LVL 28

Expert Comment

by:sunnyc7
It won't.
These are for the Outlook connection.
Your internal and external URLs are not set up properly.

Get-AutodiscoverVirtualDirectory | fl
InternalUrl                   : https://sites/Autodiscover/Autodiscover.xml
ExternalUrl                   :
-----

Get-ClientAccessServer |fl

Name                           : SBS
OutlookAnywhereEnabled         : True
AutoDiscoverServiceCN          : SBS
AutoDiscoverServiceClassName   : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://sites/Autodiscover/Autodiscover.xml

0
 

Author Comment

by:belltec
No change after setting the autodiscover URLs. I wasn't seeing any problem with Autodiscover in either the xRCA or in Outlook's ability to configure itself. I'm thinking the issue is more with the RPC error below. Any thoughts on that?

[PS] C:\Windows\System32>Get-OutlookAnywhere
WARNING: IIS://SBS.contoso.local/W3SVC/1/ROOT/Rpc was not found. Please make sure you have typed it correctly.
0
 
LVL 28

Accepted Solution

by:
sunnyc7 earned 500 total points
0
 

Author Comment

by:belltec
sunnyc7...

I had come across this blog and had already made the registry change. I do see the redirect requests but there aren't more than 30 requests in the BeginRequest state. There are 24 in state "ExecuteRequestHandler". I had thought there was an issue with how many RPC connections but we're only talking about 15 mailboxes.

It seems every article or blog or forum post I come across points to Outlook Anywhere configuration but I just can't seem to find the missing piece of the puzzle.
0
 
LVL 28

Expert Comment

by:sunnyc7
Are you saying there are around 30 requests in the BeginRequest state?

Did you restart the IIS Admin service after you made those changes in the HTTP to HTTPS redirect?
0
 

Author Comment

by:belltec
The server was restarted after a Silverlight patch was installed by our Kaseya patch management system on Saturday and there haven't been any changes to redirection since Friday.
0
 

Author Comment

by:belltec
I have a case open with Microsoft and am awaiting a call back from a support engineer.  I'll post our findings here for future reference.

Rusty
0
 
LVL 28

Expert Comment

by:sunnyc7
What version of Exchange 2007 are you running,
with service pack and roll-up update?

thanks
0
 

Author Closing Comment

by:belltec
Note that the "New" fix does not necessarily override the "Old" fix in this article. I had created the registry entry but also had to remove the HttptoHttpsRedir module from the rpc virtual directory. Awarding full points to sunnyc7 for pointing me to the link that I had to show the MS techs after 8+ hours on the phone with them...
0
