Solved

SBS 2003 RPC over HTTP - Certificate Issues?

Posted on 2011-03-20
1,102 Views
Last Modified: 2012-05-11
I am trying to get an external Outlook configured. I have verified, as best I know that the RPC on the SBS 2008 server is working properly. It shows the RPC Cert in IIS (v6) and when I go to any external computer and type in https://mxrecord.FQDN.com/rpc it brings up the prompt and when I input the user's ID & password, after three attempts, gives me the proverbial HTTP 401.1 screen.

We are using a self-issued certificate. I'm not really fluent with certificates and am wondering how to get, and if I can get, the self-issued certificate to work properly to get RPC over HTTP to work properly.

All the directions I've read say to put exactly what the certificate says, i.e. NETBIOSnameofserver.domain.local, in the 'More Settings' - 'Connection' tab etc. Can it work with a self-issued certificate, or am I better off getting a 3rd party certificate from GoDaddy?

Any help would be appreciated. Thanks.

MJ
Question by:mcolonas
27 Comments
 

Author Comment

by:mcolonas
ID: 35175458
Correction - in the body above, it should be SBS 2003 server not 2008.
 

Expert Comment

by:selectcomputer
ID: 35175497
2 quick questions:

1. On the client computers, did you install the self-signed cert?  Visit OWA on the client computers - https://yourdomain.com/owa and install the self-signed cert to Trusted Root.  The method for this will vary based on what browser version and OS you are running.

2. When you configure the RPC over HTTP connection on the Outlook client, you have to use the domain\username convention, but it has to be the netbios domain name, not the full domain name.  To get that, go to a command prompt on a computer that is on the domain or the server, and issue:

set u

- the contents of the "USERDOMAIN" environment variable contain the domain name that you need to use to login for the RPC over HTTP connection.

Please let us know how that goes.

Thanks,
Ben
 

Expert Comment

by:selectcomputer
ID: 35175501
Sorry, to answer your question: yes, you can use a self-signed cert in SBS 2003.  In SBS 2008 it is more trouble than it is worth, and a commercial cert is much better, but with SBS 2003, a self-signed cert works fine.
 

Expert Comment

by:selectcomputer
ID: 35175517
One more thing - check the "only connect to proxy servers that have this principal name in their certificate" and enter msstd:yourmailserverdomainname.com and change the Proxy auth type to basic.
 
LVL 4

Accepted Solution

by:Tekyguy (earned 500 total points)
ID: 35175538
It can be a bit confusing to figure out installing the cert on your own.  But here is a great step by step for installing the self-signed cert in IE7:
installing self signed cert

you will need to do this on each workstation/laptop that will be connecting to OWA.  You can print out a guide for your users if they will be connecting to OWA from their home computers.
 

Author Comment

by:mcolonas
ID: 35175650
Selectcomputer:

To answer your 2 quick questions:

1.  When I RWW in, I have installed the self-issued Certificate as per Tekyguy's link - Thanks for that TG - good to see that I've been installing the certificates correctly. However, there is still the 'Certificate Error' in the address bar - it is still red. ???

2. The only place that I've used the domainnameinternal\userID is when setting up the account and it tries to verify the information. I use it there.

Also, "One more thing - check the "only connect to proxy servers that have this principal name in their certificate" and enter msstd:yourmailserverdomainname.com and change the Proxy auth type to basic." I did do that and have tried both, Basic and NTLM. I did set it to Basic and, when prompted, put in the domainnameinternal\userID. I would prefer NTLM, whereby I wouldn't be prompted, but, again, tried it both ways. To no avail.
MJ
 
LVL 4

Expert Comment

by:Tekyguy
ID: 35175656
What browser are you using?
 
LVL 4

Expert Comment

by:Tekyguy
ID: 35175663
Do you get the cert error just in the address bar, or still get it before the page loads and have to click 'continue to this website'?  Did the cert get installed in the "trusted root authority" location?
 

Author Comment

by:mcolonas
ID: 35175667
IE8 and no the cert error was there. I just click the 'continue to this website'. I did load the mmc for Certs and discovered that the cert has not been loaded.

Do I need to go back to the server and redo the CEIW (Connection to the Internet) procedure again? I did that Friday in an endeavor to get rid of these errors and they are still there.

What do you recommend I do from here?
MJ
 
LVL 4

Assisted Solution

by:Tekyguy
Tekyguy earned 500 total points
ID: 35175690
Re-run the CEIW wizard... and have it create a new cert.  Make sure to use the external host name for the cert, i.e. the host you would use to connect to OWA from outside the network.  Example: "mail.domainname.com".  It has to be the same base URL that you use to connect to OWA from the internet.
 
LVL 4

Expert Comment

by:Tekyguy
ID: 35175693
...you may want to remove the existing cert, using the cert mmc.  Once the new cert is set up on the server, connect to OWA, and again install the new cert into IE8 - in the trusted root.
 

Author Comment

by:mcolonas
ID: 35175718
Do you think that this can be done via RDP? I know I can't do it via RWW. Currently, I'm 2 hours away from their server. Would RDP work to rerun the CEIW?
 
LVL 4

Assisted Solution

by:Tekyguy
Tekyguy earned 500 total points
ID: 35175912
Is this on Vista?  if so, check this out first:  vista sbs 2003 patch

With IE8, you may also need to do this:  IE8 Cert install
 

Author Comment

by:mcolonas
ID: 35175940
I'm on Win7 Ultimate with Outlook 2007 which I will be using as the guinea pig... However I do have an XP Pro desktop that unfortunately doesn't have Outlook 2003 or 2007.
 

Author Comment

by:mcolonas
ID: 35176047
I ran the CEIW and had it issue a new certificate mail.contoso.com. The certificate shows in this computer that I am using (Win7-Ultimate). Again, when I click on the Certificate Error, it shows the proper name 'mail.contoso.com', but it doesn't give me an option to install the certificate with IE8.

When I click on Cert. Error I get the option to 'View' the certificate. From there I get the normal 3 tabs - General, Details & Certification Path. On the General tab, I get a greyed out 'Issuer Statement' and no option to 'Install'.

Any ideas?
 

Author Comment

by:mcolonas
ID: 35176299
Tekyguy
Thanks for the IE8 link. Progress is being made. We have eliminated the Cert Error(s) in the address bar and the cert has been accepted and shows up in the Trusted Root directory - red errors gone!

I configured the new account via Mail and set it up as per instructions. I went to the 'Connections' tab and then checked the 'Connect to MS Exchange via HTTP' box, I then clicked on the 'Exchange Proxy Settings'.

Where it says 'Use this URL to connect to my proxy server for Exchange:' I have what is exactly on my cert: mail.contoso.com (I know you are begging the question, but no I didn't use that). Additionally, the 'Connect using SSL only' is checked as well as the next box 'Only connect to proxy servers that have this principal name in their certificate:' and there I have inserted msttd:mail.contoso.com.

Slow networks is checked and Proxy authentication settings are set to Basic Authentication.

Now my error when I create a test account on my Win7 Ultimate with Outlook 2007 is 'There is a problem with the proxy server's certificate. The name on the security certificate is invalid or does not match the name of the target site mail.contoso.com.  Outlook is unable to connect to the proxy server. (Error Code 0)'.

I'm so close and yet so far...
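The name mismatch in the error above is something that can be reasoned about offline: Outlook compares the host in the proxy URL, the host in the `msstd:` principal-name string, and the names in the certificate the proxy presents. The following is an added example, not code from the thread; mail.contoso.com is the name from the post, and the other hostnames are constructed.

```python
import re

# Added example (not from the thread). Hostnames other than mail.contoso.com
# are constructed for illustration.

def parse_principal(principal):
    """Split an Outlook principal-name string such as 'msstd:mail.contoso.com'
    into (scheme, host). Raises ValueError when the string is malformed."""
    scheme, sep, host = principal.partition(":")
    if not sep or scheme.lower() != "msstd":
        raise ValueError(f"principal must look like msstd:<host>, got {principal!r}")
    if not re.fullmatch(r"[A-Za-z0-9.-]+", host):
        raise ValueError(f"bad host in principal name: {host!r}")
    return scheme.lower(), host.lower()

def name_matches(expected, cert_name):
    """Match a hostname against one certificate name (subject CN or dNSName SAN).
    A single leading wildcard label (*.contoso.com) covers exactly one label."""
    expected = expected.lower().rstrip(".")
    cert_name = cert_name.lower().rstrip(".")
    if cert_name.startswith("*."):
        e_labels, c_labels = expected.split("."), cert_name.split(".")
        return len(e_labels) == len(c_labels) and e_labels[1:] == c_labels[1:]
    return expected == cert_name

def check_proxy_settings(proxy_host, principal, cert_names, root_trusted):
    """Return the list of reasons Outlook would reject the proxy certificate
    (an empty list means the settings and the certificate line up)."""
    problems = []
    principal_host = None
    try:
        _, principal_host = parse_principal(principal)
    except ValueError as exc:
        problems.append(str(exc))
    if principal_host and principal_host != proxy_host.lower():
        problems.append(f"principal {principal_host} differs from proxy URL host {proxy_host}")
    if not any(name_matches(proxy_host, n) for n in cert_names):
        problems.append(f"certificate names {cert_names} do not cover {proxy_host}")
    if not root_trusted:
        problems.append("issuing (self-signed) certificate is not in Trusted Root")
    return problems

if __name__ == "__main__":
    # The thread's failing case: cert issued to the internal name, not mail.contoso.com.
    print(check_proxy_settings("mail.contoso.com", "msstd:mail.contoso.com",
                               ["NETBIOSname.internaldomain.local"], True))
```

A mistyped scheme in the principal-name box is reported as its own problem, separately from a certificate that was issued to the wrong name.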
 
LVL 4

Expert Comment

by:Tekyguy
ID: 35176720
Is the server set up for Basic Authentication or NTLM?  Make sure the server is set to Basic.   And un-check the box for Mutual Authentication - for Exchange Server 2003.  You still get SSL, but the mutual authentication requires a special public cert.
 

Author Comment

by:mcolonas
ID: 35176845
How do I access the authentication? Is it done via Exchange? IIS? Please advise. Thanks.
 
LVL 4

Expert Comment

by:Tekyguy
ID: 35176948
Let's see, with Outlook 2007 maybe try using FQDN\username...

I'll have to take a look at the settings for Basic authentication on SBS 2003.  I'm in SBS 2011 right now.  I'll update when I have the exact location.
 

Author Comment

by:mcolonas
ID: 35176964
Am currently following this article

http://www.petri.co.il/how-can-i-configure-rpc-over-https-on-exchange-2003-single-server-scenario.htm

and noticed that I had the ports (6001, 2, 3, etc.) set wrong. Am rebooting and will see what happens next.

When you click on the link in the RWW screen for Outlook over the Internet, they list just a few steps and make it sound so easy....
 
LVL 4

Assisted Solution

by:Tekyguy
Tekyguy earned 500 total points
ID: 35177092
Gotcha - that's a good article.  Make sure the IIS VD is set to Basic Authentication:

1. To configure the Exchange computer to use RPC over HTTP/S, you must configure the RPC virtual directory in Internet Information Services (IIS).

2. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
Expand servername (local computer), expand Web Sites, expand Default Web Site, right-click Rpc, and then click Properties - Make sure only Basic Authentication is checked.

Basic does send pwd in clear text, but the clear text will be inside the encrypted SSL tunnel.

 
LVL 4

Expert Comment

by:Tekyguy
ID: 35177109
Here is a list of all the ports you may need open for SBS 2003:

SBS firewall ports
- SMTP - port 25 – email
- http - port 80 – web server including wwwroot and server usage and performance reports.
- https – port 443 – secure web server.  Includes OWA and OMA
- Windows SharePoint Services intranet site – port 444 for allowing users to securely access the intranet Web site created by SharePoint Services from the Internet
- PPTP - port 1723 – VPN connections
- Remote Web Workplace (RWW)  - ports 443 and 4125
- Remote Desktop (RDP direct) – port 3389.  If using RDP through RWW this is not required.

Other SBS ports
- POP3 – port 110
- IMAP – port 143
- IMAPs – port 993
- FTP – port 21
 

Author Comment

by:mcolonas
ID: 35177154
Thanks for the list of ports - those I've got. Configuring RPC over HTTP/s requires a configuration of the 6001, 6002, 6003 ports for the exchange. All those aforementioned ports, have been configured like that since day one - thanks though.

I also did what you mentioned about the Basic Authentication via another article. But, just to be sure. In your 0552 comment you mentioned drilling down to IIS RPC Properties, but, I assume it needed to go further, i.e. click on Directory Security, then click Authentication and access control and then ensure that only 'Basic Authentication (password is sent in clear text)' is checked. - Am I correct in this assumption?

I've been here, there and everywhere today trying to get this resolved to the point where I need to clarify - thanks for the input.

MJ
 

Author Comment

by:mcolonas
ID: 35177185
After all this, now I can't even create an account in Outlook. I go to Control Panel, Mail, create new account, fill in the info and it gets locked in a loop that Outlook cannot log on. Verify I'm connected to the network and using the proper server and mailbox name. Outlook must be online or connected to complete this action.

All the instructions I've read said to create the account via the Control Panel / Mail. I'm locked in a crazy loop. It won't let me out. BTW 'Use Cached Exchange Mode' is unchecked.
 

Author Closing Comment

by:mcolonas
ID: 35206602
In addition to having to do what was mentioned in these answers, there were also configurations required in IIS & Exchange. The linked Petri article was the most thorough as well as the instructions in SBS 2003 Outlook Anywhere.
 
LVL 4

Expert Comment

by:Tekyguy
ID: 35211487
What specific changes to Exchange/IIS did you have to make to get it working correctly?  And was this outside of the SBS 'wizards'?
 

Author Comment

by:mcolonas
ID: 35214658
First, the certificate was issued wrong - it was NETBIOSname.internaldomain.local instead of mail.contoso.com.

Second, in IIS under the security tab, Edit under Authentication and access control, ensured that the 'Anonymous access' check box was enabled as well as selecting Basic Authentication. Also, in IIS, under the Default Web site under the Directory Security tab under secure communications, Require secure channel was selected. Now most of these had already been set. There was one that wasn't.

Third, the RPC proxy server (Exchange Server) was configured to use specific ports - for this I used the RPCNoFrontEnd applet: http://www.petri.co.il/software/rpcnofrontend.zip
and later verified it via the registry. It configured the 6001 port - Store, 6002 - DSReferral & 6004 for DSProxy.

After that, I then followed the instructions in the SBS 2003 RWW regarding Outlook Anywhere. When it comes time to put the 'Exchange Server' all my instincts said how is it going to resolve NETBIOSname.internaldomain.local? But, alas and alack, it did.

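The port configuration described in the comment above, as an added check that is not part of the thread: the RPC proxy only forwards to host:port pairs listed in the ValidPorts value under its RpcProxy registry key (a ';'-separated list of host:port or host:low-high entries, per Microsoft's RPC-over-HTTP documentation), and an entry missing for one of the names the client uses for the mailbox server (NetBIOS name or FQDN) fails only at connection time. The sample string and server names below are constructed; the script parses the string offline rather than reading the registry.

```python
# Added example, not from the thread. SAMPLE_VALID_PORTS is a constructed
# ValidPorts-style value; the server names in it are made up.

# Back-end ports named in the thread for Exchange 2003 RPC over HTTP.
REQUIRED_PORTS = {6001: "Store", 6002: "DSReferral", 6004: "DSProxy"}

def parse_valid_ports(value):
    """Parse 'host:port;host:low-high;...' into {host: set(ports)}.
    Raises ValueError on a malformed entry instead of silently skipping it."""
    allowed = {}
    for entry in (e.strip() for e in value.split(";")):
        if not entry:
            continue
        host, sep, ports = entry.rpartition(":")
        if not sep or not host:
            raise ValueError(f"malformed entry: {entry!r}")
        low, _, high = ports.partition("-")
        lo = int(low)
        hi = int(high) if high else lo
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range in entry: {entry!r}")
        allowed.setdefault(host.lower(), set()).update(range(lo, hi + 1))
    return allowed

def missing_ports(value, server_names):
    """Return {server_name: [missing required ports]} for every name the
    client may use for the mailbox server (NetBIOS name and FQDN)."""
    allowed = parse_valid_ports(value)
    gaps = {}
    for name in server_names:
        have = allowed.get(name.lower(), set())
        missing = sorted(p for p in REQUIRED_PORTS if p not in have)
        if missing:
            gaps[name.lower()] = missing
    return gaps

# Constructed sample: the FQDN entry for DSProxy (6004) was left out.
SAMPLE_VALID_PORTS = ("sbsserver:6001-6002;"
                      "sbsserver.internaldomain.local:6001-6002;"
                      "sbsserver:6004")

if __name__ == "__main__":
    names = ["sbsserver", "sbsserver.internaldomain.local"]
    for name, ports in missing_ports(SAMPLE_VALID_PORTS, names).items():
        print(name, "is missing", [f"{p} ({REQUIRED_PORTS[p]})" for p in ports])
```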
