rpc ssl setting changing on its own

This is a new server that was migrated from SBS 2003.
SBS 2008, IIS 6 SP2
RPC over HTTP "Outlook Anywhere"

For the clients to connect, the SSL setting in rpc under web applications in IIS services manager needs to be set to "Ignore" the client certificate. It randomly (every 15-60 min) changes to accept.
We have a purchased certificate, everything works great with regards to that. OWA, rpc over http (when the settings are at ignore)

I'm under a lot of pressure here, all the users are remote!

Thanks in advance
Dave
nexicomnetsol Asked:

Glen Knight Commented:
You don't make changes in IIS with Exchange 2007, the configuration should be done using the Exchange Management Console.

What is it you are trying to change and why?
0
nexicomnetsol Author Commented:
Thanks demazter

I need to change the SSL setting in rpc to "ignore client certificates"

I found that I needed this setting changed through either a best practices wizard or another wizard (I'm very tired), and then tested with the website testexchangeconnectivity.
Once I made the change in IIS 6 everyone connected.

So where in the Exchange management should I be looking into this issue?
0
Glen Knight Commented:
Why are you trying to change this setting?

Do you have a valid SSL certificate?
0

nexicomnetsol Author Commented:
Yes, we are using a Comodo certificate,
but for some reason it's the only way to get Outlook to connect.

The testexchangeconnectivity site passed the certificate portion of the test, that's what led me to the "ignore client certificates" setting.

OWA works fine using the cert.
Remote Web Workplace works fine with the cert.

I read an article and it suggested running the Fix My Network wizard, and the certificate passed there.

Any suggestions or things to try?
0
Glen Knight Commented:
How did you request the certificate? Did you use the SBS Console wizard?
0
nexicomnetsol Author Commented:
We had it on the old server, the subdomain hasn't changed and the cert is compatible with IIS 6.

We ran the web server certificate wizard from the SBS console and imported it there.
Current status is trusted.
0
Glen Knight Commented:
I would suggest you re-key it. The requirements for Exchange 2007 are different to that of Exchange 2003.
0
Cliff Galiher Commented:
I suspect your iisauthenticationmethod setting has gotten corrupted. This is easy to fix, but to be safe, can you post the results from the following EMS command?

Get-outlookanywhere | fl
0
nexicomnetsol Author Commented:
OK, here it is


[PS] C:\Windows\system32>Get-outlookanywhere | fl
WARNING: IIS://GPSERVER1.gileadpower.local/W3SVC/1/ROOT/Rpc was not found.
Please make sure you have typed it correctly.


ServerName                 : GPSERVER1
SSLOffloading              : False
ExternalHostname           : remote.gileadpower.com
ClientAuthenticationMethod : Basic
IISAuthenticationMethods   : {Basic}
MetabasePath               : IIS://GPSERVER1.gileadpower.local/W3SVC/1/ROOT/Rpc
Path                       :
Server                     : GPSERVER1
AdminDisplayName           :
ExchangeVersion            : 0.1 (8.0.535.0)
Name                       : Rpc (Default Web Site)
DistinguishedName          : CN=Rpc (Default Web Site),CN=HTTP,CN=Protocols,CN=
                             GPSERVER1,CN=Servers,CN=Exchange Administrative Gr
                             oup (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=
                             First Organization,CN=Microsoft Exchange,CN=Servic
                             es,CN=Configuration,DC=gileadpower,DC=local
Identity                   : GPSERVER1\Rpc (Default Web Site)
Guid                       : 6f3ccd06-c8ae-4bbe-b5a7-a0bc57de50c4
ObjectCategory             : gileadpower.local/Configuration/Schema/ms-Exch-Rpc
                             -Http-Virtual-Directory
ObjectClass                : {top, msExchVirtualDirectory, msExchRpcHttpVirtual
                             Directory}
WhenChanged                : 02/04/2011 3:45:33 PM
WhenCreated                : 02/04/2011 3:45:33 PM
OriginatingServer          : GPSERVER1.gileadpower.local
IsValid                    : True



[PS] C:\Windows\system32>
0
Cliff Galiher Commented:
Good, everything looks right there. You only have one and both items are set to Basic, so let's rewrite that data to ensure we overwrite any corruption. The following two commands should do just that.

get-outlookanywhere | set-outlookanywhere -DefaultAuthenticationMethod NTLM
get-outlookanywhere | set-outlookanywhere -DefaultAuthenticationMethod Basic

0
Cliff Galiher Commented:
On second thought, you said this was SBS 2008? The rpc directory is being reported as being in the "Default Web site" which is incorrect. It should be in the "SBS Web Apps" instead. It probably *is* there, but Exchange is misconfigured and Get-Outlookanywhere is showing that. It won't hurt to run the commands above, but I'm half-expecting them to fail. Let's verify that before I go too much further...

-Cliff
0
nexicomnetsol Author Commented:
OK, so here are the results.

And yes, it's SBS 2008 and the rpc is located in SBS Web Apps.

       


[PS] C:\Windows\system32>get-outlookanywhere | set-outlookanywhere -DefaultAuthe
nticationMethod NTLM
WARNING: IIS://GPSERVER1.gileadpower.local/W3SVC/1/ROOT/Rpc was not found.
Please make sure you have typed it correctly.

[PS] C:\Windows\system32>get-outlookanywhere | set-outlookanywhere -DefaultAuthe
nticationMethod Basic
WARNING: IIS://GPSERVER1.gileadpower.local/W3SVC/1/ROOT/Rpc was not found.
Please make sure you have typed it correctly.
[PS] C:\Windows\system32>

0
Cliff Galiher Commented:
Yeah, that warning about the default tells me that something (usually a 3rd-party app that expects components to be in the default web site) has gone and clobbered most of our settings.

Start with this (WITH A BACKUP!!!) and let's get your Exchange components working as expected.

http://microsofttoolbox.com/2009/12/how-to-recreate-exchange-virtual-directories/

0
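A read-only check for the mismatch discussed above, as an added example that is not part of the original thread or of any Microsoft tool: it tests whether the path Exchange has recorded for Outlook Anywhere exists in IIS, then lists every web site that actually holds an Rpc virtual directory together with its current client certificate mode. It assumes it is run in the Exchange Management Shell on the server and that the IIS 6 metabase compatibility (ADSI "IIS://") provider is installed; the helper name Get-ClientCertMode is made up for this sketch.

```powershell
# Added example, read-only. Run in the Exchange Management Shell on the server.
# Assumption: the IIS 6 metabase compatibility (ADSI "IIS://") provider is installed.

# AccessSSLFlags bits as defined for the IIS metabase
$NegotiateCert = 0x20   # shown in IIS Manager as "Accept client certificates"
$RequireCert   = 0x40   # shown in IIS Manager as "Require client certificates"

# Hypothetical helper: translate the flag value into the wording IIS Manager uses
function Get-ClientCertMode([int]$Flags) {
    if ($Flags -band $RequireCert)   { return 'Require' }
    if ($Flags -band $NegotiateCert) { return 'Accept' }
    return 'Ignore'
}

# 1. Does the path Exchange has recorded for Outlook Anywhere exist in IIS?
foreach ($oa in Get-OutlookAnywhere) {
    $state = 'MISSING'
    if ([System.DirectoryServices.DirectoryEntry]::Exists($oa.MetabasePath)) {
        $state = 'present'
    }
    "Exchange records: {0} [{1}]" -f $oa.MetabasePath, $state
}

# 2. Which web sites really contain an Rpc virtual directory, and what is
#    its client certificate mode right now?
$w3svc = [ADSI]'IIS://localhost/W3SVC'
foreach ($site in $w3svc.psbase.Children) {
    if ($site.psbase.SchemaClassName -ne 'IIsWebServer') { continue }

    $rpcPath = 'IIS://localhost/W3SVC/{0}/ROOT/Rpc' -f $site.psbase.Name
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($rpcPath)) { continue }

    $rpc   = [ADSI]$rpcPath
    $flags = [int]$rpc.psbase.Properties['AccessSSLFlags'].Value
    $name  = $site.psbase.Properties['ServerComment'].Value

    "{0}  site='{1}'  AccessSSLFlags=0x{2:X}  client certs={3}  checked={4}" -f `
        $rpcPath, $name, $flags, (Get-ClientCertMode $flags), (Get-Date)
}
```

Run on a schedule with the output kept, this gives a timestamp for each flip from Ignore to Accept, which can be lined up against whatever else touched IIS at that moment.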
nexicomnetsol Author Commented:
So before I continue, a couple of questions.

Can I narrow this down or do I have to perform the whole list? Remove all, then recreate all?

If I perform the task, will I have to reconfigure other features that are working, i.e. web Outlook and RWW?

I will most likely have to wait and do this tomorrow night after employees have gone home, pretty risky doing it remotely or during business hours.

I really appreciate this
stay tuned
0
Cliff Galiher Commented:
As long as you used the wizards to configure OWA and RWW, then this process (as documented, you rerun the IAMW) will put things back in a standard working state. If you did any changes OUTSIDE of the wizards then you will have to repeat those changes.

As far as narrowing down the list, being something has stomped on IIS, I would recommend against it. Chances are it touched all of the Exchange directories and dependencies, so each will have to be set up to ensure consistency.

This is the less drastic process, which is why I'm starting with it. It is possible that the metadata related to the RPC proxy service (a windows service, not an exchange service) has itself been tampered with, in which case, a more invasive repair will be required, so I haven't posted that yet.

So yes, the process above has the potential to break things, but a good backup and a careful progress should minimize or eliminate the risk.

-Cliff
0

nexicomnetsol Author Commented:
Sorry for the delay in my reply. cgaliher, it seems you were partially correct. The client insisted we call Microsoft, so after 30 hours of online support they discovered that the autodiscover connector was corrupted at some deep level.
0
nexicomnetsol Author Commented:
I want to thank everyone that responded! It's members like you that help those of us that are learning!
0