Solved

Exchange 2013 RPC Can't Be Pinged

Posted on 2014-01-23
Last Modified: 2014-02-07
So, I have an Exchange 2013 server on which I'm having a really difficult time setting up RPC over HTTP.

testconnectivity.microsoft.com tells me the following:


Attempting to ping RPC proxy ex1.domain.com.
 	RPC Proxy can't be pinged.
 	
	Additional Details
 	
A Web exception occurred because an HTTP 404 - NotFound response was received from Unknown.
Headers received:
request-id: 4065cd00-7187-4982-93a8-38d005724f98
X-CasErrorCode: EndpointNotFound
X-FEServer: EX1
Content-Length: 0
Cache-Control: private
Date: Thu, 23 Jan 2014 16:48:31 GMT
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Elapsed Time: 86 ms.




Here is a dump of get-outlookanywhere

RunspaceId                         : 32e9a446-1d08-4313-a568-ce6c028b6059
ServerName                         : EX1
SSLOffloading                      : True
ExternalHostname                   : ex1.domain.com
InternalHostname                   : ex1.domain.com
ExternalClientAuthenticationMethod : Negotiate
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods           : {Basic, Ntlm, Negotiate}
XropUrl                            :
ExternalClientsRequireSsl          : True
InternalClientsRequireSsl          : True
MetabasePath                       : IIS://ex1.domain.int/W3SVC/1/ROOT/Rpc
Path                               : C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\rpc
ExtendedProtectionTokenChecking    : None
ExtendedProtectionFlags            : {}
ExtendedProtectionSPNList          : {}
AdminDisplayVersion                : Version 15.0 (Build 516.32)
Server                             : EX1
AdminDisplayName                   :
ExchangeVersion                    : 0.20 (15.0.0.0)
Name                               : Rpc (Default Web Site)
DistinguishedName                  : CN=Rpc (Default Web Site),CN=HTTP,CN=Protocols,CN=EX1,CN=Servers,CN=Exchange
                                     Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=domain,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=int
Identity                           : EX1\Rpc (Default Web Site)
Guid                               : 250a8b59-b607-40d9-a48b-258a2fb0a757
ObjectCategory                     : domain.int/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
ObjectClass                        : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
WhenChanged                        : 1/23/2014 9:59:05 AM
WhenCreated                        : 12/10/2013 7:09:19 PM
WhenChangedUTC                     : 1/23/2014 3:59:05 PM
WhenCreatedUTC                     : 12/11/2013 1:09:19 AM
OrganizationId                     :
OriginatingServer                  : dc1.domain.int
IsValid                            : True
ObjectState                        : Changed



get-outlookprovider dumps the following (I have a wildcard cert).

Name                          Server                        CertPrincipalName             TTL
----                          ------                        -----------------             ---
EXCH                                                        msstd:*.domain.com            1
EXPR                                                        msstd:*.domain.com            1
WEB                                                                                       1



That's about it.  I can't get RPC to do what I want, when I want it to so I'm stuck until this is fixed.
Question by:deltaend
 

Author Comment

by:deltaend
ID: 39803743
I should also note that I have a DNS system internally that routes things locally as if they were externally, so ex1.domain.com should work no matter where the location is.  Ex1.domain.com has been set up in both external and internal DNS records, as well as punching holes in the hardware firewall.  Right now, the internal firewall is completely off and I have the server sitting in a DMZ because I've had so many issues with it.
 
LVL 13

Expert Comment

by:Andy M
ID: 39803806
From a basic starting point, if you do an nslookup on both an internal and external computer, does the Exchange server resolve to the correct IP addresses?

Are the relevant ports (25 & 443) forwarded to the server correctly on the firewall?

Does webmail/OWA work both internally and externally?
 

Author Comment

by:deltaend
ID: 39803840
Yes to all questions.
 

Author Comment

by:deltaend
ID: 39803869
Here is a dump from the test site:

	Test Steps
 	
	Attempting to resolve the host name ex1.domain.com in DNS.
 	The host name resolved successfully.
 	
	Additional Details
	Testing TCP port 443 on host ex1.domain.com to ensure it's listening and open.
 	The port was opened successfully.
 	
	Additional Details
	Testing the SSL certificate to make sure it's valid.
 	The certificate passed all validation requirements.
 	
	Additional Details
 	
	Test Steps
	Checking the IIS configuration for client certificate authentication.
 	Client certificate authentication wasn't detected.
 	
	Additional Details
	Testing HTTP Authentication Methods for URL https://ex1.domain.com/rpc/rpcproxy.dll?ex1.domain.com:6002.
 	The HTTP authentication methods are correct.
 	
	Additional Details
	Attempting to ping RPC proxy ex1.domain.com.
 	RPC Proxy can't be pinged.
 	
	Additional Details
 	
A Web exception occurred because an HTTP 404 - NotFound response was received from Unknown.
Headers received:
request-id: 4065cd00-7187-4982-93a8-38d005724f98
X-CasErrorCode: EndpointNotFound
X-FEServer: EX1
Content-Length: 0
Cache-Control: private
Date: Thu, 23 Jan 2014 16:48:31 GMT
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Elapsed Time: 86 ms.

 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39803885
Did you use Exchange or IIS to set up the SSL certificate?
This looks like you have bound the SSL certificate to the WRONG web site. There are two in an Exchange 2013 deployment.

Simon.
 

Author Comment

by:deltaend
ID: 39803899
I added the SSL cert through IIS.  I know that there are certs in ECP (EAC) but I wasn't aware that they had to be added there if they were already added through IIS.  If I add the same cert through ECP, you think that this will solve my issues?
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39803987
The problem was doing anything in IIS manager for the SSL certificates.
You should have done it through Exchange. The result is the same, but Exchange ensures they go into the correct places.

Therefore I would go into EMC, look at the certificates and ensure that your trusted SSL certificate is bound to the IIS service.

Which web site did you put the trusted SSL certificate on?

Simon.
 

Author Comment

by:deltaend
ID: 39803996
Default and Exchange Back End, I used the same *.domain.com wildcard SSL for both.

If the end result is the same, how do you know immediately that I didn't add it in the correct places?
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39804025
What I meant by the end result being the same is that it is installed into IIS manager so it is available to the web service. However, by doing so through Exchange you ensure it is bound to the correct Exchange services.

Simon.
 

Author Comment

by:deltaend
ID: 39804032
Well, don't go anywhere... give me a minute and I'll install it and see if the problem goes away.
 

Author Comment

by:deltaend
ID: 39804258
Nope, no joy.
 

Accepted Solution

by:deltaend
ID: 39804717
Got it sorted out.  

For the record, I'm not entirely sure what my problem was.  My biggest issues were with the external client authentication being on negotiate instead of basic.  I'm unsure if the install of the certificate into Exchange helped with my issue, but it DID help with the setting of the SMTP/POP/IMAP SSL cert which would not have been set correctly without this (partial credit).  In addition, I needed a healthy SRV record "_autodiscover._tcp 0 0 443 ex1.domain.com", and mostly I needed to wait for Microsoft's testconnectivity.microsoft.com site to expire their cache as updates to my Exchange environment didn't reflect immediately there which was frustrating.
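The three items named in the accepted solution (the external client authentication method, the certificate Exchange has assigned to IIS, and the autodiscover SRV record) can be checked read-only from the Exchange Management Shell. This is an added example, not part of the original thread; the host and zone names are the placeholders used in the posts, and the commented-out change commands at the end use a placeholder thumbprint.

```powershell
# Added example: read-only checks, run in the Exchange Management Shell on the server.
# Host and zone are the placeholder names used in this thread.
$hostName = 'ex1.domain.com'
$dnsZone  = 'domain.com'

# 1. Outlook Anywhere: the poster's main fix was external auth Basic instead of Negotiate.
$oa = @(Get-OutlookAnywhere -Server $env:COMPUTERNAME)
$oa | Format-List Identity, ExternalHostname, ExternalClientAuthenticationMethod,
                  IISAuthenticationMethods, ExternalClientsRequireSsl, SSLOffloading
foreach ($vdir in $oa) {
    if ("$($vdir.ExternalClientAuthenticationMethod)" -ne 'Basic') {
        Write-Warning "$($vdir.Identity): external auth is $($vdir.ExternalClientAuthenticationMethod), not Basic"
    }
    if ("$($vdir.ExternalHostname)" -ne $hostName) {
        Write-Warning "$($vdir.Identity): ExternalHostname is '$($vdir.ExternalHostname)', expected $hostName"
    }
}

# 2. Certificate: which certificate has Exchange assigned to IIS, and does it cover the host?
$iisCerts = @(Get-ExchangeCertificate -Server $env:COMPUTERNAME |
              Where-Object { "$($_.Services)" -match 'IIS' })
if ($iisCerts.Count -eq 0) { Write-Warning 'No certificate is assigned to the IIS service in Exchange' }
foreach ($cert in $iisCerts) {
    # A wildcard entry such as *.domain.com works as a -like pattern against the host name.
    $covers = @($cert.CertificateDomains | Where-Object { $hostName -like "$_" }).Count -gt 0
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Services   = "$($cert.Services)"
        NotAfter   = $cert.NotAfter
        CoversHost = $covers
    }
}

# 3. DNS: the autodiscover SRV record the poster added (priority 0, weight 0, port 443).
$srv = @(Resolve-DnsName -Name "_autodiscover._tcp.$dnsZone" -Type SRV -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'SRV' })
if ($srv.Count -eq 0) { Write-Warning "No SRV record found for _autodiscover._tcp.$dnsZone" }
$srv | Select-Object Name, Priority, Weight, Port, NameTarget,
       @{ Name = 'MatchesThread'; Expression = { $_.Port -eq 443 -and $_.NameTarget -eq $hostName } }

# Changes, only after reviewing the output above (thumbprint is a placeholder):
# Set-OutlookAnywhere -Identity 'EX1\Rpc (Default Web Site)' -ExternalClientAuthenticationMethod Basic
# Enable-ExchangeCertificate -Thumbprint '<THUMBPRINT>' -Services IIS
```

Resolve-DnsName asks whichever resolver the server is configured to use, so with split DNS as described in this thread, repeat step 3 with `-Server` pointed at an external resolver. With Basic authentication the credentials are protected only by TLS, so ExternalClientsRequireSsl should stay True.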
 

Author Comment

by:deltaend
ID: 39814561
I found the final solution myself.
 

Author Comment

by:deltaend
ID: 39829118
I understand. Thank you.