RPC over HTTPs fails

  • RPC over HTTPs fails

    I can't get Outlook to connect to my Exchange 2003 SP2 (Windows 2003 SP1) single-server via RPC over HTTPS. Doesn't work on LAN or WAN. Exception 1818 occurs after about 10 minutes. Wireshark shows two authentication requests right at the beginning, and then nothing else after that.

    RPCPing -t ncacn_http -s <internalFQDN> -o RPCProxy=<externalFQDN> -P "login info" -I "login info" -H 1 -F 3 -a connect -u 10 -v 3 -e 6001

    RPCPing v2.12 Copyright (C) Microsoft Corporation, 2002
    OS Version is 5.1, Service Pack 2

    Exception 1818 (0x0000071A)
    Number of records is: 1
    ProcessID is 1700
    System Time is: 1/4/2007 17:1:0:842
    Generating component is 14
    Status is 1818
    Detection location is 1390
    Flags is 0
    NumberOfParameters is 1
    Long val: 900000

    I've checked my configuration against every setup list I could Google (including Daniel's own excellent writeup and Microsoft's 833401)

    1. RPC over HTTP is installed
    2. IIS is running just fine.
    3. RPC virtual folder is configured correctly; I get prompted for authentication endlessly when Scripts & Executables are enabled, as they should be.
    4. Certificate is from RapidSSL, and is accepted just fine.
    5. Valid ports include <internalFQDN> and <externalFQDN> on 6001-6002 and 6004, as should be
    6. RPCPing -E runs fine (Response from server received: 200)

    If I intentionally put an incorrect value for any of the server names, I get an Exception 5, as would be expected. I get the same error on an XP SP2 machine, too.

    Standard MAPI connection over LAN works fine, OWA is on - all normal Exchange stuff is working fine.

    What in the world else is there to check??

  • #2
    Re: RPC over HTTPs fails

    Silly but do these computers have a Default Gateway set up?

    Also, how did you test internally?
    Cheers,

    Daniel Petri
    Microsoft Most Valuable Professional - Active Directory Directory Services
    MCSA/E, MCTS, MCITP, MCT


    • #3
      Re: RPC over HTTPs fails

      Yes, I have a default gateway. Saw that issue as well.

      I test internally with exactly the same test string as external.

      Also, when I test with outlook /rpcdiag, and an RPC/HTTP-enabled profile, the status window shows only an unnamed Directory line "connecting" and *internalFQDN* Referral connecting as well. I get asked to login, the Referral line goes away, the Directory line gets the *internalFQDN* with "Connecting" status, another Referral line flashes up "Connecting", then I get the message that Microsoft Exchange is unavailable. I never see interface, conn, or other info. That's if my profile is set to not use Cached Mode. If it is, of course I just get a message that it can't connect to my folders and quits.

      Outlook takes only a few moments to figure out it can't work, unlike the 10-15 minutes RPCPing takes to give up with the 1818 exception.

      Hmm. Just saw another post by another user about domain membership; I'm testing from computers that aren't domain members either.

      Also, I get the same response running rpcping on the server itself.
      Last edited by La5Rocks; 5th January 2007, 03:05. Reason: Additional info


      • #4
        Re: RPC over HTTPs fails

        Problems with RPC over HTTPS are usually caused by one of a small number of factors.

        1. Not meeting the requirements. The requirements are very strict. Exchange 2003 on Windows 2003, with at least one Windows 2003 GC/DC. If your domain controllers are Windows 2000, this will not work.
        Client side - Windows XP SP2 with Outlook 2003.

        2. SSL Certificate issues. Using a home grown certificate is one problem. Having the certificate in a different name to the one being accessed can also cause a problem.
        Internally, browse to https://host.domain.com/rpc (where host.domain.com is the name on the SSL certificate). If you get an SSL certificate prompt, then this feature will not work.

        3. Authentication settings on the /rpc virtual directory. Ensure that both basic and integrated authentication are enabled. DO NOT enable anonymous authentication.

        4. Registry settings. If you are not in an FE/BE scenario then you have to set the registry by hand. A single missing semi-colon can cause the whole feature to fail. There are a number of opinions on the registry settings required. My version of the settings is here: http://www.amset.info/exchange/rpc-http-server.asp
        Remember that you also have to make the domain controller change - whether Exchange is installed on a DC or not. If Exchange is on a member server then the change needs to be made on the domain controller.


        Finally, test it internally first, on a machine that is a member of the domain. Prove that works inside your firewall in the ideal conditions before trying it outside the firewall and/or on a non-domain member.

        Simon.
        --
        Simon Butler
        Exchange MVP

        Blog: http://blog.sembee.co.uk/
        More Exchange Content: http://exchange.sembee.info/
        Exchange Resources List: http://exbpa.com/
        In the UK? Hire me: http://www.sembee.co.uk/

        Sembee is a registered trademark, used here with permission.


        • #5
          Re: RPC over HTTPs fails

          1. Single server, domain controller, Windows 2003, Exchange 2003.

          2. SSL checks out OK, no certificate prompts. I do get the unending authentication prompts. I also know this is OK, because if I use the -B flag, and enter a non-matching msstd, I get the 1722 "can't login" error. If I enter the correct SSL subject, I get the 1818 error.

          3. I've tried both just basic and basic+integrated with no success. Anonymous isn't running. What about NTFS permissions on that folder?

          4. I've gone over these registry settings a bazillion times. All semicolons are in place, and all values are there. I know this is OK because if I try to rpcping with an incorrect server name, it 1722 fails. The NTDS parameter is there as well.

          I know all the configuration is working, because if anything is wrong, I get the 1722 error. When it's all right, it simply doesn't. Guess it's time to contact Microsoft support. Bummer.


          • #6
            Re: RPC over HTTPs fails

            RPC over HTTPS either works or it doesn't. No half measures.
            You shouldn't need to touch the NTFS permissions.

            On two previous occasions I have been brought in to fix a previous attempt to resolve non-working RPC over HTTPS and in both times the same fix has worked.

            Remove the RPC Proxy component, iisreset, reinstall the RPC Proxy component. Then set everything up using my own registry settings. On average I can have RPC over HTTPS working in less than 30 minutes, including time to get the certificate.

            Simon.
            --
            Simon Butler
            Exchange MVP

            Blog: http://blog.sembee.co.uk/
            More Exchange Content: http://exchange.sembee.info/
            Exchange Resources List: http://exbpa.com/
            In the UK? Hire me: http://www.sembee.co.uk/

            Sembee is a registered trademark, used here with permission.


            • #7
              Re: RPC over HTTPs fails

              Great! Reinstalling the RPC component fixed it!

              And here's why, it has to do with the Rpc virtual folder in IIS: I need the RPC folder in a different website, and I've now found that manually creating it doesn't work, but copying via configuration file does.

              I had manually created the Rpc folder, pointing it to the proper location, setting access to Log and Index only, Execute permission to Scripts and Executables, removing anonymous and setting Basic only, and requiring 128-bit SSL. It looks just like the default folder.

              However, when I export both the manually-created folder and default folder to config files, and compare, this difference breaks the manual one:

              IIsWebVirtualDir UploadReadAheadSize="0"

              When this exists, it works fine.


              This was also different, but didn't seem to matter:

              IIsWebVirtualDir AccessFlags
              - manual folder: "AccessExecute | AccessScript"
              - default folder: "AccessExecute"

              The default folder also has a whole additional child node under the IIsWebVirtualDir, but it didn't seem to matter that it was missing:

              <Custom
              Name="win32Error"
              ID="1099"
              Value="0"
              Type="DWORD"
              UserType="IIS_MD_UT_SERVER"
              Attributes="INHERIT"
              />

              Bottom line: if you need the RPC folder in a website other than the default, copy via config file (new in IIS 6), and it'll work great and save you hours of needless frustration!

              Comment
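The comparison described in post #7, as an added example that is not part of the original thread: it flattens the IIsWebVirtualDir node of two exported configuration files and reports which properties are missing or different in the manually created folder. The two XML samples are constructed and reduced to the properties named in the post; the `configuration` wrapper, the `Location` value and all function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed samples, reduced to the element, attributes and child node named
# in the post; a real IIS 6 export carries many more properties.
DEFAULT_EXPORT = """<configuration>
  <IIsWebVirtualDir Location="/Rpc" AccessFlags="AccessExecute"
                    UploadReadAheadSize="0">
    <Custom Name="win32Error" ID="1099" Value="0" Type="DWORD"
            UserType="IIS_MD_UT_SERVER" Attributes="INHERIT"/>
  </IIsWebVirtualDir>
</configuration>"""

MANUAL_EXPORT = """<configuration>
  <IIsWebVirtualDir Location="/Rpc"
                    AccessFlags="AccessExecute | AccessScript"/>
</configuration>"""

def local(tag):
    """Drop an XML namespace prefix such as '{urn:...}IIsWebVirtualDir'."""
    return tag.rsplit("}", 1)[-1]

def vdir_properties(xml_text, element="IIsWebVirtualDir"):
    """Flatten the first matching node into {property: value}."""
    root = ET.fromstring(xml_text)
    node = next((n for n in root.iter() if local(n.tag) == element), None)
    if node is None:
        raise ValueError(f"no <{element}> node in export")
    props = dict(node.attrib)
    for child in node:  # <Custom> children are keyed as 'Custom:<Name>'
        if local(child.tag) == "Custom":
            props["Custom:" + child.get("Name", "?")] = child.get("Value")
    return props

def diff_exports(reference_xml, candidate_xml, ignore=("Location",)):
    """Return (missing, extra, changed) of candidate relative to reference."""
    ref, cand = vdir_properties(reference_xml), vdir_properties(candidate_xml)
    keys = (set(ref) | set(cand)) - set(ignore)
    missing = {k: ref[k] for k in keys if k not in cand}
    extra = {k: cand[k] for k in keys if k not in ref}
    changed = {k: (ref[k], cand[k]) for k in keys
               if k in ref and k in cand and ref[k] != cand[k]}
    return missing, extra, changed

if __name__ == "__main__":
    missing, extra, changed = diff_exports(DEFAULT_EXPORT, MANUAL_EXPORT)
    print("missing from manual folder:", missing)
    print("changed:", changed)
```

Run against real exports, the `missing` result is the list to review first, since an absent property is invisible in the IIS Manager property pages.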


              • #8
                Re: Thanks for sharing

                Thanks for sharing your answer with us! I'm sure others will also benefit from knowing what was wrong and how you fixed it.

                Cheers,

                Daniel Petri
                Microsoft Most Valuable Professional - Active Directory Directory Services
                MCSA/E, MCTS, MCITP, MCT


                • #9
                  Re: RPC over HTTPs fails

                  Huh I have a problem too...

                  Same scenario, but with the difference that I had it all set up, everything worked like a charm, and some day it just stopped working...

                  The only error I can find is certificate (it prompts a cert security while connecting to https://my.domain.net)..

                  But it is the same cert that all worked on...


                  Now, when I try to connect from my home machine, Outlook prompts for a password, and the most interesting thing that I notice is that until I enter the right domain credentials it won't let me pass through... And when I enter the correct username and password it lets me through, but then fails with the message ("The connection to the microsoft exchange is unavailable. Outlook must be online or connected to complete this action.")

                  I would be glad if you can help me reestablish my connection over HTTPS again!


                  Thanks!


                  • #10
                    Re: RPC over HTTPs fails

                    The certificate prompt will cause RPC over HTTPS to fail.
                    When you get the prompt - which element has failed? There are three.
                    It could be something as simple as the certificate has expired.

                    Simon.
                    --
                    Simon Butler
                    Exchange MVP

                    Blog: http://blog.sembee.co.uk/
                    More Exchange Content: http://exchange.sembee.info/
                    Exchange Resources List: http://exbpa.com/
                    In the UK? Hire me: http://www.sembee.co.uk/

                    Sembee is a registered trademark, used here with permission.


                    • #11
                      Re: RPC over HTTPs fails

                      Nope, the certificate is valid until 2016...

                      Can you advise me how to create a perfect certificate on my own (we have a cert authority and everything), so that I won't get those messages any more?
                      Maybe it's just this that's bothering it...


                      Thanks!


                      • #12
                        Re: RPC over HTTPs fails

                        The first thing I always suggest is do not use your own certificate authority. That complicates the deployment significantly. Purchase a commercial certificate and you do not need to worry about importing root certificates and the like in to the clients.

                        GoDaddy's US$20 certificates are fine - and they are trusted by Windows Mobile without having to install anything.

                        What is it prompting over? If you fix that then that may well resolve your problems.

                        Simon.
                        --
                        Simon Butler
                        Exchange MVP

                        Blog: http://blog.sembee.co.uk/
                        More Exchange Content: http://exchange.sembee.info/
                        Exchange Resources List: http://exbpa.com/
                        In the UK? Hire me: http://www.sembee.co.uk/

                        Sembee is a registered trademark, used here with permission.


                        • #13
                          Re: RPC over HTTPs fails

                          It's in Slovene but still, you will know what I mean...

                          This is probably what's causing it to fail...


                          • #14
                            Re: RPC over HTTPs fails

                            Is that Firefox?

                            Use Internet Explorer, as that tells you exactly which element has failed.

                            There are three...
                            From the top

                            Trust
                            Date
                            Name

                            Simon.
                            --
                            Simon Butler
                            Exchange MVP

                            Blog: http://blog.sembee.co.uk/
                            More Exchange Content: http://exchange.sembee.info/
                            Exchange Resources List: http://exbpa.com/
                            In the UK? Hire me: http://www.sembee.co.uk/

                            Sembee is a registered trademark, used here with permission.


                            • #15
                              Re: RPC over HTTPs fails

                              Huh, I can't believe my eyes...

                              I tried on 4 different computers; with IE there is no certificate error, no prompting, no nothing...

                              So that means that the cert is OK?

                              Now I'm confused....
