RPC over http doesn't work even with a GoDaddy Certificate


  • RPC over http doesn't work even with a GoDaddy Certificate

    I'm having a similar problem.

    Some information:

    two servers:

    1 - Exchange 2003 server, all SPs installed, updated. (W2k3 R2, enterprise, 32 bit edition)
    2 - W2k3 r2 DC, (Enterprise, x64 bit edition)

    I went through the setup instructions on Petri, and initially had forgotten to do the GC entry on the DC. Fixed that, and I have followed the instructions. Yet, I cannot connect via RPC over HTTPS using it.

    Some info:

    1) We're using a certified certificate, from one of Go Daddy's subsidiaries. It's installed, and working correctly. Up until yesterday, we were using a self-created SSL cert.. but now, we have a 10 year certificate. Much better, and externally verified. DC was running as a CA, but now uninstalling CA on the DC, and using external SSL only.

    2) The firewall is a Watchguard X5000 appliance. OWA works fine, so ports 80 and 443 are working through the Firewall, and forwarded to the appropriate server. Yet I can't seem to get RPC over HTTPS to work. Do I need to have RPC installed on my DC as well? And do I need to configure RPC similarly to what I did on my exchange server?

    3) I have configured my client on the LAN to use RPC over HTTPS proxy, and when I run outlook.exe /rpcdiag, it's showing me it's using TCP/IP traffic. When I try an external client.. no luck at all. I've tried using the TCP packet filtering.. but to no avail. Doesn't appear that the traffic is working. I have rebooted my DC since the change, as well as the Exchange server.. but still it does not work. Help?

    Any help would be appreciated. thanks.
    Last edited by AndrewR; 7th September 2007, 20:23.

  • #2
    Re: RPC over http doesn't work even with a GoDaddy Certificate

    Post split from where it was because we frown on thread hijacking here. Please don't do that again. Thanks.
    1 1 was a racehorse.
    2 2 was 1 2.
    1 1 1 1 race 1 day,
    2 2 1 1 2



    • #3
      Re: RPC over http doesn't work even with a GoDaddy Certificate

      So if I get it right, when you were using a self-signed cert, all worked well, but since switching to Godaddy's cert, it stopped working?
      Cheers,

      Daniel Petri
      Microsoft Most Valuable Professional - Active Directory Directory Services
      MCSA/E, MCTS, MCITP, MCT



      • #4
        Re: RPC over http doesn't work even with a GoDaddy Certificate

        i mean this serious as all hell....

        have godaddy reissue the cert.

        i had a secondary account i work for on the side call me with cert problems.

        the old self made had expired, and they wanted to go with a paid for cert. they went to godaddy and got one...

        they dicked around with the thing for two days, and i finally came in to check it out. i went thru the motions, and the thing was installed correctly...

        so for poops and diddles, i had them resend the cert. ideally, the crc woulda been the same, but it wasn't...

        seems the cert wasn't correct the first time.

        it's always the simple stuff sometimes...
        its easier to beg forgiveness than ask permission.
        Give karma where karma is due...



        • #5
          Re: RPC over http doesn't work even with a GoDaddy Certificate

          You will also find it hard to check if RPC is working internally within your LAN, as that was the issue we had.

          Also, if you are setting up a laptop, we found the laptop must first be connected to your LAN or via VPN for the initial Outlook setup to be done, then move over to RPC.

          You will also have to browse to your OWA page and ensure the cert is installed there; if it shows up as having no cert installed, you will need to install it into the CA Trusted Root Authority before RPC will work.

          Regards

          Dave



          • #6
            Re: RPC over http doesn't work even with a GoDaddy Certificate

            Originally posted by danielp:
            So if I get it right, when you were using a self-signed cert, all worked well, but since switching to Godaddy's cert, it stopped working?

            OK. We were using a self-signed cert for OWA. Was ok, but it wouldn't work for RPC-over HTTPS. No big deal.. but now I want to use RPC over HTTPS. So, I went and bought a 10 year certificate from certificatesforexchange.com. That's installed fine.. everything is working nicely now on that end, OWA works with no issues.

            However, RPC over HTTPS does not. Keep getting the server is not reachable.. ideas?



            • #7
              Re: RPC over http doesn't work even with a GoDaddy Certificate

              First thing to try.
              From the machine with Outlook installed, browse to https://host.domain.com/rpc (Where host.domain.com is the name on the SSL certificate).
              You should get a username and password prompt. If you get an SSL prompt, then something is wrong. Don't worry about authentication - that will always fail.

              If you don't get anything, then you have to look at more basic things.
              Therefore, next ensure that the name resolves from the Outlook client. This could be an internal IP address if you are on the LAN or an external IP address if outside. It should NOT be an external IP address on the LAN. That will most likely cause things to fail.
              Ideally you should be testing this on the LAN.

              If you are on the LAN, then configure Outlook in the usual way and confirm it works. Then add the additional RPC over HTTPS settings without changing any of the existing configuration for a normal configuration.

              Simon.
              --
              Simon Butler
              Exchange MVP

              Blog: http://blog.sembee.co.uk/
              More Exchange Content: http://exchange.sembee.info/
              Exchange Resources List: http://exbpa.com/
              In the UK? Hire me: http://www.sembee.co.uk/

              Sembee is a registered trademark, used here with permission.
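The checks from this post as a small script, added here as an example and not part of the original thread. It treats the username/password prompt as an HTTP 401 and the RFC 1918 ranges as "internal", both assumptions; the addresses in it are constructed samples.

```python
import http.client
import ipaddress
import ssl

# RFC 1918 ranges, used here as the definition of an "internal" address (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(address):
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in INTERNAL_NETS)

def check_resolution(addresses, client_on_lan):
    """Apply the post's rule: a LAN client must not get an external address."""
    if not addresses:
        return "name does not resolve"
    if client_on_lan and not all(is_internal(a) for a in addresses):
        return "LAN client resolves the name to an external address"
    return "ok"

def probe_rpc(host, timeout=5):
    """Live check of https://host/rpc; returns (http_status, tls_error)."""
    context = ssl.create_default_context()  # verifies chain and host name
    conn = http.client.HTTPSConnection(host, 443, timeout=timeout, context=context)
    try:
        conn.request("GET", "/rpc")
        return conn.getresponse().status, None
    except ssl.SSLCertVerificationError as exc:
        return None, exc.verify_message
    except OSError:
        return None, None  # DNS failure, refused, timeout, other TLS failure
    finally:
        conn.close()

def interpret_probe(status, tls_error):
    if tls_error:
        return "certificate not trusted or name mismatch: " + tls_error
    if status is None:
        return "no answer: check name resolution and the firewall"
    if status == 401:
        return "ok: authentication prompt received"
    return "unexpected HTTP status %d" % status

if __name__ == "__main__":
    # Constructed results, so the script runs without a network connection.
    print(check_resolution(["203.0.113.10"], client_on_lan=True))
    print(interpret_probe(401, None))
    print(interpret_probe(None, "Hostname mismatch (constructed sample)"))
```

For a live check, pass the name on the certificate to `probe_rpc` and feed its result to `interpret_probe`.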



              • #8
                Re: RPC over http doesn't work even with a GoDaddy Certificate

                Originally posted by Sembee:
                First thing to try.
                From the machine with Outlook installed, browse to https://host.domain.com/rpc (Where host.domain.com is the name on the SSL certificate).
                You should get a username and password prompt. If you get an SSL prompt, then something is wrong. Don't worry about authentication - that will always fail.

                If you don't get anything, then you have to look at more basic things.
                Therefore, next ensure that the name resolves from the Outlook client. This could be an internal IP address if you are on the LAN or an external IP address if outside. It should NOT be an external IP address on the LAN. That will most likely cause things to fail.
                Ideally you should be testing this on the LAN.

                If you are on the LAN, then configure Outlook in the usual way and confirm it works. Then add the additional RPC over HTTPS settings without changing any of the existing configuration for a normal configuration.

                Simon.

                Simon,

                Thanks for the tips. The cert is successfully installed...now comes the fun part.

                The name resolves on the lan just fine.. but on the outside world, not so much. It's really quite odd... I just can't seem to get it to work. When I start up Outlook with /rpcdiag, I'm not able to connect. On the LAN, it seems to ignore the HTTPS and just connects on TCP. On the WAN.. well, it seems to not work on the WAN either.

                I have a laptop that has been synched once on the lan without RPC... but I can't seem to connect. I have noticed also that it is very slow to connect period... any suggestions?



                • #9
                  Re: RPC over http doesn't work even with a GoDaddy Certificate

                  The delay is almost certainly the failover. Outlook trying to connect to https, failing and then going to TCP/IP. Therefore you need to look at why that is happening.
                  Classic reasons are name resolution and proxy use. Don't forget that name resolution internally should resolve to the internal IP address of the server, not the external. While the external can work, it is not reliable and most firewalls will block the traffic.

                  Concentrate on getting it to work on the LAN first. Once you have it working there, then move on. My guide: http://www.amset.info/exchange/rpc-http.asp

                  Simon.



                  • #10
                    Re: RPC over http doesn't work even with a GoDaddy Certificate

                    Hopefully I'm not missing anything from the previous posts, but do you have an external DNS A or CNAME record that points to the common name on the cert (webmail.domain.com, etc.)? If so, does the DNS record resolve to the public ip address that you're NAT'ing to your internal Exchange server ip address?

                    Have you verified that you have the following registry values on your Exchange server, making sure you have the appropriate NetBios and FQDN names in the key?

                    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy]
                    "Enabled"=dword:00000001
                    "ValidPorts"="SERVERNETBIOSNAME:6001-6002;SERVER.INTERNALFQDN.COM:6001-6002;SERVERNETBIOSNAME:6004;SERVER.INTERNALFQDN.COM:6004;"
                    Last edited by joeqwerty; 12th September 2007, 02:05.
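A validator for the ValidPorts value shown in this post, added here as an example and not part of the original thread. The host names EXCH01 and exch01.corp.example.com and both sample strings are constructed; the required ports are the ones listed in the post.

```python
REQUIRED_PORTS = {6001, 6002, 6004}  # ports named in the post's ValidPorts value

def parse_valid_ports(value):
    """Return ({host: set_of_ports}, [problems]) for a ValidPorts string."""
    hosts, problems = {}, []
    for entry in value.split(";"):
        if not entry:
            continue  # the value in the post ends with a trailing ';'
        if any(ch.isspace() for ch in entry):
            problems.append("whitespace in entry %r" % entry)
            continue
        host, sep, ports = entry.rpartition(":")
        lo, dash, hi = ports.partition("-")
        if not sep or not host or not lo.isdigit() or (dash and not hi.isdigit()):
            problems.append("malformed entry %r" % entry)
            continue
        first, last = int(lo), int(hi or lo)
        if first > last or last > 65535:
            problems.append("bad port range in entry %r" % entry)
            continue
        hosts.setdefault(host.lower(), set()).update(range(first, last + 1))
    return hosts, problems

def check_valid_ports(value, netbios, fqdn):
    """List problems; both the NetBIOS name and the FQDN need every required port."""
    hosts, problems = parse_valid_ports(value)
    for name in (netbios, fqdn):
        missing = REQUIRED_PORTS - hosts.get(name.lower(), set())
        if missing:
            problems.append("%s: missing port(s) %s" % (name, sorted(missing)))
    return problems

# Constructed sample values (hypothetical server names).
GOOD = ("EXCH01:6001-6002;exch01.corp.example.com:6001-6002;"
        "EXCH01:6004;exch01.corp.example.com:6004;")
# Same value with a stray space inside one host name, as a copy/paste can leave.
BAD = ("EXCH01:6001-6002;exch01.corp.example.co m:6001-6002;"
       "EXCH01:6004;exch01.corp.example.com:6004;")

if __name__ == "__main__":
    for label, value in (("GOOD", GOOD), ("BAD", BAD)):
        issues = check_valid_ports(value, "EXCH01", "exch01.corp.example.com")
        print(label, issues or "no problems found")
```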

