RPC over HTTP - Authentication issues ISS->Firewall->SBS

  • RPC over HTTP - Authentication issues ISS->Firewall->SBS

    Hi there

    I've got the same issue as so many others! I can't log on to the Exchange Server using RPC over HTTP. The IIS log shows 401.1 errors.

    I'm not sure if I made some mistakes in configuring RPC over HTTP, or if my scenario just doesn't work this way.

    Setup (short version)

    DMZ
    StandAlone Win Server 03 R2 SP2
    Workgroup: HOME
    IIS and RpcProxy enabled
    Not an Exchange FrontEnd Server

    LAN
    Win SBS 2003 R2 SP2 (DC/GC)
    Domain: MYDOMAIN

    I read in another forum that it should be possible to set up IIS as RpcProxy without Exchange installed on it. But since I couldn't find any HowTos for this scenario, I'm really not sure if this works.

    But probably I should give you a more detailed view on my setup:

    Setup (longer version)

    DMZ
    StandAlone Win Server 03 R2 SP2
    Not an Exchange FrontEnd Server
    NetBiosName: webserver
    Workgroup: HOME
    HOSTS Entry for mailserver.mydomain.local
    LMHOSTS Entry for mailserver
    IIS enabled
    - 3rd party Certificate (Thawte) installed
    - external FQDN: intranet.mydomain.com
    - 3rd party Apps: Progress OpenEdge WebClient
    - HTTP on Port 80
    - HTTPS on Port 443
    RpcProxy enabled
    - Anonymous access disabled
    - Integrated Windows authentication enabled
    - Basic authentication enabled
    - Default Domain: (empty)
    - Require SSL and 128-bit encryption enabled

    MSExchangeIS and MSExchangeSA Parameters:
    Since Exchange is not installed on webserver, they are missing. I added them once manually, without any success.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy\ValidPorts
    mailserver:6001-6002;
    mailserver.mydomain.local:6001-6002;
    mailserver:6004;
    mailserver.mydomain.local:6004;
    mailserver:593;
    mailserver.mydomain.local:593;
    intranet.mydomain.com:6001-6002;
    intranet.mydomain.com:6004;
    intranet.mydomain.com:593

    rpccfg /hd
    intranet.mydomain.com........593 6001-6002 6004
    mailserver.........................593 6001-6002 6004
    mailserver.mydomain.local....593 6001-6002 6004

    LAN
    Win SBS 2003 R2 SP2 (DC/GC)
    NetBiosName: mailserver
    Domain: MYDOMAIN
    internal FQDN: mailserver.mydomain.local
    Exchange configured as RPC-HTTP Back-End Server

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
    NSPI interface protocol sequences set to ncacn_http:6004

    MSExchangeIS and MSExchangeSA Parameters in the Registry are set. (I'm not sure on which server these have to be configured!)

    netstat -a | find "600"
    TCP mailserver:6001 mailserver.mydomain.local:0 LISTENING
    TCP mailserver:6002 mailserver.mydomain.local:0 LISTENING
    TCP mailserver:6004 mailserver.mydomain.local:0 LISTENING



    Firewall
    WAN->DMZ: Port forward for 80 and 443 to webserver
    DMZ->LAN: pass-through for Ports 593,6001,6002,6004
    LAN->DMZ: pass-through for all Ports


    Outlook Client
    Microsoft Exchange Server: mailserver.mydomain.local
    Exchange Proxy Settings -> URL: intranet.mydomain.com
    Connect using SSL only enabled
    On slow networks[...] enabled
    Basic Authentication enabled


    Testing RPC
    rpcping is only successful (DMZ and WAN) when I use the webserver Administrator credentials for argument -P
    and the SBS user credentials for argument -I. If I use the SBS user credentials for both arguments, I get a 401 error.

    (rpcping -t ncacn_http -s ExchServer -o RpcProxy=RPCProxyServer -P "user,domain,*" -I "user,domain,*" -H 2 -u 10 -a connect -F 3 -v 3 -E -R none)


    Can someone tell me, if this setup is working at all or if there's something wrong in my configuration?

    Thanks in advance

    domi
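The ValidPorts value in the post above is the RPC proxy's allow-list of back-end host:port targets it is willing to tunnel to, so a typo there or a missing name fails the connection, and every extra host is another tunnel target the proxy accepts. The following is an added example, not code from the original post: a parser for the ValidPorts string format shown above and a check of the listing against the ports the back-end in the post listens on. The sample value is reconstructed from the post; the port roles in the comments are the standard Exchange 2003 RPC over HTTP assignments.

```python
"""Parser and consistency check for the RpcProxy ValidPorts registry value.

Format (as in the post): entries separated by ';', each 'host:ports',
where ports is a single port or a 'low-high' range.
"""
from __future__ import annotations

# ValidPorts as listed in the post (constructed sample input).
VALID_PORTS = (
    "mailserver:6001-6002;mailserver.mydomain.local:6001-6002;"
    "mailserver:6004;mailserver.mydomain.local:6004;"
    "mailserver:593;mailserver.mydomain.local:593;"
    "intranet.mydomain.com:6001-6002;intranet.mydomain.com:6004;"
    "intranet.mydomain.com:593"
)

# Ports the back-end must expose for Exchange 2003 RPC over HTTP:
# 593 = RPC endpoint mapper over ncacn_http, 6001/6002 = store and referral,
# 6004 = NSPI (the NTDS "NSPI interface protocol sequences" value in the post).
REQUIRED_PORTS = {593, 6001, 6002, 6004}


def parse_valid_ports(value: str) -> dict[str, set[int]]:
    """Return {host_lowercase: {allowed ports}} for a ValidPorts string.

    Malformed entries raise instead of being skipped: a silent skip is
    exactly what turns a typo into an unexplained 'proxy refuses' symptom.
    """
    allowed: dict[str, set[int]] = {}
    for entry in filter(None, (e.strip() for e in value.split(";"))):
        host, sep, ports = entry.rpartition(":")
        if not sep or not host or not ports:
            raise ValueError(f"malformed ValidPorts entry: {entry!r}")
        lo, _, hi = ports.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not (0 < lo_i <= hi_i <= 65535):
            raise ValueError(f"bad port range in entry: {entry!r}")
        allowed.setdefault(host.lower(), set()).update(range(lo_i, hi_i + 1))
    return allowed


def is_forwardable(allowed: dict[str, set[int]], host: str, port: int) -> bool:
    """Would the proxy tunnel an RPC_CONNECT to host:port? Host match is
    case-insensitive, which is how the NetBIOS name and FQDN are compared."""
    return port in allowed.get(host.lower(), set())


def missing_for_backend(allowed: dict[str, set[int]],
                        backend_names: list[str]) -> dict[str, set[int]]:
    """Required ports not listed for each name the client may use for the
    back-end (the post lists both the NetBIOS name and the internal FQDN)."""
    return {name: REQUIRED_PORTS - allowed.get(name.lower(), set())
            for name in backend_names}


def unexpected_hosts(allowed: dict[str, set[int]], backend_names: list[str]) -> set[str]:
    """Hosts in ValidPorts that are not the back-end at all. Each one is a
    tunnel target the proxy will accept without it being needed."""
    return set(allowed) - {n.lower() for n in backend_names}


if __name__ == "__main__":
    backend = ["mailserver", "mailserver.mydomain.local"]
    table = parse_valid_ports(VALID_PORTS)
    for host, ports in sorted(table.items()):
        print(f"{host:32} {sorted(ports)}")
    print("missing:", missing_for_backend(table, backend))
    print("not the back-end:", unexpected_hosts(table, backend))
```

Run against the post's value, the check reports nothing missing for either back-end name and flags intranet.mydomain.com (the proxy's own external name) as a listed host that is not the back-end; those three entries do nothing for the Outlook path and can be dropped.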

  • #2
    Re: RPC over HTTP - Authentication issues IIS->Firewall->SBS

    Sorry!

    The Title is wrong! It's IIS of course, not ISS. My servers aren't in space! Yet!

    domi



    • #3
      Re: RPC over HTTP - Authentication issues ISS->Firewall->SBS

      The configuration you have is not going to work.

      IIS on its own cannot do anything with the RPC Proxy component. Something else has to work with it - Exchange usually.
      If you want to put something in the DMZ then it will have to be an ISA server.

      Basically the machine in the DMZ and the settings you have done on it were a waste of time.

      Next - this is SBS. You should not have configured anything manually. The only way to configure features in SBS is to use the wizard. You will have to re-run the wizard to get the correct settings.

      Simon.
      --
      Simon Butler
      Exchange MVP

      Blog: http://blog.sembee.co.uk/
      More Exchange Content: http://exchange.sembee.info/
      Exchange Resources List: http://exbpa.com/
      In the UK? Hire me: http://www.sembee.co.uk/

      Sembee is a registered trademark, used here with permission.



      • #4
        Re: RPC over HTTP - Authentication issues IIS->Firewall->SBS

        Lessons learned: Next time ask first, then try it!

        Damn! I almost knew that this was gonna happen!

        I assumed that the RpcProxy connects to Exchange without needing any other applications (Exchange FE or ISA) running on the same server.

        Most of the settings I made were on the IIS. On SBS I changed only the RPC-HTTP settings in the Exchange System Manager. So there's not much work to do on the SBS, I think.

        Thanks

        domi



        • #5
          Re: RPC over HTTP - Authentication issues ISS->Firewall->SBS

          You shouldn't have even touched the setting in ESM.
          SBS should be treated as an appliance - do not change things manually, do everything through the wizards. The problems start when you try to set things manually.

          Simon.
          --
          Simon Butler
          Exchange MVP


          • #6
            Re: RPC over HTTP - Authentication issues IIS->Firewall->SBS

            It's working!!!

            No need to have Exchange or ISA running on the RpcProxy.

            Reread some MS Technet paper thoroughly. Until then I didn't get that Outlook passes two authentications until a connection to the Exchange server is established. First on the IIS to get access to the RPC Folder and second on the Exchange Server to get access to the Mailbox.

            Due to the fact that my IIS is on a standalone server, there was no way that IIS could verify the credentials it received from Outlook to grant access to the RPC folder. So Outlook was rejected.

            I just had to create a user on the RpcProxy with the same username and password as on the SBS to get it to work.

            I didn't test it and I probably won't, but I think the next step would be adding the IIS server as a member server to the SBS domain. This way IIS could check the SBS for the right credentials.

            Domi
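The two-hop authentication described in the post above is easy to misread, so here is an added example (not code from the original thread) that models it: hop 1 is IIS on the RPC proxy checking the HTTP Basic credentials for the /rpc directory against whatever account database the proxy can reach (its local SAM when standalone, the domain when it is a member), and hop 2 is the back-end Exchange server checking the RPC-level credentials against the domain. rpcping's -P and -I arguments from the first post map onto these two hops. All account data is constructed; a SHA-256 digest stands in for Windows' own password verification, and the domain-member branch is this model's assumption since the poster did not try it.

```python
"""Model of the two authentication hops of an Outlook RPC-over-HTTP connection."""
from __future__ import annotations

import base64
import hmac
from hashlib import sha256


def _digest(password: str) -> str:
    # Stand-in for Windows credential verification; not how Windows stores passwords.
    return sha256(password.encode()).hexdigest()


# Constructed account stores.
DOMAIN_ACCOUNTS = {("MYDOMAIN", "domi"): _digest("S3cret!")}
PROXY_LOCAL_STANDALONE = {("WEBSERVER", "administrator"): _digest("ProxyAdm1n")}
# The fix from the post: a local proxy account mirroring the SBS user's name and password.
PROXY_LOCAL_MIRRORED = {**PROXY_LOCAL_STANDALONE, ("WEBSERVER", "domi"): _digest("S3cret!")}


def basic_header(user: str, password: str) -> str:
    """Authorization header as Outlook sends it with Basic authentication."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic(header: str) -> tuple[str, str]:
    scheme, _, token = header.partition(" ")
    if scheme != "Basic" or not token:
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def split_account(user: str, default_realm: str) -> tuple[str, str]:
    """DOMAIN\\user or user@domain; a bare name falls into default_realm.
    The post's IIS 'Default Domain' was empty, so bare names are local there."""
    if "\\" in user:
        realm, _, name = user.partition("\\")
    elif "@" in user:
        name, _, realm = user.partition("@")
    else:
        realm, name = default_realm, user
    return realm.upper(), name.lower()


def verify(store: dict, realm: str, user: str, password: str) -> bool:
    expected = store.get(split_account(user, realm))
    return expected is not None and hmac.compare_digest(expected, _digest(password))


class RpcProxy:
    """IIS + RpcProxy. Standalone: only the local SAM is consulted.
    Domain member (model assumption): the domain can be consulted too."""

    def __init__(self, local_accounts: dict, host: str,
                 member_of: str | None = None, domain_accounts: dict | None = None):
        self.local, self.host = local_accounts, host.upper()
        self.member_of = member_of.upper() if member_of else None
        self.domain = domain_accounts or {}

    def authenticate(self, authz_header: str) -> int:
        """HTTP status IIS answers for /rpc: 200, or the 401 seen in the post's IIS log."""
        try:
            user, password = parse_basic(authz_header)
        except ValueError:
            return 401
        realm, _ = split_account(user, self.host)
        if realm == self.host and verify(self.local, self.host, user, password):
            return 200
        if self.member_of and realm == self.member_of and \
                verify(self.domain, self.member_of, user, password):
            return 200
        return 401


class ExchangeBackend:
    def __init__(self, domain: str, accounts: dict):
        self.domain, self.accounts = domain.upper(), accounts

    def rpc_bind(self, user: str, password: str) -> bool:
        return verify(self.accounts, self.domain, user, password)


def connect(proxy: RpcProxy, backend: ExchangeBackend,
            proxy_user: str, proxy_password: str,      # rpcping -P
            rpc_user: str, rpc_password: str) -> str:  # rpcping -I
    """Outcome of the chained connection, in the order the hops happen."""
    if proxy.authenticate(basic_header(proxy_user, proxy_password)) != 200:
        return "401 at RPC proxy"
    if not backend.rpc_bind(rpc_user, rpc_password):
        return "proxy ok, RPC bind rejected by Exchange"
    return "mailbox session established"


if __name__ == "__main__":
    sbs = ExchangeBackend("MYDOMAIN", DOMAIN_ACCOUNTS)
    proxies = {
        "standalone": RpcProxy(PROXY_LOCAL_STANDALONE, "webserver"),
        "standalone+mirrored user": RpcProxy(PROXY_LOCAL_MIRRORED, "webserver"),
        "domain member": RpcProxy(PROXY_LOCAL_STANDALONE, "webserver", "MYDOMAIN", DOMAIN_ACCOUNTS),
    }
    for label, proxy in proxies.items():
        print(f"{label:26} {connect(proxy, sbs, 'domi', 'S3cret!', 'domi', 'S3cret!')}")
```

The model reproduces the thread: the standalone proxy answers 401 to the SBS user's credentials because it has no way to check them, the rpcping trick of using the proxy administrator for -P and the SBS user for -I passes both hops, and the mirrored local account makes a single credential pass both. Note what the mirrored store contains: a copy of the domain user's password on the DMZ host, which is the cost of this approach.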



            • #7
              Re: RPC over HTTP - Authentication issues ISS->Firewall->SBS

              I have to say that I don't think you are using it in a supported configuration. I have been working with Exchange for some time, with RPC over HTTPS since it was first released and this is the first time I have heard of anyone using a regular IIS machine in a DMZ with the feature.

              The administration load that this will cause is quite large. If there needs to be a matching username and password then how does that improve your security? It does not. The DMZ machine can get compromised and then the attacker knows what the usernames and passwords are in the production network. You cannot use expiring passwords because that will break email for remote users until you manually update the password on the standalone server.

              While you may have a solution working, I don't consider it to be a very good solution and it is not something I would be recommending to anyone else to do.

              Simon.
              --
              Simon Butler
              Exchange MVP


              • #8
                Re: RPC over HTTP - Authentication issues IIS->Firewall->SBS

                Don't get me wrong, I wouldn't recommend it either, now that I know more about it.

                But still, am I missing something? Why should it be safer to set up the "RPC over HTTPS on a Single Server Scenario" on an SBS Standard and open ports on the firewall directly into the LAN than my setup? I didn't place the IIS in the DMZ just to use it with RPC over HTTP. The main purpose of the IIS is something else. I'm not publishing websites on the internet with it. I put the RpcProxy in the DMZ because I've already got a certificate on that server. So I didn't need to buy another one.

                And in my case, the administration load shouldn't be a problem with only 3 users... I've got a very very small network here.

                I know, there is still a security issue with the IIS in the DMZ and not using ISA or similar. But for other reasons, I can't make it more secure. At least, right now.

                Domi



                • #9
                  Re: RPC over HTTP - Authentication issues ISS->Firewall->SBS

                  Why do you think putting anything in the DMZ makes the deployment more secure? All you are doing is moving the attack surface. IIS cannot actually defend itself, the traffic is still going to come in and be passed to the server, so how does that make things better than opening direct? It doesn't.

                  If something like ISA was used, which can actually inspect the packets and ensure that they are what they should be, then you have an advantage to using something in the DMZ. As it stands now all you have done is added another layer of complexity for very little, if any, gain.

                  I have no problem with directly exposing Exchange to the Internet with just port 443 and 25 open. Of the two, port 25 is attacked more than 443 as that is the one spammers want to use.

                  Simon.
                  --
                  Simon Butler
                  Exchange MVP


                  • #10
                    Re: RPC over HTTP - Authentication issues IIS->Firewall->SBS

                    I'm sorry if there is a misunderstanding. English is not my mother tongue. Perhaps my translations aren't the best.

                    I didn't want to say that my scenario is safer than yours. Of course it's better to use ISA when you open up your network to the internet. But I think in my case (without ISA) it doesn't matter if IIS is in the DMZ or the LAN. I didn't put the IIS in the DMZ for security reasons. Probably I shouldn't have mentioned DMZ after all. It's more like a network segmentation. On the LAN I've got several network segments and one over VPN, which aren't allowed to "see" each other but have to connect to the IIS. But since the IIS is plugged into the DMZ port of the firewall, I called it the DMZ. Perhaps it's not very usual to have a setup like this. But this way the network segments can share the IIS and the Internet connection (outgoing) with only one firewall and one switch. And with the RPC over HTTP feature I don't have to open up ports between the segments. It doesn't matter anymore to which segment my notebook is connected.

                    Domi
