
Exchange 2003 RPC/HTTPS, SSL, CA Problem


  • Exchange 2003 RPC/HTTPS, SSL, CA Problem

    Hi everyone, this is my second attempt at playing with RPC HTTPS and I am stuck. Hopefully someone can shed some light on this to help a frustrated soul.

    Here is what I have done so far.

    Windows 2003 SP2
    Exchange 2003 SP2
    External IP address with ports 80 & 443 open
    Used GUI with correct server name/fqdn/port
    IIS for SSL (working)
    Installed CA on server (working)

    On the client, I can access https://exchange.domain.com/exchange (working)
    Accepted the CA certificate, and installed/imported it into the Trusted Root Authority
    For Outlook, I am using Exchange over the web, SSL/clear text, but it's NOT connecting. When prompted for the username/password, I used domain.com\administrator; when I hit Check Name, it doesn't give me the underline you normally get when you connect to Outlook.

    Can someone please help?! I am at a total loss on this. I am doing this on the second VM because I thought something was screwed up on the first one.

    I'd be eternally grateful if you can help me fix this!

  • #2
    Re: Exchange 2003 RPC/HTTPS, SSL, CA Problem

    I don't know if this is a problem or appears on all IE certificates, but when I access https://exchange.domain.com the Security Alert comes up and says:

    (Green check)Security certificate is from a trusted certifying authority
    (Green check)The security certificate date is valid
    (yellow exclamation)The name on the security certificate is invalid or does not match the name of the site

    I've noticed the "Issued to:" is exchange - should this be exchange.domain.com?



    • #3
      Re: Exchange 2003 RPC/HTTPS, SSL, CA Problem

      Certificate prompts are a hard failure for RPC over HTTPS. Therefore, if you are getting a prompt then it will never work.
      I also never recommend the use of home grown certificates - only commercial certificates. I don't know how long you have spent trying to get this feature to work, but a commercial certificate costs US$30/year from http://DomainsForExchange.net/ and is what I would recommend that you use.
      If you want to do a proof of concept, then RapidSSL have 30 day trial certificates that are trusted.

      Let me put it this way... I can get RPC over HTTPS to work in less than an hour, including the time to get the SSL certificate.

      Simon.
      --
      Simon Butler
      Exchange MVP

      Blog: http://blog.sembee.co.uk/
      More Exchange Content: http://exchange.sembee.info/
      Exchange Resources List: http://exbpa.com/
      In the UK? Hire me: http://www.sembee.co.uk/

      Sembee is a registered trademark, used here with permission.



      • #4
        Re: Exchange 2003 RPC/HTTPS, SSL, CA Problem

        Thanks for the tip on RapidSSL; however, I am back to square one again. Here's what I've done.

        1. I got the CA on my server working, and all workstations accepted the SSL no problem, all green check marks. I've also added the CA to the root certs on the workstations; however, I am still having the same problem: in my Outlook client (server: exchange, username: administrator), when I hit Check Name it does not get the underline, exchange.xxxx.com

        2. I went to RapidSSL, created the cert there, and modified my IIS to use the RapidSSL cert. Everything went through no problem, and I tested it on workstations no problem; however, when I open Outlook, same thing: it will not connect to the server, no underline when I hit Check Name.

        I've followed the guide on Petri's site EXACTLY and I just don't know what went wrong.

        Firewall port 443 is open, and points to exchange server correctly.
        Outlook/Exchange works on LAN
        HTTPS and OWA works on workstation/server
        Fully qualified domain name - works

        Someone help! There is no reason why this is not working!!! Any troubleshooting steps are much appreciated!



        • #5
          Re: Exchange 2003 RPC/HTTPS, SSL, CA Problem

          RPC over HTTPS fails for one of three reasons.

          1. Certificate not trusted. Remember that there are three elements to the trust - date, name and root certificate. Therefore ensure that you are using the correct information in the Outlook configuration.

          2. Registry settings are not correct. On a single server deployment the registry has to be manually modified for RPC over HTTPS to work. Daniel and I differ on what settings are required. Mine are at http://www.amset.info/exchange/rpc-http.asp

          3. Authentication mismatch. This means you have set the virtual directory to use integrated and have set Outlook to use Basic (or vice versa).

          When I test Outlook RPC over HTTPS, I configure the network so that it works internally and test on that first. Then I take the same machine and test it outside the network.

          Simon.
          --
          Simon Butler
          Exchange MVP

          Blog: http://blog.sembee.co.uk/
          More Exchange Content: http://exchange.sembee.info/
          Exchange Resources List: http://exbpa.com/
          In the UK? Hire me: http://www.sembee.co.uk/

          Sembee is a registered trademark, used here with permission.
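The three trust elements listed in the post above (date, name, root certificate) can be told apart from the client with a strict TLS handshake. This is an added example, not part of the original posts: it uses Python's standard `ssl` module and OpenSSL's `X509_V_ERR_*` verify codes, takes `exchange.domain.com` as the thread's placeholder host, and assumes the trust store of the machine it runs on.

```python
import socket
import ssl

# OpenSSL X509_V_ERR_* verify codes, grouped by the trust element they break.
DATE_CODES = {9, 10}               # not yet valid, expired
NAME_CODES = {62, 64}              # hostname mismatch, IP address mismatch
ROOT_CODES = {2, 18, 19, 20, 21}   # issuer missing, self-signed, untrusted chain


def classify(verify_code):
    """Map an OpenSSL verify code to 'date', 'name', 'root' or 'other'."""
    if verify_code in DATE_CODES:
        return "date"
    if verify_code in NAME_CODES:
        return "name"
    if verify_code in ROOT_CODES:
        return "root"
    return "other"


def probe(host, port=443, timeout=5.0):
    """Strict TLS handshake against host, as a client that cannot click
    through a certificate prompt would do it. Returns (status, detail)."""
    ctx = ssl.create_default_context()  # verifies chain, dates and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
                return "ok", subject.get("commonName", "")
    except ssl.SSLCertVerificationError as err:
        # Must be caught before OSError: SSL errors are OSError subclasses.
        return classify(err.verify_code), err.verify_message
    except OSError as err:  # refused, timed out, DNS failure, other TLS error
        return "unreachable", str(err)


if __name__ == "__main__":
    import sys
    # Pass the exact name entered in Outlook's Exchange proxy settings.
    host = sys.argv[1] if len(sys.argv) > 1 else "exchange.domain.com"
    status, detail = probe(host)
    print(f"{host}: {status} ({detail})")
```

OpenSSL reports only the first verification failure it meets, so rerun the probe after each fix until it returns `ok`.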



          • #6
            Re: Exchange 2003 RPC/HTTPS, SSL, CA Problem

            Hi a2d - let me preface by saying that I am of the rookie cloth when it comes to talking RPC/HTTP, as I just finished my "2nd" hands-on with an RPC/HTTP installation (today) as well. On this particular implementation, I had RPC working on my test system, but the owner of the company I was doing work for was not able to get his Outlook to connect using RPC/HTTP.

            One of Simon's archived posts for troubleshooting RPC implementations was to browse to https://exchange.domain.com/rpc to check if you get a certificate prompt. I had the customer I was doing this work for come into the office to t/s his issue, I did the above, and sure enough, he gets a certificate prompt. I did a "view certificate", accepted it, restarted Outlook, and boom...it's now working. (This is all running off a 2003 SBS server w/ Exchange SP2 - client on XP SP2 running OL2K3)

            As to where this step falls into the area of "technically acceptable means of trouble-shooting and resolving this issue", I don't really have a solid technical understanding of the underlying mechanics of how all these processes tie together, but it is now working. I'm new to this account, but the customer has been using Exchange for the last few years, Outlook has worked as it should internally - and they've been using the web interface to access their email remotely up to this point.

            Not sure if this will help you, but that's what got me going on this particular issue.



            • #7
              Re: Exchange 2003 RPC/HTTPS, SSL, CA Problem

              Hello agree2disagree, I also have the following as you:

              Windows 2003 SP2
              Exchange 2003 SP2
              External IP address with ports 80 & 443 open
              Used GUI with correct server name/fqdn/port
              IIS for SSL (working)
              Installed CA on server (working)



              All the "Petri RPC over HTTP" documentation is for SP1. Where did you get info for SP2? You are the only one here I find to be the same as me. I also have a 3rd party CA installed & running.
              https://mail.mycompany.com running (OWA)
              Please forward any findings this way.
              I am a newbie here, so please excuse my ignorance, trying to comply..
              Thanks



              • #8
                Re: Exchange 2003 RPC/HTTPS, SSL, CA Problem

                Nothing changed for RPC over HTTPS between SP1 and SP2 (of either Exchange or Windows). The setup is the same. Therefore everything that you see for SP1 also applies to later versions.

                Simon.
                --
                Simon Butler
                Exchange MVP

                Blog: http://blog.sembee.co.uk/
                More Exchange Content: http://exchange.sembee.info/
                Exchange Resources List: http://exbpa.com/
                In the UK? Hire me: http://www.sembee.co.uk/

                Sembee is a registered trademark, used here with permission.
