rpc over http/s problem after server replacement


  • rpc over http/s problem after server replacement

    Hello all,

    I have a problem with RPC over HTTP/S since I replaced a broken server. Here is the story:
    Original situation:
    1 DC SBS (let's call it Server1) with Exchange and CA
    1 DC W2k3 SP2 (let's call it Server2)

    We configured RPC over HTTP/S with our CA, no problems, everything was working fine. Some weeks ago we had a problem with the Server1 disks and we had to replace the disks on that server... my customer had some licenses for W2k3 and Exchange and he decided not to reinstall SBS 2003 but to install W2k3 and Exchange 2k3.
    The installation went well: W2k3 patched to SP2, promoted to DC, seized FSMO, reinstalled CA and installed Exchange (SP2) with the /recovery option. Everything worked fine except RPC over HTTP.
    Actually we still have 2 certificates from the old situation:
    1) servername.domain.local
    2) webmail.domain.com

    If I use certificate #1, OWA works, but I receive an error on RPC (used testexchangeconnectivity):
    "Host name webmail.domain.com does not match any name found on the server certificate CN=servername.domain.local". OK, I can understand this:
    the certificate has only the internal name, not the external one, so I try to change to certificate #2, and here is the thing I can't explain... I receive an error:
    A network error occurred while communicating with remote host
    Exception details:
    Message: Authentication failed because the remote party has closed the transport stream.
    Type: System.IO.IOException
    Stack trace:
    at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
    at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
    at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
    at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
    at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost)
    at Microsoft.Exchange.Tools.ExRca.Tests.SSLCertificateTest.PerformTestReally()

    And with this certificate OWA also does not work anymore. I tried to create another certificate, same problem. I tried to generate a certificate from another CA that I often use for other customers, but nothing, same problem. The only certificate that makes OWA work is the servername.domain.local one, but this gives me the name problem with RPC.

    hope to have been clear enough in my post...
    any ideas?
    thanks
    Piero

  • #2
    Re: rpc over http/s problem after server replacement

    Dump the self generated certificates.
    They simply aren't worth the hassle and time getting to work, installing on clients etc.
    I don't think I have ever used an internal CA, not worth the bother for securing web traffic.

    Get a commercial certificate for US$30/year and it will work shortly afterwards.

    Simon.
    --
    Simon Butler
    Exchange MVP

    Blog: http://blog.sembee.co.uk/
    More Exchange Content: http://exchange.sembee.info/
    Exchange Resources List: http://exbpa.com/
    In the UK? Hire me: http://www.sembee.co.uk/

    Sembee is a registered trademark, used here with permission.



    • #3
      Re: rpc over http/s problem after server replacement

      Going to echo Sembee's sentiments. The time you're wasting troubleshooting an internal CA, which is more aggro than what it's worth, you could have purchased a certificate.

      www.startssl.com do free certificates for a year.

      http://www.instantssl.com/ Comodo also offer free certs for 3 months, I believe, as well as free certs for Digital IDs for a year. That's an investment of zero with a much easier supported configuration with none of the hassle of auto enrolling certificates etc.



      • #4
        Re: rpc over http/s problem after server replacement

        I just installed a certificate from instantssl.com but unfortunately I have the same problem: OWA does not work anymore and the RPC test has this result:
        A network error occurred while communicating with remote host
        Exception details:
        Message: Authentication failed because the remote party has closed the transport stream.
        thanks for helping
        Piero



        • #5
          Re: rpc over http/s problem after server replacement

          That would tend to indicate that either you have a bad SSL certificate, something is wrong with the network configuration or something is interfering with the traffic flow. You will have to go through all configuration, looking at things like the SSL certificate, default gateway, subnets etc to try and verify the issue.

          Simon.
          --
          Simon Butler
          Exchange MVP

          Blog: http://blog.sembee.co.uk/
          More Exchange Content: http://exchange.sembee.info/
          Exchange Resources List: http://exbpa.com/
          In the UK? Hire me: http://www.sembee.co.uk/

          Sembee is a registered trademark, used here with permission.



          • #6
            Re: rpc over http/s problem after server replacement

            So, the server running the RPCHTTP stuff - was this the reinstalled server?

            Have you got the RPC packages installed?
            Have you checked in the registry and made sure the appropriate options are in there? (I forget exactly what they are, but I suspect the relevant guides will tell you what to configure, something to do with end points 6001-6004 or something)


            http://www.petri.com/how-can-i-confi...r-scenario.htm
            1. make sure RPCProxy is installed on the front facing web server
            2. ensure the reg keys are set appropriately for the changes in your infrastructure (HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeSA\Parameters and HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS)
            Last edited by tehcamel; 18th October 2010, 14:41.
            Please do show your appreciation to those who assist you by leaving Rep Point


            • #7
              Re: rpc over http/s problem after server replacement

              Yes, rpcoverhttp is the reinstalled server, and I configured ports 6001-6004 with the rpcnofrontend tool, so that should be OK.
              RPC proxy is installed.

              What is strange is that with the server.domain.local certificate I can correctly connect to OWA from outside the network, while if I replace this certificate with the commercial one that I did or any other certificate I cannot use OWA anymore (from internal and from external).
              One more piece of information: if I use the server.domain.local certificate and do some tests with the "testexchangeconnectivity" website, I get the error "Host name webmail.domain.com does not match any name found on the server certificate CN=server.domain.local", while if I use any other certificate I get a different error.



              • #8
                Re: rpc over http/s problem after server replacement

                Just noticed that the server running Exchange is SBS - have you run through the wizards to configure RPC over HTTPS access? If you haven't, or haven't assigned the certificates that way, then run through them, as the quickest way to break an SBS installation is not to UTFW. Also, is this SBS Premium with ISA Server?

                I personally do not agree that purchasing a commercial certificate is the best way to go - I will only ever do that if I want to publish resources that are accessible to external clients such as our customer helpdesk system - but that's a personal preference.
                BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
                Cruachan's Blog


                • #9
                  Re: rpc over http/s problem after server replacement

                  Hi Cruachan,

                  No, the server was SBS, then the disks crashed and we reinstalled on the same machine just W2k3 and Exch2k3 (all SP2), so originally it was SBS, now it's just a W2k DC.


                  • #10
                    Re: rpc over http/s problem after server replacement

                    Originally posted by Piero
                    Yes, rpcoverhttp is the reinstalled server, and I configured ports 6001-6004 with the rpcnofrontend tool, so that should be OK.
                    RPC proxy is installed.

                    What is strange is that with the server.domain.local certificate I can correctly connect to OWA from outside the network, while if I replace this certificate with the commercial one that I did or any other certificate I cannot use OWA anymore (from internal and from external).
                    One more piece of information: if I use the server.domain.local certificate and do some tests with the "testexchangeconnectivity" website, I get the error "Host name webmail.domain.com does not match any name found on the server certificate CN=server.domain.local", while if I use any other certificate I get a different error.

                    The error you have posted is to be expected - that is basically a name mismatch.

                    It sounds to me as if it is either a bad SSL certificate, or ISA server is involved somewhere and something is tied to that self generated certificate.
                    If you had three certificates, getting a connection failed error on one would be ok - broken certificate (it happens). On two, that is too much of a coincidence.
                    The error you have posted above about the closed session means that the SSL session couldn't be established, and is a classic SSL certificate issue - as in a problem with SSL itself, not IIS.

                    Simon.
                    --
                    Simon Butler
                    Exchange MVP

                    Blog: http://blog.sembee.co.uk/
                    More Exchange Content: http://exchange.sembee.info/
                    Exchange Resources List: http://exbpa.com/
                    In the UK? Hire me: http://www.sembee.co.uk/

                    Sembee is a registered trademark, used here with permission.
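
The name check behind the "Host name ... does not match any name found on the server certificate" error discussed in this thread, as an added example that is not part of any post: it reports which client-facing hostnames a certificate fails to cover, using the standard rule that subjectAltName DNS entries take precedence over the subject CN. The certificate dictionaries follow the shape Python's `ssl.getpeercert()` returns and are constructed from the thread's placeholder names; the certificate carrying both names is hypothetical, and that the test site applies exactly this rule is an assumption.

```python
def cert_dns_names(cert):
    """Names a client compares against, from an ssl.getpeercert()-style dict.

    Standard rule (RFC 6125): if the certificate carries subjectAltName DNS
    entries, only those count; the subject CN is a fallback when there are none.
    """
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def label_match(pattern, hostname):
    """Case-insensitive match; '*' is honoured only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h


def uncovered(hostnames, cert):
    """Return the hostnames that would trip a name-mismatch error for this cert."""
    names = cert_dns_names(cert)
    return [h for h in hostnames if not any(label_match(n, h) for n in names)]


# Constructed sample data using the thread's placeholder names.
INTERNAL_CERT = {"subject": ((("commonName", "servername.domain.local"),),)}
EXTERNAL_CERT = {"subject": ((("commonName", "webmail.domain.com"),),)}
# Hypothetical certificate listing both names as SAN entries.
SAN_CERT = {
    "subject": ((("commonName", "webmail.domain.com"),),),
    "subjectAltName": (("DNS", "webmail.domain.com"),
                       ("DNS", "servername.domain.local")),
}
# Names clients might use to reach the server (assumption for this example).
CLIENT_NAMES = ["webmail.domain.com", "servername.domain.local"]

if __name__ == "__main__":
    for label, cert in [("cert #1", INTERNAL_CERT), ("cert #2", EXTERNAL_CERT),
                        ("SAN cert", SAN_CERT)]:
        print(label, "->", uncovered(CLIENT_NAMES, cert) or "all names covered")
```

This only covers the name-mismatch result; the "remote party has closed the transport stream" failure happens before any name comparison and has to be investigated on the server side.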
