Another RPC over HTTP/S problem....

  • Another RPC over HTTP/S problem....

    I think it's time for me to post this, as I'm on a 2-day journey reading and searching for a solution to this problem. Been there, done that (Sembee, Petri, msexchange, amset, experts-exchange, google): I have read all those tutorial guides, problems similar to mine, and the like.

    Anyway, here's what I got:

    1. Windows 2003 Enterprise R2 with SP2 (This is my DC and GC)

    2. Exchange Server 2003 Standard with SP2 installed on a Win2k3 Standard R2 with sp2 OS (IIS, RPC-HTTP set to BE, Domain Member, RPC Proxy and SSL cert)

    3. Got my certificate signed with STARTSSL (free SSL service trusted by Microsoft and all browsers).

    4. ISA Server 2006 is installed in front of Exchange (RPC over HTTP(s), OWA, SMTP and OMA are published here with SSL).

    5. In contrast with SMB's guide, I have a "Separate Exchange and Domain Controller Configuration".

    6. A Windows XP SP3 client with Outlook 2007 installed, for testing internal RPC over HTTP connectivity.

    Now my problem is, guess what? Just like everyone has experienced... I can't get RPC over HTTP(s) to work, both internally and externally. Let me outline the steps/workarounds I did so far.

    1. RPC Proxy 2 prerequisites, which were the registry entries to be configured on the DC/GC and on my Exchange server. I did all that using SEMBEE's tutorial and I think all went fine, as I am receiving the right output from RPCCFG /hd. Please see below

    2. SSL certificate is correctly installed on the IIS.
    a. Require secure channel has been selected on both the Default site and the RPC/RPCcert virtual directory.
    b. Ignore client cert has been selected.
    c. Anonymous access has been disabled in the RPC virtual directory.
    d. Integrated Windows and Basic Authentication have been set along with the DEFAULT DOMAIN, which in my case is ""

  • #2
    Re: Another RPC over HTTP/S problem....

    3. Testing RPC over HTTP(s) connectivity with
    Below are the result.

    Testing RPC/HTTP connectivity.
    The RPC/HTTP test completed successfully.

    Test Steps

    Attempting to resolve the host name in DNS.
    The host name resolved successfully.

    Additional Details
    IP addresses returned:
    Testing TCP port 443 on host to ensure it's listening and open.
    The port was opened successfully.
    Testing the SSL certificate to make sure it's valid.
    The certificate passed all validation requirements.

    Test Steps

    Validating the certificate name.
    The certificate name was validated successfully.

    Additional Details
    Host name was found in the Certificate Subject Common name.
    Certificate trust is being validated.
    The test passed with some warnings encountered. Please expand the additional details.

    Additional Details
    ExRCA can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
    Testing the certificate date to confirm the certificate is valid.
    Date validation passed. The certificate hasn't expired.

    Additional Details
    The certificate is valid. NotBefore = 11/20/2010 2:45:21 PM, NotAfter = 11/21/2011 6:31:13 PM
    Checking the IIS configuration for client certificate authentication.
    Client certificate authentication wasn't detected.

    Additional Details
    Accept/Require Client Certificates isn't configured.
    Testing HTTP Authentication Methods for URL
    The HTTP authentication methods are correct.

    Additional Details
    ExRCA found all expected authentication methods and no disallowed methods. Methods found: Basic
    Testing SSL mutual authentication with the RPC proxy server.
    Mutual authentication was verified successfully.

    Additional Details
    Certificate common name matches
    Attempting to ping RPC proxy
    RPC Proxy was pinged successfully.

    Additional Details
    Completed with HTTP status 200 - OK
    Attempting to ping RPC endpoint 6001 (Exchange Information Store) on server
    The endpoint was pinged successfully.

    Additional Details
    RPC Status Ok (0) returned in 571 ms.
    Testing the Name Service Provider Interface (NSPI) on the Exchange Mailbox server.
    The NSPI interface was tested successfully.

    Test Steps

    Attempting to ping RPC endpoint 6004 (NSPI Proxy Interface) on server
    The endpoint was pinged successfully.

    Additional Details
    RPC Status Ok (0) returned in 86 ms.
    Testing NSPI "Check Name" for user [email protected] against server
    Check Name succeeded.

    Additional Details
    DisplayName: Exchange Administrator, LegDN: /o=CONCENTRIX/ou=First Administrative Group/cn=Recipients/cn=exnimda
    Testing the Referral service on the Exchange Mailbox server.
    The Referral service was tested successfully.

    Test Steps

    Attempting to ping RPC endpoint 6002 (Referral Interface) on server
    The endpoint was pinged successfully.

    Additional Details
    RPC Status Ok (0) returned in 977 ms.
    Attempting to perform referral for user /o=CONCENTRIX/ou=First Administrative Group/cn=Recipients/cn=exnimda on server
    ExRCA successfully got the referral.

    Additional Details
    The server returned by the Referral service:
    Testing the Exchange Information Store on the Mailbox server.
    ExRCA successfully tested the Information Store.

    Test Steps

    4. I can't get my internal client to access RPC over HTTP(s), both the https://exchangeserver/rpc URL and Outlook. Windows Authentication keeps on popping up even though I'm entering correct credentials, and after 3 consecutive retries IE returns an error: HTTP Error 401.3 - Unauthorized: Access is denied due to an ACL set on the requested resource. I tried to reinstall the RPC proxy and it still fails.

    5. On the internal client side, once I test with outlook /rpcdiag, the connection status says I'm connecting through HTTPS, and then an authentication box pops up. I entered my DOMAIN\user and it still fails to authenticate; it keeps on popping up even though I entered correct credentials.

    Am I missing something? As far as I know I'm on the correct path; I don't know where I got messed up.

    Hoping for your usual assistance. Thanks


    • #3
      Re: Another RPC over HTTP/S problem....

      The error when browsing to the directory is normal.
      While StartSSL is trusted by Microsoft, it is only trusted if the client is getting root certificate updates. Outlook cannot cope with certificate prompts and the authentication prompt is the classic side effect of that.

      The other cause is an authentication mismatch - so you have integrated authentication enabled on the virtual directory and basic enabled in the client. Or worse - you have anonymous enabled on the virtual directory.

      Finally it might be an issue with ISA server. I can't help with that as I prefer to use a real firewall.

      Simon Butler
      Exchange MVP

      Sembee is a registered trademark, used here with permission.
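
The authentication-mismatch check described in post #3, as an added example that is not part of the thread: it reads the response a server gives to an unauthenticated request for the RPC virtual directory and compares the offered schemes with the method selected in the Outlook proxy settings. The response text, the host name `mail.example.test` and the helper names are constructed for illustration, and the rule that an NTLM client needs an NTLM challenge is an assumption of this sketch.

```python
# Added example: compare the auth schemes a virtual directory advertises with
# the method the Outlook client is set to use. All responses are constructed.

def parse_head(raw):
    """Split a raw HTTP response head into (status code, [(name, value), ...])."""
    lines = raw.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        if not line:                      # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status, headers

def offered_schemes(headers):
    """Collect the scheme token of every WWW-Authenticate header, lowercased."""
    schemes = set()
    for name, value in headers:
        if name.lower() == "www-authenticate" and value:
            schemes.add(value.split(None, 1)[0].lower())
    return schemes

def diagnose(raw, client_auth):
    """client_auth is 'basic' or 'ntlm' (the Outlook proxy setting)."""
    status, headers = parse_head(raw)
    if status == 200:
        # An unauthenticated request was served: anonymous access is enabled.
        return "anonymous-enabled"
    if status != 401:
        return "unexpected-status"
    # Assumption: the client's NTLM setting is satisfied only by an NTLM challenge.
    return "match" if client_auth in offered_schemes(headers) else "mismatch"

# Constructed sample responses
BASIC_ONLY = ("HTTP/1.1 401 Unauthorized\r\nServer: Microsoft-IIS/6.0\r\n"
              'WWW-Authenticate: Basic realm="mail.example.test"\r\n\r\n')
INTEGRATED = ("HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\n"
              "WWW-Authenticate: NTLM\r\n\r\n")
ANONYMOUS = "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("basic-only", BASIC_ONLY), ("integrated", INTEGRATED),
                       ("anonymous", ANONYMOUS)):
        print(label, "->", diagnose(raw, "basic"))
```
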


      • #4
        Re: Another RPC over HTTP/S problem....

        hmmm..... I don't get any certification prompts while browsing the rpc url https://exchange/rpc internally. No prompt means the certificate is already trusted, right? And upon checking the Trusted Root Certs on my client's PC, STARTCOM CA is already there.

        As for authentication, as I checked, only the default web site has the ANONYMOUS login checked. I tried changing it to use integrated and basic authentication but it makes no difference at all; I still got endless authentication popups. Anyway, do I also need to modify the properties of the RPCwithCert directory or just the RPC?

        Currently I'm testing the connectivity internally, so ISA has nothing to do with those errors I'm getting on the OUTLOOK client.


        • #5
          Re: Another RPC over HTTP/S problem....

          Finally...... Got it working!!!!

          I'm not sure, but I think the culprit was the certificate trust on my GC & DC: STARTCOM SSL wasn't on the TRUSTED CA. I tried browsing the rpc url on this machine and got an error that it wasn't trusted and cannot locate the certificate authority. I then tried to set internet access outbound on this machine through the ISA server so it can communicate with STARTCOM CA. Now my GC/DC can validate the cert. Going back to my internal Outlook client, I then tried to connect via RPC over HTTPS and BOOM! It connects via HTTPS with just authenticating once.

          Second, I played with the authentication methods on the Default Web Site in IIS. What I noticed is that once I changed the default setting (which in my case was Anonymous access enabled as default after installing Exchange) from Anonymous access to Integrated and Basic Authentication, the endless authentication prompt problem disappears and I can log on by just typing once. Weird, as this wasn't discussed by any guides/tutorials/articles on the internet.

          As of now my internal RPC over HTTPS is working. I'll try my external client later when I get home and I'll provide you feedback.



          • #6
            Re: Another RPC over HTTP/S problem....

            Tested my external client via my DSL line at home; seems to work just fine. Connection is so smooth it's like I'm just authenticating inside my internal LAN.


            Thanks for citing out the certificate and authentication problem possibilities. Helped me big time!!!

            You're a GAWD!!!

            Thank you so much!!!!!