Open issue: RPC OVER HTTPS (cert problem)


  • Open issue: RPC OVER HTTPS (cert problem)


    I've posted this issue before but now I have more information.

    I have two questions:


    I have one Exchange 2003 (without SP1) server which is also the DC (Windows Server 2003 + SP1).
    Client: XP + SP1, Outlook 2003 + SP1.
    I didn't install SP1 for Exchange because last time I installed it the server didn't come up after the restart. Furthermore, RPC over HTTP doesn't require SP1 for Exchange (but I will try to install it again next time I have a rollback option).

    I followed the articles:

    Configure SSL on OWA
    Configure RPC over HTTP/S on a Single Server
    Configure SSL on Your Website with IIS
    Configure Outlook 2003 to use RPC over HTTP/S
    Testing RPC over HTTP/S Connection

    I've already implemented SSL with OWA (I used a third-party CA (StartCom),
    which is unknown to the clients until I install it myself; I didn't
    use my own CA for security reasons).


    Configured Exchange to use RPC over HTTP/S.

    Configured the RPC virtual directory in Internet Information Services.

    Configured the RPC proxy server to use specific ports.
    (did all the changes necessary for Exchange without SP1)

    Configured the client computers to use RPC over HTTP/S

    I'm trying to access from the LAN:
    outlook.exe /rpcdiag

    I see it still uses TCP/IP.
    I tried to force it (only caused trouble; the ESM didn't run).

    When trying to connect through the WAN I get the logon box (where I need to
    enter the user/password)

    and I get a message that the Exchange server is unavailable (while I
    know it is up).

    Kill me, I dunno, I followed all the steps carefully.

    2. One more problem is when I'm trying to connect simply by Outlook
    from the WAN (without using SSL and all that stuff) to my Exchange server.
    I'm entering my Exchange server (external FQDN) in the profile
    configuration and it doesn't work, only the IP, but when I use OWA from the
    WAN there is no problem in resolving names (DNS seems to work fine).
    Furthermore, when I complete the profile wizard I try to connect
    and I get the user/password box (because I'm entering from a computer
    which is not part of the domain) and every time I insert the
    credentials the box jumps back, as if there is a problem with the
    I'm sure my user/password is correct.

    When I enter the server's IIS admin -> Default Web Site -> Properties,
    I view the cert and see a yellow exclamation mark on the certificate. It
    says "Windows does not have enough information to verify this
    certificate", and when I enter with the client to OWA using SSL,
    although I use the StartCom cool link in order to install the cert on
    the client, I continue to get the yellow/green message (as you call
    it) and the error is "The name on the security certificate is invalid
    or does not match the name of the site". And that's after I've
    imported the cert to the trusted root both on the server and the
    client. Furthermore, I used in the common name, so
    what's the problem??? How can I fix this issue? Do I need to use my
    own CA???


  • #2
    Re: Open issue: RPC OVER HTTPS (cert problem)

    hi buddy,

    I am one of you; I am also facing the same problem for the last two weeks. Mr. Daniel, we badly need your help on this, please.



    • #3
      Re: Open issue: RPC OVER HTTPS (cert problem)

      The message about the certificate not being recognised means that the root certificate isn't on the server.
      I don't believe that StartCom root certificates are installed on servers or workstations natively, so would fail the certificate checks.

      If you browse to https// (where is the name on your certificate), do you get a username and password prompt? Do you get a certificate prompt?

      If you ping (again where is the name on your certificate) do you get a response from the internal IP address of the Exchange server?

      The key thing is to check that it works inside first.
      The second thing is to ensure that you don't get any certificate prompts when browsing.

      RPC over HTTPS is very sensitive - a single semi colon or other error can cause the feature to fail.

      Simon Butler
      Exchange MVP

      More Exchange Content:
      Exchange Resources List:
      In the UK? Hire me:

      Sembee is a registered trademark, used here with permission.


      • #4
        Re: Open issue: RPC OVER HTTPS (cert problem)

        When I browse to https// from the LAN I get the certificate prompt about the name (being different and all).
        From the WAN I don't get a response to ping because I have a Checkpoint VPN + firewall,
        and from the LAN the DNS doesn't know the record but it has an MX record for the internal FQDN.
        Listen, I've now removed the StartCom cert from the default web site and built my own CA.
        I followed the msexchange article step by step and added the .crt and .cer files to the trusted root CA. Now, I still haven't checked RPC over HTTPS because connecting through OWA still prompts errors, and like you and others said it needs to be perfect access before trying the RPC method. The sign I had before when I chose to view the cert on the default web site has disappeared, but the clients still get the cert warning. Now they don't get an exclamation mark but instead they get a red X. Why???
        Furthermore, when I configured the cert I used for both "issued by" and "issued to" common names (but it's supposed to be like that, no?).



        • #5
          Re: Open issue: RPC OVER HTTPS (cert problem)

          To get the name working inside you need to configure split DNS. This is well documented on the web site. I also have a document on my own.

          There is a bug in RPC over HTTPS where it doesn't detect where it is very well.
          In theory you are supposed to be able to set the feature to use RPC over HTTPS when it is outside of the LAN and then TCP/IP when it is inside.
          In practice, it is easily confused by home networks, so I set it to use RPC over HTTPS for all types of connection. That then means it needs to be able to connect when on the LAN.

          The other reason that I ask people to set it up to work in this way is so that you can test the feature without a firewall being in the way. If it doesn't work inside, then it will not work outside either.

          Using your own certificates is just as bad as the StartCom certificates - they are not trusted by the systems natively. Each client deployment would involve importing the certificate on to the client first, then configuring the feature.
          When the certificate expired, you would then have to visit every client once again.

          For this reason, I only deploy the feature using a commercial certificate that is trusted by the machines without any changes. I tend to use RapidSSL StarterSSL as they are only $69 a year.

          Sort out how you are going to access the web server first, and get that working. Until you do that, you cannot even start to look at Outlook.

          Last edited by Sembee; 15th July 2011, 12:33. Reason: URL Correction
          Simon Butler
          Exchange MVP



          • #6
            Re: Open issue: RPC OVER HTTPS (cert problem)

            Dear Simon,

            Let's put all the theory aside for a sec.
            Let's put RPC over HTTPS aside too,
            and put aside all the IT and administration cost of deploying an unknown cert.

            Very simple: OWA with SSL.

            If I have configured my own CA, followed the steps, used a good configuration, authorized my own SSL cert, applied the cert on the default web site, and inserted the cert manually into the trusted root.
            Now, entering from LAN/WAN whatsoever, after getting the first warning about the cert on the first login, and after installing it (from the padlock) and manually inserting the cert into the trusted root CA on the client, why do I still get the warning and the message "The certificate cannot be verified up to a trusted certification authority"?

            Why the hell doesn't it work?
            Would you like to log in to my network tomorrow and give it a try?
            Last edited by kopal; 4th July 2006, 18:47.


            • #7
              Re: Open issue: RPC OVER HTTPS (cert problem)

              I FIGURED IT OUT,
              IT IS WORKING

              After reading so many articles and eating a lot of dirt.

              First of all, CERTIFICATE ISSUES

              I solved it by using my own CA, following the msexchange article.
              That solved the error on the certificate on the server side.
              On the client I still had problems, so I installed it manually and inserted it into the trusted root CA. (The strange thing is: it took a day; the next morning I came in and there weren't any errors on the certificate all the way up the cert path. You can check it by clicking the padlock in Explorer.)
              First of all you have to be sure OWA with SSL works fine (implementing OWA with SSL is part of the implementation of RPC over HTTPS because you use the cert on the default web site all the way down to the RPC virtual directory). RPC is sensitive to cert issues, unlike OWA, which you can proceed to work with.
              If you try to connect through the LAN the cert warning message will appear because you use the internal FQDN ( and the name you use doesn't match the common name you used on the cert ( (3rd problem on the message).
              If you fixed the errors of the cert, you should try to connect from the WAN
              to OWA, and if no warning appears, you are on the right track.

              Second, when you configure the Outlook profile you must be very careful and don't underestimate the article. Sometimes you read it very fast and you say to yourself "it is a piece of cake" and then you miss some of the "pay attention" notes, like I did.

              Well, I told you that I had a problem while setting up the profile: the client can't resolve when entering the Exchange server name, and one more problem is when you finish configuring it (the wizard doesn't tell you there is a problem in the configuration) and you try to enter the user and password in the login, the credentials message jumps back. Well, that's because when I entered the "Exchange server name" in the text box, I thought "ha, simple, I know; it's" but NO.
              You should use the internal name of the server: the NETBIOS NAME (server name).

              I think it makes sense, because when you reach the RPC proxy it forwards your request to the Exchange server and it uses the name you insert in the "Exchange server name" text box, but it doesn't know what is; it knows only the internal name, the NETBIOS NAME.

              Other configuration should be the same (I mean the URL of the Exchange proxy -> mail.domain.com).

              So, I want to say thanks to all the guys who helped me.
              You're the best.
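The three independent checks behind the browser certificate warning this thread keeps running into (trusted issuer, validity period, host name match), as an added example that is not part of the original thread, of Exchange, or of any Microsoft tooling. It runs offline on constructed certificate data in the dictionary shape Python's `ssl.SSLSocket.getpeercert()` returns; the host names (`mail.example.com`, `exch01.corp.local`), the DNs and the dates are assumptions. It shows why importing a self-signed certificate into the Trusted Root store clears the trust error in posts #4 and #6 but does nothing for the name-mismatch error you get when browsing by the internal FQDN from the LAN, which is the gap the split-DNS advice in #5 closes, and why a certificate whose "issued to" and "issued by" are identical is simply self-signed.

```python
"""Reproduce the three independent checks behind a browser's certificate warning
(trusted issuer, validity period, host name match) on constructed certificate
data in the shape returned by ssl.SSLSocket.getpeercert(). Added example."""
import datetime
import ssl


def _dn(*pairs):
    """Distinguished name in getpeercert() shape: tuple of single-attribute RDNs."""
    return tuple((pair,) for pair in pairs)


def _dn_to_dict(dn):
    return {attr: value for rdn in dn for (attr, value) in rdn}


def is_self_signed(cert):
    """'Issued to' equals 'Issued by': the certificate signed itself (post #4)."""
    return _dn_to_dict(cert["subject"]) == _dn_to_dict(cert["issuer"])


def issuer_trusted(cert, trusted_roots):
    """Trust as the Trusted Root store sees it: the issuer DN must be the subject
    of a stored certificate. A self-signed cert is its own issuer, so importing
    that exact cert makes it trusted. Signature verification and intermediate
    chaining, which a real validator also does, are omitted here."""
    return _dn_to_dict(cert["issuer"]) in trusted_roots


def validity_problem(cert, now):
    """Return 'not_yet_valid', 'expired' or None for an aware UTC datetime."""
    ts = now.timestamp()
    if ts < ssl.cert_time_to_seconds(cert["notBefore"]):
        return "not_yet_valid"
    if ts > ssl.cert_time_to_seconds(cert["notAfter"]):
        return "expired"
    return None


def name_matches(cert, hostname):
    """RFC 6125-style matching: subjectAltName dNSName entries win, the subject
    commonName is only a fallback when no SAN is present, and a wildcard covers
    exactly one leftmost label (never the bare parent domain)."""
    names = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        cn = _dn_to_dict(cert["subject"]).get("commonName")
        names = [cn] if cn else []
    host = hostname.lower().rstrip(".")
    for pattern in names:
        pattern = pattern.lower().rstrip(".")
        if pattern.startswith("*."):
            if host.endswith(pattern[1:]) and host.count(".") == pattern.count("."):
                return True
        elif pattern == host:
            return True
    return False


def certificate_problems(cert, hostname, trusted_roots, now):
    """The warning dialog reports each failed check separately; so does this."""
    problems = []
    if not issuer_trusted(cert, trusted_roots):
        problems.append("untrusted_issuer")
    when = validity_problem(cert, now)
    if when:
        problems.append(when)
    if not name_matches(cert, hostname):
        problems.append("name_mismatch")
    return problems


# Constructed sample data; the names, DNs and dates are assumptions.
PUBLIC_CA = _dn(("organizationName", "Example Public CA"), ("commonName", "Example Root"))
CA_SIGNED = {"subject": _dn(("commonName", "mail.example.com")), "issuer": PUBLIC_CA,
             "subjectAltName": (("DNS", "mail.example.com"),),
             "notBefore": "Jan  1 00:00:00 2006 GMT", "notAfter": "Jan  1 00:00:00 2007 GMT"}
SELF_SIGNED = {"subject": _dn(("commonName", "mail.example.com")),
               "issuer": _dn(("commonName", "mail.example.com")),
               "notBefore": "Jun  1 00:00:00 2006 GMT", "notAfter": "Jun  1 00:00:00 2007 GMT"}
NOW = datetime.datetime(2006, 7, 4, 18, 47, tzinfo=datetime.timezone.utc)
EMPTY_STORE = []                                                # stock client, nothing imported
STORE_WITH_SELF_SIGNED = [_dn_to_dict(SELF_SIGNED["subject"])]  # the cert imported by hand


def thread_scenarios():
    """The situations the thread walks through, in order."""
    ext, lan = "mail.example.com", "exch01.corp.local"
    return {
        "third-party root not in store": certificate_problems(CA_SIGNED, ext, EMPTY_STORE, NOW),
        "own cert, not yet imported": certificate_problems(SELF_SIGNED, ext, EMPTY_STORE, NOW),
        "own cert imported, external name": certificate_problems(SELF_SIGNED, ext, STORE_WITH_SELF_SIGNED, NOW),
        "own cert imported, internal FQDN from the LAN": certificate_problems(SELF_SIGNED, lan, STORE_WITH_SELF_SIGNED, NOW),
        "same cert after it expires": certificate_problems(SELF_SIGNED, ext, STORE_WITH_SELF_SIGNED, NOW.replace(year=2008)),
    }


if __name__ == "__main__":
    for scenario, problems in thread_scenarios().items():
        print(f"{scenario}: {problems or 'no warning'}")
```

The last two scenarios are the ones Simon's advice is about: a certificate with only a CN and no subjectAltName can match exactly one name, so the LAN must resolve the external name to the internal server (split DNS) rather than users browsing by the internal FQDN, and an imported private root has to be re-imported on every client when the certificate rolls over, which is why a publicly trusted certificate is cheaper in practice.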