RPC over HTTP/S Error 401.3 after Windows 2003 SP1

Error message 401.3 when setting up RPC over HTTP/S on Exchange 2003, after installing SP1 for Windows Server 2003

RPC over HTTP/S is a cool method for connecting your Outlook 2003 client to the corporate Exchange Server 2003 from the Internet or WAN, without the need to establish a VPN session to the corporate LAN and/or needing to open many ports on your corporate firewall. The only ports you’ll need to open on your firewall are TCP 80 and, if using SSL, TCP 443.

The process of setting up the RPC over HTTP/S connection is outlined in the Configure RPC over HTTP/S on a Single Server article.

Last week I had to set up such a connection for one of my clients. We followed the exact procedures outlined in the above article, and one of the first steps was to install the RPC Proxy component on the Exchange Server.

After installing the RPC Proxy component one needs to perform some changes on the RPC virtual directory in IIS, and then configure the default web site to use a Digital Certificate (see Obtain a Digital Certificate from an Online Certificate Authority (CA) and Obtain a Digital Certificate from a 3rd Party Certificate Authority (CA) for more info).

After you’ve configured the website to use a certificate you now need to check the availability of the connection by surfing to the RPC virtual directory with Internet Explorer (by going the the https://servername/RPC url), logging on as one of the domain users, and waiting to receive a "normal" error message. The "normal" error message described below is supposed to be an indication that the RPC Proxy is indeed functioning correctly:

HTTP Error 403.2 – Forbidden: Read access is denied.

rpc over http error3 small

As a side note, I am aware of the many installation scenarios for the RPC over HTTP/S connection, however in that specific instance, my client only had one Exchange Server 2003 (installed on Windows Server 2003), and no ISA or Front End Exchange server.

Before installing the RPC Proxy component we decided it’s about time to update the server with the latest Service Pack, and in this case – it was SP1 (the last and only SP available for Windows Server 2003 – see Download Windows 2003 SP1).

I’ve done this many times, however unknown by me at that time, it seems that Windows Server 2003 SP1 changes something in how the RPC Proxy mechanism is integrated with IIS, and the first clues for such a potential problem are slowly beginning to surface on the Internet.

One of the visual signs for this change is the fact that when you now try to connect to the RPC virtual directory you cannot seem to be able to log on, even though you’re using a correct username and password, and not even when it’s the administrator’s account.

First, you get the logon pop-up box, and you enter the right username and password:

rpc over http error1 small

But then you get it again, and again, and after 3 times it bombs out with a different error, not the one that you were supposed to receive:

HTTP Error 401.3 – Unauthorized: Access is denied due to an ACL set on the requested resource.

rpc over http error2 small

Naturally, you start looking where you got it wrong. I’m not saying that you can be 100% sure that you did NOT get it wrong. Errors can happen, and typos and syntax errors are more than common. However if you do follow the outlined procedure found in the Configure RPC over HTTP/S on a Single Server article you can be almost sure that you got it right.

From what I found, it seems that this error message does not prevent you from successfully configuring RPC over HTTP/S, and if you follow the outlined procedures found in the above article you will be able to connect your Outlook 2003 client to your Exchange Server 2003 server successfully.

Related articles

You may find these related articles of interest to you:

Links

Exchange Server 2003 RPC over HTTP Deployment Scenarioslink out ico

How to configure RPC over HTTP on a single server in Exchange Server 2003 – 833401link out ico

RPC over HTTP Securitylink out ico

RPC over HTTP Deployment Recommendationslink out ico