Exchange Server Forums


Outlook Anywhere/RPC over HTTP not working Exchange 2007

Outlook Anywhere/RPC over HTTP not working Exchange 2007 - 30.Aug.2007 2:55:31 PM   
sfosmire

 

Posts: 7
Joined: 26.Mar.2007
Status: offline
I posted this to the experts-exchange.com & petri.co.il forums as well. Sorry if that disturbs anyone.

This is a brand new installation of Exchange 2007 on a brand new installation of Windows Server 2003 R2 Standard x64 Edition. Single server domain. RPC over HTTP Proxy is installed in Windows. Server is a Certificate Authority, I created a self signed certificate request in IIS, generated the certificate, installed/imported certificate into Exchange, enabled said certificate for SIP & W no U. (Not using P or I, but just enabled them in case I need it later.) Checked in IIS and the Certificate listed there has the same Thumbprint as listed in Exchange. There are two directories now added to IIS Default Web Site: RPC and RPCwithCert both pointing to C:\Windows\System32\RPCProxy.

In Exchange Management Console (EMC) I then went to Server Configuration, Client Access and enabled Outlook Anywhere. I put in the internal FQDN for the server, which is the same as the external FQDN for this server, Basic Authentication is selected, Allow SSL offloading is unchecked. I have an internal DNS using that FQDN pointing to the internal private IP address and our external DNS points to our public IP. When I ping internally I get the correct IP address. I've added an external DNS entry for autodiscover for this server as well. In IIS on the default web site I have a host header entry for the FQDN as well as autodiscover.

I have gone to https://FQDN/Certsrv, logged in (accepting a cert error about trusted root status) then installed the certificate chain in IE 7 on my Windows XP Professional workstation (which is not joined to the domain and my local username and password are different from the domain), and Outlook Web Access (OWA) works perfectly with no cert error (my self CA is now in my trusted roots.) I can access OWA internally and externally.

I set up Outlook 2007 to do Outlook Anywhere, put in the FQDN, set it to basic authentication, set it to try to do HTTP first on both fast and slow networks. Outlook /rpcdiag reports connecting on TCP-IP internally and externally it won't connect because RPC over HTTP isn't working. When connected internally I did the "test e-mail autoconfiguration" (hold ctrl key, right click Outlook icon in system tray, choose test e-mail configuration) and it connects fine to the autodiscover.FQDN and reports:
Autoconfiguration found the following settings:
Display Name: Administrator

Protocol: Exchange RPC
Server: servername.domain.com [note it actually has our FQDN here]
Login Name: administrator
Availability Service URL: https://FQDN/EWS/Exchange.asmx
OOF URL: https://FQDN/EWS/Exchange.asmx
OAB URL: http://FQDN/OAB/hexidecimal#matchingOABdirectory#/
Unified Message Service URL: https://FQDN/UnifiedMessaging/Service.asmx
Auth Package: Unspecified

Protocol: Exchange HTTP
Server: same name as above FQDN
Login: administrator
SSL: Yes
Mutual Authentication: Yes
Availability Service URL: https://FQDN/EWS/Exchange.asmx
OOF URL: https://FQDN/EWS/Exchange.asmx
OAB URL: http://FQDN/OAB/hexidecimal#matchingOABdirectory#/
Unified Message Service URL: https://FQDN/UnifiedMessaging/Service.asmx
Auth Package: Basic
Certificate Principal Name: msstd:FQDN
-end report-
One note, before I correctly configured the autodiscovery DNS entries, I would get synch errors in Outlook about the OAB and a missing URL, after I added the DNS entry, that went away.  However, one should be able to go in a web browser to https://FQDN/OAB/hexidecimal # of OAB dir/oab.xml and get an xml page returned (in IIS I have verified that OAB points to the ClientAccess OAB directory and got the hex # from there.)  When I try this internally and externally I get an http 500 error. I did a
[PS] U:\>Test-OutlookWebServices -identity administrator | format-list

Id      : 1003
Type    : Information
Message : About to test AutoDiscover with the e-mail address administrator@FQDN.

Id      : 1006
Type    : Information
Message : Contacted AutoDiscover at https://FQDN/Autodiscover/Autodiscover.xml.

Id      : 1016
Type    : Success
Message : [EXCH]-Successfully contacted the AS service at https://FQDN/EWS/Exchange.asmx.

Id      : 1015
Type    : Success
Message : [EXCH]-Successfully contacted the OAB service at https://FQDN/EWS/Exchange.asmx.

Id      : 1014
Type    : Success
Message : [EXCH]-Successfully contacted the UM service at https://FQDN/UnifiedMessaging/Service.asmx.

Id      : 1016
Type    : Success
Message : [EXPR]-Successfully contacted the AS service at https://FQDN/EWS/Exchange.asmx.

Id      : 1015
Type    : Information
Message : [EXPR]-The OAB is not configured for this user.

Id      : 1014
Type    : Information
Message : [EXPR]-The UM is not configured for this user.

Id      : 1013
Type    : Error
Message : When contacting https://FQDN/Rpc received the error The remote server returned an error: (500) Internal Server Error.

Id      : 1017
Type    : Error
Message : [EXPR]-Error when contacting the RPC/HTTP service at https://FQDN/Rpc.

Id      : 1006
Type    : Success
Message : Successfully tested AutoDiscover.

Id      : 1021
Type    : Information
Message : The following web services generated errors.
             Contacting server in EXPR
         Please use the prior output to diagnose and correct the errors.

-end 2nd report-
All of which basically reports what I already know, that RPC isn't working... On another company's Exchange 2007 server I can go to https://FQDN/rpc, I get a login prompt, then after putting in good credentials, get an "Error: Access is Denied" webpage returned. On this server I don't get a login prompt, I just get an IE HTTP 500 error, just like OAB.

I have checked Get-ExchangeCertificates, and as many other "gets" as I can think of from the multitude of postings out there about how to set up/check on Outlook Anywhere. As far as I can tell everything is correctly set up, but RPC doesn't work.

The C:\Windows\System32\rpcproxy\rpcproxy.dll directory and file are there. The file has a date of 2/17/2007 and is version 5.2.3790.3959. I checked all of the rpcproxy.dll settings etc. but I wasn't able to re-register the dll, got an error. So I uninstalled RPC over HTTP Proxy from Add & Remove Programs. I checked out the rpcproxy directory and the dll disappeared. I deleted the dll in dllcache. The RPC listing in Web Services in IIS Manager disappeared and I deleted the RPC and RPCwithCert virtual dirs under the Default Web Site. I then reinstalled RPC over HTTP Proxy, then I stopped WWW & MS Exchange and restarted them, but can't reboot right now, so I haven't done that yet. The file reappeared in both directories, same file version and date as above, the virtual dirs reappeared in the Default Web Site and the RPC listing in Web Services reappeared too. All to no avail, it still gets the RPC error with Test-OutlookWebAccess.

Full disclosure, I am a consultant and I have set up another 2007 server from scratch in this exact same way for a different company and this all worked flawlessly right out of the box. Just added RPC to Windows, enabled OA, put in the server name, and voila! it worked. I've also recently migrated a company from Exchange 2000 Windows 2000 to a new Windows 2003/Exchange 2007 server and Outlook Anywhere worked fine there too.
I can't for the life of me figure out what else to check, or what could possibly have gone wrong.  Anyone have any ideas?  Please help me, I really don't want to start over, the user mailboxes are going to be a pain to export to PST and reimport without EXmerge.   -Steve
Post #: 1
RE: Outlook Anywhere/RPC over HTTP not working Exchange... - 10.Sep.2007 1:27:39 PM   
tech_contact

 

Posts: 10
Joined: 10.Sep.2007
Status: offline
You MUST have a valid External Cert for Outlook Anywhere (RPC over HTTPS) to work properly.  It's listed as a prerequisite by Microsoft.

-Tech_contact

(in reply to sfosmire)
Post #: 2
RE: Outlook Anywhere/RPC over HTTP not working Exchange... - 26.Sep.2007 12:11:51 PM   
sfosmire

 

Posts: 7
Joined: 26.Mar.2007
Status: offline
OK, no one came up with anything at all helpful on this or the other 2 forums, and I did a bunch more testing and diagnosing using a bunch of different MS utilities that other places mentioned, none of which really matters, because they all seemed to tell me the same thing: RPC wasn't working. Not Exchange, not the certificate, not IIS, just RPC wasn't working.

So, what I ended up doing was creating a temporary server with Windows 2003 64 bit, installing Exchange 2007 to it, making it a DC (since my other Exch server was the DC, GC and DNS for the domain). I used the migration utility to move the mailboxes from one server to the other. Then I moved the public folder replicas, deleted the Public folder database on the "bad" server, uninstalled Exch. 2007, dcpromo'd it to remove AD, then removed the server from the Domain. (I also moved all the user directories and files and recreated their shares on the temp server, edited the login script, oh, and I made the temp server the operations master for all of the Domain/AD roles as well as a GC.)

With the "bad" server out of the domain and everything functioning just fine on the temp server, I just wiped it clean and reinstalled from scratch. I installed Windows server 2003 x64, then service packed it, joined the Domain, made it a Domain controller, DCpromo'd it back to being a DC, moved the DC/AD roles all back to it, made it a GC server, installed DNS and made sure everything synchronized just fine. Then I reinstalled Exchange 2007 and RPC over HTTP Proxy, created a test account on the newly reinstalled server and voila! RPC over HTTP/S worked perfectly right out of the box as it is supposed to. I moved the mailboxes back, did everything necessary to make Exchange 2007 be the way it should be and I was done.

What a hassle. But maybe this will encourage someone else to just start over instead of beating their head against a wall, and if it makes it easier for someone else, then this forum will have done its job.

By the way, in response to the post saying that MS requires a "valid external cert": If you mean a certificate from a "real" CA, this just isn't true. I created a self signed certificate from my server that has Certificate Services on it and it works just fine for RPC and everything else. Just remember to go to https://yourownserver.com/Certsrv and click on download the certificate chain, then install the certificate chain and you'll be fine for RPC over HTTP with Outlook 2003 & 2007. Don't just do the https: to your server and try to click on "install certificate"; you need to actually get your self CA into the trusted roots, not just the certificate. The only thing that paying for a "real" certificate from a CA like Verisign or Thawte gets you is that they are in the trusted roots by default and you don't have to add them.

If you meant that you have to run the enable-ExchangeCertificate for the imported certificate and specify the services (SMTP, IMAP, POP, Unified Messaging, IIS) that the cert is for, then that was already the case.

OK, one caveat here: for "locked" mobile devices (the Samsung Blackjack for instance), where they only allow you to install approved apps from the wireless provider, you won't be able to download and install the chain, so for those and (as far as I know) only those locked devices you would need a "real" certificate from a "real" CA that you pay money for. Most other MS active sync or Windows Mobile devices play fair and let you install certificate chains.

Good luck if you are reading this because you have this problem, I can sympathize. -Steve

(in reply to tech_contact)
Post #: 3
RE: Outlook Anywhere/RPC over HTTP not working Exchange... - 1.Oct.2007 4:03:10 PM   
MarcG

 

Posts: 4
Joined: 1.Sep.2007
Status: offline
Man I think I love you.

I use a self-signed certificate too and the only way I had found to get it working was to install the certificate on ie6 before upgrading to ie7.

Why no sites mention this /certsrv/ requirement is beyond me.

Thanks a bunch for posting this info!

(in reply to sfosmire)
Post #: 4
RE: Outlook Anywhere/RPC over HTTP not working Exchange... - 4.Oct.2007 11:03:04 AM   
de.blackman

 

Posts: 1436
Joined: 4.Apr.2005
From: Toronto, Canada
Status: offline
Exchange 2007 works fine with internally created certificates. Microsoft recommends using 3rd party certificates because their root certificate is already trusted by their operating systems. If you are going to use an internal certificate, as sfosmire mentioned, all you have to do is download the root certificate to every single client that will connect to the exchange server (internal workstations and laptops; machines at homes that will use Outlook AnyWhere; Mobile devices that will use ActiveSync). In addition, Exchange 2007 requires a certificate that has multiple subject alternate names on it. By default a certification authority does not allow the creation of these types of certs without slight modifications to the certificate templates on the cert server. This is a hassle for a lot of companies, hence the reason why Microsoft "recommends" a 3rd party certificate.

_____________________________

De BlackMan
List Moderator
"Did you backup your Information Store Today?!"

(in reply to MarcG)
Post #: 5
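
The two client-side checks described in posts 3 and 5 (the issuing CA must be in the client's trusted roots, and the certificate must list every host name clients connect to), as an added example that is not code from any poster in this thread. It assumes PowerShell 5.1 or later with .NET Framework 4.7.2 or later on the client being checked; the function name `Test-CasCertificate` and the `example.test` host names are hypothetical, and the sample certificate is constructed in the script.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Added example, not from the thread. Test-CasCertificate is a hypothetical name.
function Test-CasCertificate {
    param([Parameter(Mandatory)] [X509Certificate2] $Certificate,
          [Parameter(Mandatory)] [string[]] $RequiredNames)
    # 1. Trust: build the chain against this machine's certificate stores.
    $chain = [X509Chain]::new()
    # Revocation is skipped: a private CA's CRL is often unreachable off-site.
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    $trusted = $chain.Build($Certificate)
    $chainErrors = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    # 2. Names: DNS entries of the subjectAltName extension (OID 2.5.29.17).
    $dnsNames = @()
    $sanExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) {
        # Format() prints "DNS Name=host" on Windows and "DNS:host" elsewhere.
        $pattern = '(?:DNS Name=|DNS:)([^,\s]+)'
        $dnsNames = @([regex]::Matches($sanExt.Format($false), $pattern) |
            ForEach-Object { $_.Groups[1].Value })
    }
    if (-not $dnsNames) {
        # No SAN present: fall back to the subject common name.
        $dnsNames = @($Certificate.GetNameInfo([X509NameType]::SimpleName, $false))
    }
    $missing = @($RequiredNames | Where-Object {
        $name = $_
        -not ($dnsNames | Where-Object {
            # Exact match, or a wildcard covering exactly one left-most label.
            $_ -eq $name -or ($_.StartsWith('*.') -and
                $name -match ('^[^.]+' + [regex]::Escape($_.Substring(1)) + '$'))
        })
    })
    [pscustomobject]@{ ChainTrusted = $trusted; ChainErrors = $chainErrors
                       DnsNames = $dnsNames; MissingNames = $missing }
}

# Constructed sample: self-signed, SAN lists only mail.example.test.
$req = [CertificateRequest]::new('CN=mail.example.test', [RSA]::Create(2048),
    [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$san = [SubjectAlternativeNameBuilder]::new()
$san.AddDnsName('mail.example.test')
$req.CertificateExtensions.Add($san.Build())
$now = [DateTimeOffset]::UtcNow
$cert = $req.CreateSelfSigned($now.AddDays(-1), $now.AddDays(30))
Test-CasCertificate -Certificate $cert `
    -RequiredNames 'mail.example.test', 'autodiscover.example.test' | Format-List
```

Because the sample certificate's issuer is not in Trusted Root Certification Authorities, `ChainTrusted` is False with `UntrustedRoot` in `ChainErrors`, and `MissingNames` lists `autodiscover.example.test`. To check a real deployment, pass the server certificate exported to a .cer file, loaded as an `X509Certificate2`, in place of the constructed one.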
