Exchange Server Forums

Repeated Authentication with Outlook 2003 and RPC over HTTPS

Repeated Authentication with Outlook 2003 and RPC over ... - 26.Dec.2006 11:25:27 PM   
espsgroup

 

Hello all, I'm right on the verge of a migration from Open Exchange to a brand new Exchange 2003 installation. It is a 100% Windows 2003 / XP pro / Exchange 2003 / Outlook 2003 installation. I followed the articles on how to install RPC over HTTPS available here and at Microsoft, with the exception of using "Mutually Authenticate SSL" or whatever that option is. I have tried it with though and that doesn't seem to be it.

Our server is repeatedly asking for username/password authentication from Outlook. It will not save the password, and it wants to re-authenticate every few hours it seems. Is this normal behavior? I really want to tell my users they won't have to do this all the time. It doesn't matter whether they are inside our network or outside, VPN or not. It works as long as they re-authenticate, but it's a PITA to our users.

Any ideas?

Thanks all!
Post #: 1
RE: Repeated Authentication with Outlook 2003 and RPC o... - 27.Dec.2006 12:50:24 AM   
_shArk_

 

Hi- how is your Exchange architecture set up? Are you running a single exchange server and publishing from there or are you using a front-end exchange server as well? Are you publishing the RPC/HTTP with ISA? Using an HTTPS url?
Most of the time, the authentication issues will be located in one of three places:
1) the IIS settings or
2) the Outlook client settings
3) your external publishing method

Normally, you want to use the MSSTD:yourserver.exchange.com in the Outlook RPC/HTTP settings, and basic authentication.
I would suggest using ISA to publish out the external RPC/HTTP access and increase your layer of security. Using ISA makes the publishing easier, IMO.
I would also suggest using a front-end exchange server. Any pizza-box server will work since you are not going to host mail stores. You can run an installation of Exchange and then stop the info store service store.exe.

Have a read through this link: http://www.isaserver.org/tutorials/ISA-Firewall-Publishing-OWA-RPC-HTTP-Single-IP-Address-Part4.html 

Also, please run through these Technet Center links for RPC/HTTP on Exchange: http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3RPCHTTPDep/54d5b4f9-9b11-4bfd-88c3-337e83aaa44a.mspx?mfr=true

Sometimes setting this up initially can be tricky, especially since you are running live now and can't bounce things around a lot and test. If you can provide some more detailed info like event log errors I'll try to help narrow it down for you.

_____________________________

~~~~)shArk>

(in reply to espsgroup)
Post #: 2
RE: Repeated Authentication with Outlook 2003 and RPC o... - 27.Dec.2006 1:02:01 AM   
_shArk_

 

quote:

ORIGINAL: espsgroup
Our server is repeatedly asking for username/password authentication from Outlook. It will not save the password, and it wants to re-authenticate every few hours it seems.


Another thing to check, because this sounds to me like your remote Outlook client cannot authenticate to Active Directory through Exchange. Try this using a laptop:
1. Open your Outlook client inside the LAN and get the mailbox open.
2. Make sure you have the RPC/HTTP settings set up as you think they should be.
3. Leave Outlook open, put the laptop in standby and leave the LAN. Hook up to an external internet connection and fire up the laptop. You should hopefully see Outlook try to connect and prompt you for the user / pass.
Now, if you do not connect, do this: See the Outlook icon in the sys tray? Hold down the CTRL key and right-click on that icon. You should see an entry in the context menu that says "Connection Status..." - click that, a window should open and it should show you where your Outlook client is trying to connect to. You should see a connection to your local Exchange server as 'Directory' and 'Mail' with avg number of requests, errors, etc. And note that the connection type is HTTP or HTTPS.
This will help you figure out where in the connection chain things are failing. Post a screenshot if possible.

< Message edited by _shArk_ -- 27.Dec.2006 1:05:00 AM >


_____________________________

~~~~)shArk>

(in reply to espsgroup)
Post #: 3
RE: Repeated Authentication with Outlook 2003 and RPC o... - 27.Dec.2006 10:19:01 AM   
de.blackman

 

Hi espsgroup,

From what I'm understanding, the clients do get authenticated to the Exchange server but every so often they are asked for credentials. This usually means that the client loses communication with the global catalog server. What you may want to check is the ValidPorts key on the Exchange RPC Proxy server. Confirm you have the following entries:

Mailbox_server_Netbiosname:6001-6002;Mailbox_server_FQDN:6001-6002;GC_NetBiosName:6004;GC_FQDN:6004

Also confirm that in the case you have more than one mailbox server, all entries are entered for them. Confirm that you are able to successfully telnet to all your Windows 2003 GCs on port 6004 as well.

_____________________________

Ibrahim Benna - Microsoft Exchange MVP
Forum Moderator
Navantis
@IbrahimBenna

(in reply to _shArk_)
Post #: 4
RE: Repeated Authentication with Outlook 2003 and RPC o... - 27.Dec.2006 12:53:04 PM   
espsgroup

 

@_shArk_ -- Thanks for the reply. Our infrastructure is built on VMWare ESX 3 with a SAN backend (Sun X4200 servers). It makes the hardware pretty standard for Windows and it seems to work well.

The deployment is a single Exchange 2003 Enterprise with a GFI Mail Essentials server relaying SMTP in front of it. I don't run ISA server, but I will try to install it and publish RPC that way. Right now I have a second interface on my Exchange server. It's locked down through a hardware firewall, but I don't like the direct access to it. This is something I've been meaning to check out.

I have looked at my Outlook Connection Status and RPC over HTTPS does indeed work after authentication. The issue is a repeat authentication request several hours later, and Outlook doesn't save the password. I just didn't think Outlook would have to request authentication information if you were already logged onto the domain on the local machine.


@de.blackman -- We have three GC servers, including the exchange server and our two dns servers. My Valid Ports is:
adcexch01:593;
adcexch01.domain.com:593;
adcexch01:6001-6002;
adcexch01.domain.com:6001-6002;
adcexch01:6004;
adcexch01.domain.com:6004;
adcdc01:593;
adcdc01.domain.com:593;
adcdc01:6004;
adcdc01.domain.com:6004;
adcdc02:593;
adcdc02.domain.com:593;
adcdc02:6004;
adcdc02.domain.com:6004

I can telnet to port 6004 on all of them.




(in reply to _shArk_)
Post #: 5
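
The ValidPorts check from posts 4 and 5, as an added example that is not part of any post in this thread: it parses the value posted in post 5 and lists any NetBIOS or FQDN entry that post 4's checklist expects but the value lacks. The server roles passed in (adcexch01 as mailbox server and GC, adcdc01 and adcdc02 as GCs) are assumptions read from post 5, and `reachable` only gives a meaningful answer when run on the RPC proxy server.

```python
import socket

# Ports named in post 4: 6001-6002 on mailbox servers, 6004 on global catalogs.
MAILBOX_PORTS = {6001, 6002}
GC_PORTS = {6004}

# ValidPorts value as posted in post 5, joined onto one string.
POSTED = (
    "adcexch01:593;adcexch01.domain.com:593;adcexch01:6001-6002;"
    "adcexch01.domain.com:6001-6002;adcexch01:6004;adcexch01.domain.com:6004;"
    "adcdc01:593;adcdc01.domain.com:593;adcdc01:6004;adcdc01.domain.com:6004;"
    "adcdc02:593;adcdc02.domain.com:593;adcdc02:6004;adcdc02.domain.com:6004"
)

def parse_valid_ports(value):
    """Parse 'host:port[-port];...' into {lowercased host: set of ports}."""
    table = {}
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        host, sep, spec = entry.rpartition(":")
        lo, _, hi = spec.partition("-")
        if not sep or not host or not lo.isdigit() or not (hi or lo).isdigit():
            raise ValueError(f"malformed ValidPorts entry: {entry!r}")
        lo, hi = int(lo), int(hi or lo)
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port range in entry: {entry!r}")
        table.setdefault(host.lower(), set()).update(range(lo, hi + 1))
    return table

def missing_entries(table, mailbox_servers, gc_servers, domain):
    """Return (name, port) pairs that post 4's checklist expects but are absent."""
    gaps = []
    for short in sorted(set(mailbox_servers) | set(gc_servers)):
        need = (MAILBOX_PORTS if short in mailbox_servers else set()) | (
            GC_PORTS if short in gc_servers else set())
        for name in (short, f"{short}.{domain}"):  # NetBIOS name and FQDN
            have = table.get(name.lower(), set())
            gaps.extend((name, port) for port in sorted(need - have))
    return gaps

def reachable(host, port, timeout=3.0):
    """Scripted form of 'telnet host 6004': True if a TCP connect succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False
```

Calling `missing_entries(parse_valid_ports(POSTED), ["adcexch01"], ["adcexch01", "adcdc01", "adcdc02"], "domain.com")` returns an empty list, so the posted value already covers every entry on the checklist.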
RE: Repeated Authentication with Outlook 2003 and RPC o... - 28.Dec.2006 2:10:00 AM   
_shArk_

 

espsgroup- Wow, sounds like a bit of a head-scratcher. I'm buying you a virtual beer :)

So I'm thinking, you do have some added layers and complexity with the VMware, second interface and GFI. Without seeing actual error logs or a diagram of your network and exchange system, and from your last post, it sounds like some communication is either getting intermittently blocked or dropped between the external RPC/HTTP client and Exchange.
Would there be a possibility of a firewall connection timeout on no port activity for x-period of time? This might lead to the need to re-log in every so often. Is this amount of time random or about the same interval?

I can try and help narrow things down a bit. Have you tried connecting an RPC/HTTP client inside your LAN? You could do this by going into the Outlook RPC/HTTP connection settings and select 'use RPC/HTTP on fast networks'. Then restart the Outlook client. You should get prompted to log in as if you were external. Outlook does not save the password in RPC/HTTP connection mode, so each time you open Outlook you will need to re-log in. This is by design, and this is why you never want to check the 'use fast networks' setting inside your LAN for normal operations.
If you can successfully connect RPC/HTTP inside your LAN and do not get dropped, then the problem is probably within your firewall or method of external publishing. If you still cannot connect, then the problem is probably within your Exchange or IIS settings.
If this deployment is to be long term and highly relied upon, I would still very much recommend using a front end / back end Exchange configuration and ISA for external publishing. You could then drop the 2nd interface on the mail store Exchange server, and eliminate the 'direct access' issue.
This combination works very well together and makes for a very straight-forward architecture. And should you encounter future issues, troubleshooting will be a bit easier.
Just as an FYI, there would be no added licensing costs for the front-end exchange server since it will not host mail stores or public folders. It only serves as your OWA and RPC/HTTP 'gateway' to the back-end mail store exchange server.
For enhanced security, you will want to place the ISA server in your DMZ, and make it a stand-alone non domain server. You would set up a firewall rule that allows the internal trust side of your ISA in to your front-end Exchange server, and only on specific ports. Your external ISA interface will host the external public IP and  'https://exmail.yourdomain.com/exchange' URL for OWA, and the 'https://exmail.yourdomain.com' URL for RPC/HTTP Outlook and Windows Mobile devices.
This way if anyone ever breaks in to your ISA server, they get jack.

Anywho- Hope this helps!

< Message edited by _shArk_ -- 28.Dec.2006 2:21:28 AM >


_____________________________

~~~~)shArk>

(in reply to espsgroup)
Post #: 6
RE: Repeated Authentication with Outlook 2003 and RPC o... - 28.Dec.2006 2:42:54 AM   
_shArk_

 

Here are two good articles on setting up ISA.

This is one way you can go, and would work well. Single ISA interface with IAS.
http://www.msexchange.org/tutorials/Configuring-ISA-Server-2004-Exchange-Frontend-Server-DMZ-Part2.html

And this one, a more traditional and still a very good approach: http://www.msexchange.org/articles/rpchttppart1.html 
(Note: you do not need to install the enterprise CA unless you want to set up IPsec between front-end and back-end Exchange servers. If your ISA box is in a DMZ with a layer3 firewall between it and the front-end Exchange server, you're pretty darn protected.) -IMO, and all that :)

_____________________________

~~~~)shArk>

(in reply to _shArk_)
Post #: 7
