Exchange Server Forums


Outlook Anywhere/RPC over HTTP not working Exchange 2007

Outlook Anywhere/RPC over HTTP not working Exchange 2007 - 30.Aug.2007 2:55:31 PM   
sfosmire

 

Posts: 7
Joined: 26.Mar.2007
Status: offline
I posted this to the experts-exchange.com & petri.co.il forums as well. Sorry if that disturbs anyone.

This is a brand new installation of Exchange 2007 on a brand new installation of Windows Server 2003 R2 Standard x64 Edition. Single server domain. RPC over HTTP Proxy is installed in Windows. Server is a Certificate Authority. I created a self signed certificate request in IIS, generated the certificate, installed/imported the certificate into Exchange, and enabled said certificate for SIP & W no U (not using P or I, but just enabled them in case I need them later). Checked in IIS and the certificate listed there has the same Thumbprint as listed in Exchange. There are two directories now added to IIS Default Web Site: RPC and RPCwithCert, both pointing to C:\Windows\System32\RPCProxy.

In Exchange Management Console (EMC) I then went to Server Configuration, Client Access and enabled Outlook Anywhere. I put in the internal FQDN for the server, which is the same as the external FQDN for this server. Basic Authentication is selected, Allow SSL offloading is unchecked. I have an internal DNS using that FQDN pointing to the internal private IP address and our external DNS points to our public IP. When I ping internally I get the correct IP address. I've added an external DNS entry for autodiscover for this server as well. In IIS on the default web site I have a host header entry for the FQDN as well as autodiscover.

I have gone to https://FQDN/Certsrv, logged in (accepting a cert error about trusted root status), then installed the certificate chain in IE 7 on my Windows XP Professional workstation (which is not joined to the domain and my local username and password are different from the domain), and Outlook Web Access (OWA) works perfectly with no cert error (my self CA is now in my trusted roots). I can access OWA internally and externally.

I set up Outlook 2007 to do Outlook Anywhere, put in the FQDN, set it to basic authentication, set it to try to do HTTP first on both fast and slow networks. Outlook /rpcdiag reports connecting on TCP-IP internally, and externally it won't connect because RPC over HTTP isn't working. When connected internally I did the "test e-mail autoconfiguration" (hold ctrl key, right click Outlook icon in system tray, choose test e-mail configuration) and it connects fine to the autodiscover.FQDN and reports:
Autoconfiguration found the following settings:
Display Name: Administrator

Protocol: Exchange RPC
Server: servername.domain.com [note it actually has our FQDN here]
Login Name: administrator
Availability Service URL: https://FQDN/EWS/Exchange.asmx
OOF URL: https://FQDN/EWS/Exchange.asmx
OAB URL: http://FQDN/OAB/hexidecimal#matchingOABdirectory#/
Unified Message Service URL: https://FQDN/UnifiedMessaging/Service.asmx
Auth Package: Unspecified

Protocol: Exchange HTTP
Server: same name as above FQDN
Login: administrator
SSL: Yes
Mutual Authentication: Yes
Availability Service URL: https://FQDN/EWS/Exchange.asmx
OOF URL: https://FQDN/EWS/Exchange.asmx
OAB URL: http://FQDN/OAB/hexidecimal#matchingOABdirectory#/
Unified Message Service URL: https://FQDN/UnifiedMessaging/Service.asmx
Auth Package: Basic
Certificate Principal Name: msstd:FQDN
-end report-
One note: before I correctly configured the autodiscovery DNS entries, I would get synch errors in Outlook about the OAB and a missing URL. After I added the DNS entry, that went away. However, one should be able to go in a web browser to https://FQDN/OAB/hexidecimal # of OAB dir/oab.xml and get an xml page returned (in IIS I have verified that OAB points to the ClientAccess OAB directory and got the hex # from there). When I try this internally and externally I get an http 500 error. I did a

[PS] U:\>Test-OutlookWebServices -identity administrator | format-list
Id      : 1003
Type    : Information
Message : About to test AutoDiscover with the e-mail address administrator@FQDN.

Id      : 1006
Type    : Information
Message : Contacted AutoDiscover at https://FQDN/Autodiscover/Autodiscover.xml.

Id      : 1016
Type    : Success
Message : [EXCH]-Successfully contacted the AS service at https://FQDN/EWS/Exchange.asmx.

Id      : 1015
Type    : Success
Message : [EXCH]-Successfully contacted the OAB service at https://FQDN/EWS/Exchange.asmx.

Id      : 1014
Type    : Success
Message : [EXCH]-Successfully contacted the UM service at https://FQDN/UnifiedMessaging/Service.asmx.

Id      : 1016
Type    : Success
Message : [EXPR]-Successfully contacted the AS service at https://FQDN/EWS/Exchange.asmx.

Id      : 1015
Type    : Information
Message : [EXPR]-The OAB is not configured for this user.

Id      : 1014
Type    : Information
Message : [EXPR]-The UM is not configured for this user.

Id      : 1013
Type    : Error
Message : When contacting https://FQDN/Rpc received the error The remote server returned an error: (500) Internal Server Error.

Id      : 1017
Type    : Error
Message : [EXPR]-Error when contacting the RPC/HTTP service at https://FQDN/Rpc.

Id      : 1006
Type    : Success
Message : Successfully tested AutoDiscover.

Id      : 1021
Type    : Information
Message : The following web services generated errors.
             Contacting server in EXPR
         Please use the prior output to diagnose and correct the errors.
-end 2nd report-
All of which basically reports what I already know, that RPC isn't working... On another company's Exchange 2007 server I can go to https://FQDN/rpc, I get a login prompt, then after putting in good credentials, get an "Error: Access is Denied" webpage returned. On this server I don't get a login prompt, I just get an IE HTTP 500 error, just like OAB.

I have checked Get-ExchangeCertificates, and as many other "gets" as I can think of from the multitude of postings out there about how to set up/check on Outlook Anywhere. As far as I can tell everything is correctly set up, but RPC doesn't work. The C:\Windows\System32\rpcproxy\rpcproxy.dll directory and file are there. The file has a date of 2/17/2007 and is version 5.2.3790.3959. I checked all of the rpcproxy.dll settings etc. but I wasn't able to re-register the dll, got an error.

So I uninstalled RPC over HTTP Proxy from Add & Remove Programs. I checked out the rpcproxy directory and the dll disappeared. I deleted the dll in dllcache. The RPC listing in Web Services in IIS Manager disappeared and I deleted the RPC and RPCwithCert virtual dirs under the Default Web Site. I then reinstalled RPC over HTTP Proxy, then I stopped WWW & MS Exchange and restarted them, but can't reboot right now, so I haven't done that yet. The file reappeared in both directories, same file version and date as above, the virtual dirs reappeared in the Default Web Site and the RPC listing in Web Services reappeared too. All to no avail, it still gets the RPC error with Test-OutlookWebAccess.

Full disclosure, I am a consultant and I have set up another 2007 server from scratch in this exact same way for a different company and this all worked flawlessly right out of the box. Just added RPC to Windows, enabled OA, put in the server name, and voila! it worked. I've also recently migrated a company from Exchange 2000/Windows 2000 to a new Windows 2003/Exchange 2007 server and Outlook Anywhere worked fine there too.

I can't for the life of me figure out what else to check, or what could possibly have gone wrong. Anyone have any ideas? Please help me, I really don't want to start over, the user mailboxes are going to be a pain to export to PST and reimport without EXmerge. -Steve
Post #: 1
RE: Outlook Anywhere/RPC over HTTP not working Exchange... - 10.Sep.2007 1:27:39 PM   
tech_contact

 

Posts: 10
Joined: 10.Sep.2007
Status: offline
You MUST have a valid External Cert for Outlook Anywhere (RPC over HTTPS) to work properly.  It's listed as a prerequisite by Microsoft.

-Tech_contact

(in reply to sfosmire)
Post #: 2
RE: Outlook Anywhere/RPC over HTTP not working Exchange... - 26.Sep.2007 12:11:51 PM   
sfosmire

 

Posts: 7
Joined: 26.Mar.2007
Status: offline
OK, no one came up with anything at all helpful on this or the other 2 forums, and I did a bunch more testing and diagnosing using a bunch of different MS utilities that other places mentioned, none of which really matters, because they all seemed to tell me the same thing: RPC wasn't working. Not Exchange, not the certificate, not IIS, just RPC wasn't working.

So, what I ended up doing was creating a temporary server with Windows 2003 64 bit, installing Exchange 2007 to it, making it a DC (since my other Exch server was the DC, GC and DNS for the domain). I used the migration utility to move the mailboxes from one server to the other. Then I moved the public folder replicas, deleted the Public folder database on the "bad" server, uninstalled Exch. 2007, dcpromo'd it to remove AD, then removed the server from the Domain. (I also moved all the user directories and files and recreated their shares on the temp server, edited the login script. Oh, and I made the temp server the operations master for all of the Domain/AD roles as well as a GC.)

With the "bad" server out of the domain and everything functioning just fine on the temp server, I just wiped it clean and reinstalled from scratch. I installed Windows server 2003 x64, then service packed it, joined the Domain, made it a Domain controller, DCpromo'd it back to being a DC, moved the DC/AD roles all back to it, made it a GC server, installed DNS and made sure everything synchronized just fine. Then I reinstalled Exchange 2007 and RPC over HTTP Proxy, created a test account on the newly reinstalled server and voila! RPC over HTTP/S worked perfectly right out of the box as it is supposed to. I moved the mailboxes back, did everything necessary to make Exchange 2007 be the way it should be and I was done.

What a hassle. But maybe this will encourage someone else to just start over instead of beating their head against a wall, and if it makes it easier for someone else then this forum will have done its job.

By the way, in response to the post saying that MS requires a "valid external cert": If you mean a certificate from a "real" CA, this just isn't true. I created a self signed certificate from my server that has Certificate Services on it and it works just fine for RPC and everything else. Just remember to go to https://yourownserver.com/Certsrv and click on download the certificate chain, then install the certificate chain and you'll be fine for RPC over HTTP with Outlook 2003 & 2007. Don't just do the https: to your server and try to click on "install certificate"; you need to actually get your self CA into the trusted roots, not just the certificate. The only thing that paying for a "real" certificate from a CA like Verisign or Thawte gets you is that they are in the trusted roots by default and you don't have to add them. If you meant that you have to run the enable-ExchangeCertificate for the imported certificate and specify the services (SMTP, IMAP, POP, Unified Messaging, IIS) that the cert is for, then that was already the case.

OK, one caveat here: for "locked" mobile devices (the Samsung Blackjack for instance), where they only allow you to install approved apps from the wireless provider, you won't be able to download and install the chain, so for those and (as far as I know) only those locked devices you would need a "real" certificate from a "real" CA that you pay money for. Most other MS active sync or Windows Mobile devices play fair and let you install certificate chains.

Good luck if you are reading this because you have this problem, I can sympathize. -Steve

(in reply to tech_contact)
Post #: 3
RE: Outlook Anywhere/RPC over HTTP not working Exchange... - 1.Oct.2007 4:03:10 PM   
MarcG

 

Posts: 4
Joined: 1.Sep.2007
Status: offline
Man I think I love you.

I use a self-signed certificate too and the only way I had found to get it working was to install the certificate on ie6 before upgrading to ie7.

Why no sites mention this /certsrv/ requirement is beyond me.

Thanks a bunch for posting this info!

(in reply to sfosmire)
Post #: 4
RE: Outlook Anywhere/RPC over HTTP not working Exchange... - 4.Oct.2007 11:03:04 AM   
de.blackman

 

Posts: 3542
Joined: 4.Apr.2005
From: Toronto, Canada
Status: offline
Exchange 2007 works fine with internally created certificates. Microsoft recommends using 3rd party certificates because their root certificate is already trusted by their operating systems. If you are going to use an internal certificate, as sfosmire mentioned, all you have to do is download the root certificate to every single client that will connect to the exchange server (internal workstations and laptops; machines at homes that will use Outlook AnyWhere; Mobile devices that will use ActiveSync). In addition, Exchange 2007 requires a certificate that has multiple subject alternate names on it. By default a certification authority does not allow the creation of these types of certs without slight modifications to the certificate templates on the cert server. This is a hassle for a lot of companies, hence the reason why Microsoft "recommends" a 3rd party certificate.

_____________________________

Ibrahim Benna - Microsoft Exchange MVP
Forum Moderator
Navantis
@IbrahimBenna

(in reply to MarcG)
Post #: 5
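
Added example, not part of any post in this thread: a PowerShell check of the two conditions discussed above, whether a certificate chains to a root this client trusts and whether its subject alternative names cover every host name clients use. It assumes PowerShell 7 or Windows PowerShell 5.1 on .NET Framework 4.7.2 or later; the function names and the example.test host names are made up for illustration.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function Get-CertDnsName {
    param([X509Certificate2]$Cert)
    # Subject Alternative Name is extension OID 2.5.29.17
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return }
    # Format() renders "DNS Name=host" on English-locale Windows and
    # "DNS:host" on OpenSSL-based platforms; other locales need another pattern.
    [regex]::Matches($san.Format($false), '(?:DNS Name=|DNS:)([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value.ToLowerInvariant() }
}

function Test-OutlookAnywhereCert {
    param([X509Certificate2]$Cert, [string[]]$RequiredName)
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    # Build() returns $false when the issuing root is not in this client's trusted roots
    $chainOk = $chain.Build($Cert)
    $names = @(Get-CertDnsName $Cert)
    # Exact-match comparison only; wildcard names are not expanded here
    $missing = @($RequiredName | Where-Object { $names -notcontains $_.ToLowerInvariant() })
    [pscustomobject]@{
        Subject      = $Cert.Subject
        ChainTrusted = $chainOk
        ChainStatus  = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        DnsNames     = $names -join ', '
        MissingNames = $missing -join ', '
    }
}

# Constructed sample: an in-memory self-signed certificate carrying a single SAN.
# Nothing is written to a certificate store.
$rsa = [RSA]::Create(2048)
$req = [CertificateRequest]::new('CN=mail.example.test', $rsa,
    [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$sanBuilder = [SubjectAlternativeNameBuilder]::new()
$sanBuilder.AddDnsName('mail.example.test')
$req.CertificateExtensions.Add($sanBuilder.Build($false))
$cert = $req.CreateSelfSigned([DateTimeOffset]::Now.AddDays(-1), [DateTimeOffset]::Now.AddDays(30))

Test-OutlookAnywhereCert -Cert $cert `
    -RequiredName 'mail.example.test', 'autodiscover.example.test' | Format-List
```

To check a real certificate on a Windows client, pass one read from the `Cert:\LocalMachine\My` store in place of the constructed `$cert`.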
RE: Outlook Anywhere/RPC over HTTP not working Exchange... - 1.Sep.2009 8:54:21 AM   
masyed

 

Posts: 1
Joined: 15.Jun.2009
Status: offline


Hi Sfosmire,

Thank you for the description on how to get outlook anywhere working with a self signed certificate.

I am very new to exchange and certificates. I have successfully configured exch2k7 with owa and outlook (domain joined) working fine.

I set up rpc / outlook anywhere and the funny thing is:

a) Outlook anywhere started to work on a macbook with entourage webservices / office 2008 sp2 without a problem; I didn't even add the certificate to the trusted root on the mac and it just warned me of an untrusted certificate, to which I said "Yes use it", and entourage, applemail, ical, address book were configured properly.

b) When I try to configure outlook 2007 on windows 7, vista after adding the self signed certificate to the trusted root on my client laptop, it won't discover anything.

When the process of autodiscovery starts, it prompts for user/pass. I type the user name and password and then after a while it says outlook was unable to contact the exchange server, it has to be online.

If I try to configure manually, from "More Settings" I would get the same response after creating the profile and opening outlook; when it gives the error then it shows a dialog box which has the name of my exchange server sitting in the office, so it is getting there. Any thoughts on this?

Also, when you say to download and install the root certificate chain, can you please elaborate on that? Do you mean to download the certificate and install it, or is that a different kind of certificate?

Also, can you please specify the steps to request a new self signed certificate so I can use Outlook anywhere and other services (no active sync)? I have set up an internal CA (AD cert services server 2008).

I will be really grateful for your help.

Kind Regards

(in reply to sfosmire)
Post #: 6
