RPC over HTTPS Troubles - Tried Everything! (Full Version)






bjblackmore -> RPC over HTTPS Troubles - Tried Everything! (14.Mar.2008 6:38:00 PM)

Hi,
 
I'm trying to setup Outlook Anywhere/RPC over HTTPS, using a single Exchange 2003 Server on Win 2003 SP2, ISA 2006 on Win 2003 SP2, and Outlook 2003 on Win XP SP2 clients. I've followed all the online documentation, including those below, but I just can't get it working:
 
http://www.isaserver.org/tutorials/ISA-Firewall-Publishing-OWA-RPC-HTTP-Single-IP-Address-Part1.html (all 5 parts)
http://www.msexchange.org/tutorials/outlookrpchttp.html
http://www.msexchange.org/tutorials/Troubleshooting-RPC-over-HTTPS-Part1.html (both parts)
 
So far the steps I've taken are:
  1. Added the RPC over HTTP Proxy component to the Exchange Server
  2. Selected RPC-HTTP back-end server in the Exchange System Manager RPC-HTTP tab
  3. Checked the port settings under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeSA
  4. Added ExchangeServer:6001-6002;ExchangeServerFQDN:6001-6002;ExchangeServer:6004;ExchangeServerFQDN:6004; to HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\RpcProxy
  5. Rebooted the Exchange Server
  6. Made sure the Default Website\RPC virtual directory has basic auth only set.
  7. Create a new firewall policy on the ISA 2006 server for OWA/RPC, with the same settings/listener as those described in http://www.isaserver.org/tutorials/ISA-Firewall-Publishing-OWA-RPC-HTTP-Single-IP-Address-Part3.html
  8. Used the existing Web Certificate which is a wildcard cert, *.domain.com.
  9. OWA works perfectly (we were using OWA previously anyway, which is why we had the wildcard certificate), we can login, and send/receive emails
  10. I've created a new Profile in Outlook, and added a new Exchange account with settings: exchange.domain.com, user.name, in 'more settings' under the connection tab I've enabled 'connect using HTTP' and set the exchange proxy settings to: https://owa.domain.com, connect using SSL, Mutually authenticate: msstd:*.domain.com (same as the wildcard certificate), tried checking & un-checking on fast networks use http first... & on slow networks use http first..., set the proxy authentication to basic.

But, when I click check name in the Outlook settings box, a pop up opens, asking me to authenticate to exhange.domain.com, I enter my username 'domain\username' and password, however this just pops up again twice and then I get an error message saying 'The action could not be completed. The connection to Microsoft Exchange Server is unavailable. Outlook must be online or connected to complete this action.'
 
The ISA logging shows the connection, there is an 'Initiated Connection', then 'Allowed Connection', a 'Failed Connection Attempt' and finally a 'Closed Connection'. The Allowed Connection shows the following info:
Status: 404 Not Found
Request: RPC_OUT_DATA
http://owa.domain.com/rpc/rpcproxy.dll?exchange.domain.com:593
And the Failed Connection shows:
Status: 64 The specified network name is no longer available
Request: RPC_IN_DATA
http://owa.domain.com/rpc/rpcproxy.dll?exchange.domain.com:593
The ports alternate between 593 and 6004
 
I'm now at a loss as to how to get this working. I've used the Outlook.exe /rpcdiag to try and test rpc, but that just tries to connect, asks for the username & password then fails. I've tried rpcdump /v and all of the ncacn_http ports are correctly set. I've checked rpcproxy.dll exists under c:\windows\system32\rpcproxy\rpcproxy.dll, although I notice I get an error if I try and register the dll again using regsvr32: 'DllRegisterServer in c:\windows\system32\rpcproxy\rpcproxy.dll failed. Return code was 0x80070003', so I don't know if this points to a problem - corrupt file maybe? Apart from that, I can't think of anything else that could be stopping this from working!
 
Can anyone else help/shed some light onto what the problem may be?
 
Any help much appreciated
 
Ben




bjblackmore -> RE: RPC over HTTPS Troubles - Tried Everything! (15.Mar.2008 8:28:52 AM)

Just a quick thought, does the RPC over HTTP component need to be installed on every Global Catalogue server in the domain, or can it just be installed on the Exchange Server if it is a Global Catalogue server? It's just that we have another DC, which is also a Global Catalogue server, but does not have Exchange installed.




bjblackmore -> RE: RPC over HTTPS Troubles - Tried Everything! (27.Mar.2008 6:06:10 AM)

Well I installed the RPC over HTTP component onto the other DC/GC and it had no effect. I've also removed our certificate from IIS, which was created using an internal CA, and used a wildcard (so we could use it for all published sites), and replaced it with a Thawte test SSL certificate, just in case that was causing a problem. But this made no difference.

The error messages I'm constantly getting are:

Failed Connection Attempt
Log type: Web Proxy (Reverse)
Status: 1460 This operation returned because the timeout period expired. 
Rule: OWA & Outlook Anywhere
Source: External (194.xxx.xxx.25)
Destination: (exchange.domain.com 192.168.1.3:443)
Request: RPC_OUT_DATA http://owa.domain.com/rpc/rpcproxy.dll?EXCHANGE:6004
Filter information: Req ID: 09051610; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=yes, logged off=no, client type=unknown, user activity=yes
Protocol: https


Failed Connection Attempt
Log type: Web Proxy (Reverse)
Status: 64 The specified network name is no longer available. 
Rule: OWA & Outlook Anywhere
Source: External (194.xxx.xxx.25)
Destination: (exchange.domain.com 192.168.1.3:443)
Request: RPC_IN_DATA http://owa.domain.com/rpc/rpcproxy.dll?EXCHANGE:6004
Filter information: Req ID: 0905160e; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=yes, logged off=no, client type=unknown, user activity=yes
Protocol: https

Our valid ports entry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy is set to:

exchange:6001-6002;
exchange.domain.com:6001-6002;
owa.domain.com:6001-6002;
exchange:6004;
exchange.domain.com:6004;
owa.domain.com:6004

Does this look correct? Should it be in a certain order? I read 1 post that said it started to work after someone re-ordered their valid ports.

Using RpcPing (RpcPing -t ncacn_http -s exchange.domain.com -o RpcProxy=owa.domain.com -P "user,domain.com,password" -I "user,domain.com,password" -H 1 -F 3 -a connect -u 10 -v 3 -e 6001) internally completes 1 call in 100.000ms/T, so internally everything seems OK. But if I run the same Rpcping test externally, but add "-B msstd:owa.domain.com" for mutual authentication, there is a long delay, then it fails with Exception 1722.

If I try to connect to https://owa.domain.com/rpc/rpcproxy.dll from the exchange server itself and from the ISA server an authentication popup opens, after entering my domain username & password I get a blank page, which is apparently correct according to the kbs I've read. I've just removed RPC over HTTP from the exchange server, rebooted, then re-installed RPC over HTTP and re-set the valid ports, as I read somewhere that was a possible fix, but it hasn't helped.

I'm now at a loss, I've done everything I can think of, read every forum article and kb, but can't think of where to go next!? Any more suggestions would be most welcome!

Ben

P.S. When I put the client on the internal network and connect, it seems to work with RPC over HTTPS fine, if I run Outlook.exe /RPCDIAG the following screen is shown, with all HTTPS connections established.

[image]http://i155.photobucket.com/albums/s317/bjblackmore/outlook-rpcdiag.jpg[/image]
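An added example, not part of any post in this thread: a small Python check that parses a ValidPorts string and reports which `rpcproxy.dll?HOST:PORT` targets seen in the ISA log are not covered by it. The function names are hypothetical, the sample values are copied from the posts above, and case-insensitive hostname matching is an assumption of this sketch.

```python
import re
from urllib.parse import urlsplit

def parse_valid_ports(value):
    """Parse 'host:port;host:lo-hi;...' into {host: [(lo, hi), ...]}."""
    allowed = {}
    for entry in re.split(r"[;\s]+", value.strip()):
        if not entry:
            continue
        host, sep, ports = entry.rpartition(":")
        lo, _, hi = ports.partition("-")
        if not (sep and host and lo.isdigit() and (hi or lo).isdigit()):
            raise ValueError(f"malformed ValidPorts entry: {entry!r}")
        # Assumption: hostnames are compared case-insensitively.
        allowed.setdefault(host.lower(), []).append((int(lo), int(hi or lo)))
    return allowed

def proxy_target(url):
    """Return (host, port) from a '.../rpc/rpcproxy.dll?HOST:PORT' URL."""
    host, sep, port = urlsplit(url).query.rpartition(":")
    if not (sep and host and port.isdigit()):
        raise ValueError(f"no HOST:PORT target in {url!r}")
    return host.lower(), int(port)

def uncovered_targets(valid_ports, urls):
    """List (host, port) targets that no ValidPorts entry covers."""
    allowed = parse_valid_ports(valid_ports)
    missing = []
    for url in urls:
        host, port = proxy_target(url)
        covered = any(lo <= port <= hi for lo, hi in allowed.get(host, []))
        if not covered and (host, port) not in missing:
            missing.append((host, port))
    return missing

# ValidPorts value as posted in the thread (anonymised hostnames).
VALID_PORTS = """exchange:6001-6002;
exchange.domain.com:6001-6002;
owa.domain.com:6001-6002;
exchange:6004;
exchange.domain.com:6004;
owa.domain.com:6004"""
# Request targets as they appear in the ISA log excerpts in the thread.
LOGGED_URLS = [
    "http://owa.domain.com/rpc/rpcproxy.dll?exchange.domain.com:593",
    "http://owa.domain.com/rpc/rpcproxy.dll?exchange.domain.com:6004",
    "http://owa.domain.com/rpc/rpcproxy.dll?EXCHANGE:6004",
]
if __name__ == "__main__":
    for host, port in uncovered_targets(VALID_PORTS, LOGGED_URLS):
        print(f"not covered by ValidPorts: {host}:{port}")
```

The check does not depend on the order of the entries; it only tests whether each logged target falls inside some listed host and port range.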




danieltahar -> RE: RPC over HTTPS Troubles - Tried Everything! (25.Apr.2008 7:59:35 PM)

I may have good news for you.

I tried *everything*. I mean *everything*.

out of frustration, i disabled the caching web filter. it works. I just can't put into words my feeling right now.

Let me know if it works for you -- this is amazing.




begineer -> RE: RPC over HTTPS Troubles - Tried Everything! (25.Apr.2008 11:32:12 PM)

caching web filter in where




bjblackmore -> RE: RPC over HTTPS Troubles - Tried Everything! (26.Apr.2008 3:18:43 AM)

Hi Daniel,

Thanks for the reply.

Do you mean disable the "Caching Compressed Web Filter", the Cache Rules, or Cached Drives?

Is your ISA box part of a domain? I've received a reply from Dr Shinder on the ISA forum that suggested adding ISA to the domain will also solve this problem. I haven't had chance to test this yet, need to schedule some down time.

Cheers

Ben




danieltahar -> RE: RPC over HTTPS Troubles - Tried Everything! (26.Apr.2008 4:18:42 PM)

ISA / Configuration / Add-ins / Web Filters, disable "Compression Filter".

I think this is a pure communications problem, considering you set up everything correctly -- in any case, authentication, lookup issues etc etc would generate different errors, not a 64 host not found. try it, you won't regret it! :)

Seriously though, it's not a domain thing imho.




danno -> RE: RPC over HTTPS Troubles - Tried Everything! (28.Apr.2008 12:18:50 PM)

I am having this exact problem with the exact messages in ISA.

I have disabled the compression filter.  I'm still unable to connect from outside the network, but my symptoms have changed:

Before disabling http compression, the ISA logs showed four consecutive Failed Connection Attempts on port 443.
After disabling http compression, the first connection attempt is successful, the second is failed, the third is successful and the fourth is failed:

Port 443 https Failed Connection Attempt OWA-RPC/HTTP-ActSync RPC_IN_DATA Web Proxy Filter

Port 443 https Allowed Connection OWA-RPC/HTTP-ActSync RPC_OUT_DATA Web Proxy Filter 

Port 443 https Allowed Connection OWA-RPC/HTTP-ActSync RPC_OUT_DATA Web Proxy Filter 

Port 443 https Failed Connection Attempt OWA-RPC/HTTP-ActSync RPC_IN_DATA Web Proxy Filter 

So disabling compression def changed things, but I'm still not able to connect.  My ISA server is a member of the domain.  Any thoughts?

Thanks!




danieltahar -> RE: RPC over HTTPS Troubles - Tried Everything! (28.Apr.2008 1:53:16 PM)

at this point, we may be looking at other stuff, on the easier side. are you configured with ntlm both ways, or only one way? also, which application / web filters are currently enabled?

at this point i really think we're looking at exchange connectivity issues etc. under system policy, are you set w/ "enforce strict rpc compliance"?




danno -> RE: RPC over HTTPS Troubles - Tried Everything! (28.Apr.2008 3:37:47 PM)

Daniel,

In regards to your question about the NTLM authentication, I'm not sure how to check that but I'll take a look.

The web filters currently enabled are all but DiffServ Filter and Compression Filter:

Web Publishing Load Balancing Filter
Authentication Delegation Filter
Forms-Based Authentication Filter
RADIUS Authentication Filter
LDAP Authentication Filter
Link Translation Filter
HTTP Filter
Caching Compressed Content Filter

Danno




danieltahar -> RE: RPC over HTTPS Troubles - Tried Everything! (28.Apr.2008 5:34:28 PM)

well, you need to look at IIS, especially on the /Exchange directory, and see how it's set to authenticate. I actually removed and re-created the virtual directories a couple of times, because I messed around with them so much.

In any case, what I want to know is if the ISA listener is taking NTLM authentication, and what exactly is it forwarding to the IIS -- i.e., is the IIS expecting the same thing.

Also, is the IIS certificate (considering SSL is used) one trusted by the ISA server?

You should try two things: 1. from the ISA server, try going to https://internalfqdn/Exchange, and to https://internalfqdn/rpc/rpcproxy.dll, and see if they work. If a certificate prompt comes up, that's the first thing to look at.

Second, if you're logged on as a user whose mailbox isn't on this exchange server, try logging on as a user whose mailbox is there, and access /Exchange. If you get to your mailbox without being prompted for a username/password, it means NTLM ("windows integrated") security is enabled on IIS.

Let's take it from there...



