RE: Setting up RPC-HTTPS
Sorry Kurt, I was not suggesting that you were incapable of following, merely validating that they have worked for me just following those..with a slight hint of..check for fat fingering.

Also did you add the blank line at the end of the registry file when you copied and pasted the reg keys?

On all of mine I have the default website selected for require ssl, but I do know many situations where that is not the case. And they force a redirection to https://fqdn.com/exchange

Let us know what the event logs turn up.

Greg

-----Original Message-----
From: Kurt Buff [mailto:[EMAIL PROTECTED]
Sent: Friday, January 25, 2008 1:35 AM
To: MS-Exchange Admin Issues
Subject: Re: Setting up RPC-HTTPS

On 1/24/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> Kurt,
>
> I have followed the amset dozens of times and petri at least that many. Works perfectly each time unless I fat finger something.

That's something I'm perfectly capable of, and do many times a day. Heh.

> I assume on the DC you selected in the name you have the RPC Proxy installed. You have confirmed the perms on the IIS for it. Have you confirmed the ssl cert is enabled for the rpc in iis under the site you have the ssl cert installed on?

No, the RPC Proxy is on the Exchange server. I've selected Properties for the RPC virtual directory, and under Directory Security/Secure Communications, both Require secure channel (SSL) and the sub-checkbox Require 128-bit encryption are selected. However, in review, I note that the same is not true for the web site itself. Should that be selected? I don't think so, but am not expert in that.

> If the RPC server you specify in Outlook is not matching the certificate name you installed then it will not connect over RPC. If you ping the external name of the cert does it resolve internally to your Exch server? If not fix that with DNS then try it.

DNS is fine - it resolves both internally and externally, with split DNS.

> Are there any event logs in the DC or the Exchange server when you attempt to connect?

Gad - that's something I'll have to check tomorrow.

> By chance do you have SharePoint Services or Server running on the Exchange server or the DC? If so have you excluded the rpc virtual directory path from SP? If not SP takes over and ruins your life.. A common issue with the error from RPCping, Client is not authorized to ping RPC proxy

None of that in our environment. However, we do still have ADC running, for our old Exchange 5.5 servers.

Kurt

~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
~ http://www.sunbeltsoftware.com/Ninja ~
Re: Setting up RPC-HTTPS
One of my favorite actors once had this line: Life is tough. Life is tougher if you're stupid.

I actually had everything server-side working correctly. My client-side setup and testing was awry, because I was completely blind, and was using NTLM auth, instead of Basic. Once I spotted that, I was done. Immediate success.

Halle-freaking-lujah!

Kurt

On Jan 25, 2008 4:02 AM, [EMAIL PROTECTED] wrote:
> Sorry Kurt, I was not suggesting that you were incapable of following, merely validating that they have worked for me just following those..with a slight hint of..check for fat fingering.
>
> Also did you add the blank line at the end of the registry file when you copied and pasted the reg keys?
>
> On all of mine I have the default website selected for require ssl, but I do know many situations where that is not the case. And they force a redirection to https://fqdn.com/exchange
>
> Let us know what the event logs turn up.
>
> Greg
>
> -----Original Message-----
> From: Kurt Buff [mailto:[EMAIL PROTECTED]
> Sent: Friday, January 25, 2008 1:35 AM
> To: MS-Exchange Admin Issues
> Subject: Re: Setting up RPC-HTTPS
>
> On 1/24/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> > Kurt,
> >
> > I have followed the amset dozens of times and petri at least that many. Works perfectly each time unless I fat finger something.
>
> That's something I'm perfectly capable of, and do many times a day. Heh.
>
> > I assume on the DC you selected in the name you have the RPC Proxy installed. You have confirmed the perms on the IIS for it. Have you confirmed the ssl cert is enabled for the rpc in iis under the site you have the ssl cert installed on?
>
> No, the RPC Proxy is on the Exchange server. I've selected Properties for the RPC virtual directory, and under Directory Security/Secure Communications, both Require secure channel (SSL) and the sub-checkbox Require 128-bit encryption are selected. However, in review, I note that the same is not true for the web site itself. Should that be selected? I don't think so, but am not expert in that.
>
> > If the RPC server you specify in Outlook is not matching the certificate name you installed then it will not connect over RPC. If you ping the external name of the cert does it resolve internally to your Exch server? If not fix that with DNS then try it.
>
> DNS is fine - it resolves both internally and externally, with split DNS.
>
> > Are there any event logs in the DC or the Exchange server when you attempt to connect?
>
> Gad - that's something I'll have to check tomorrow.
>
> > By chance do you have SharePoint Services or Server running on the Exchange server or the DC? If so have you excluded the rpc virtual directory path from SP? If not SP takes over and ruins your life.. A common issue with the error from RPCping, Client is not authorized to ping RPC proxy
>
> None of that in our environment. However, we do still have ADC running, for our old Exchange 5.5 servers.
>
> Kurt
RE: Setting up RPC-HTTPS
Alas it is always something right in front of your face. I hated those Where's Waldo books! Glad to hear it's up and working.

-troy

-----Original Message-----
From: Kurt Buff [mailto:[EMAIL PROTECTED]
Sent: Friday, January 25, 2008 4:42 PM
To: MS-Exchange Admin Issues
Subject: Re: Setting up RPC-HTTPS

One of my favorite actors once had this line: Life is tough. Life is tougher if you're stupid.

I actually had everything server-side working correctly. My client-side setup and testing was awry, because I was completely blind, and was using NTLM auth, instead of Basic. Once I spotted that, I was done. Immediate success.

Halle-freaking-lujah!

Kurt

On Jan 25, 2008 4:02 AM, [EMAIL PROTECTED] wrote:
> Sorry Kurt, I was not suggesting that you were incapable of following, merely validating that they have worked for me just following those..with a slight hint of..check for fat fingering.
>
> Also did you add the blank line at the end of the registry file when you copied and pasted the reg keys?
>
> On all of mine I have the default website selected for require ssl, but I do know many situations where that is not the case. And they force a redirection to https://fqdn.com/exchange
>
> Let us know what the event logs turn up.
>
> Greg
>
> -----Original Message-----
> From: Kurt Buff [mailto:[EMAIL PROTECTED]
> Sent: Friday, January 25, 2008 1:35 AM
> To: MS-Exchange Admin Issues
> Subject: Re: Setting up RPC-HTTPS
>
> On 1/24/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> > Kurt,
> >
> > I have followed the amset dozens of times and petri at least that many. Works perfectly each time unless I fat finger something.
>
> That's something I'm perfectly capable of, and do many times a day. Heh.
>
> > I assume on the DC you selected in the name you have the RPC Proxy installed. You have confirmed the perms on the IIS for it. Have you confirmed the ssl cert is enabled for the rpc in iis under the site you have the ssl cert installed on?
>
> No, the RPC Proxy is on the Exchange server. I've selected Properties for the RPC virtual directory, and under Directory Security/Secure Communications, both Require secure channel (SSL) and the sub-checkbox Require 128-bit encryption are selected. However, in review, I note that the same is not true for the web site itself. Should that be selected? I don't think so, but am not expert in that.
>
> > If the RPC server you specify in Outlook is not matching the certificate name you installed then it will not connect over RPC. If you ping the external name of the cert does it resolve internally to your Exch server? If not fix that with DNS then try it.
>
> DNS is fine - it resolves both internally and externally, with split DNS.
>
> > Are there any event logs in the DC or the Exchange server when you attempt to connect?
>
> Gad - that's something I'll have to check tomorrow.
>
> > By chance do you have SharePoint Services or Server running on the Exchange server or the DC? If so have you excluded the rpc virtual directory path from SP? If not SP takes over and ruins your life.. A common issue with the error from RPCping, Client is not authorized to ping RPC proxy
>
> None of that in our environment. However, we do still have ADC running, for our old Exchange 5.5 servers.
>
> Kurt
Re: Setting up RPC-HTTPS
On Jan 25, 2008 4:02 AM, [EMAIL PROTECTED] wrote:
> Sorry Kurt, I was not suggesting that you were incapable of following, merely validating that they have worked for me just following those..with a slight hint of..check for fat fingering.

No slight was inferred - It's always helpful to go back and check things.

> Also did you add the blank line at the end of the registry file when you copied and pasted the reg keys?

Oh, I'm a bad boy! I did for the Exchange reg entry, but not for the DC reg entry. I just fixed that, but it seems not to have made a difference. Same error.

> On all of mine I have the default website selected for require ssl, but I do know many situations where that is not the case. And they force a redirection to https://fqdn.com/exchange
>
> Let us know what the event logs turn up.

Nothing that I can detect. Is there something I should be looking for? I syslog everything, and tailed my syslog file during the tests this morning, with no result, filtering either for my ID or my workstation name.
Setting up RPC-HTTPS
All,

The usual story, I suppose. Exchange 2003 SP2 on Win2k3 R2 SP2, in a Win2k3 R2 SP2 domain. Can't configure my OL2k3 client to connect via RPC-HTTPS - I've only tried over the LAN so far, but from a different subnet than the Exchange server. I've got a GeoTrust cert for the web site, and OWA works just fine, inside and outside of our company network. (I've got two domain controllers, but am only setting up one for now, until I achieve success with the first.)

If anyone can point to further diagnostics I should perform after reading the material below, I'd appreciate it.

I'm following these links:

http://amset.info/exchange/rpc-http.asp
http://www.petri.co.il/configure_rpc_over_https_on_a_single_server.htm

and I believe I've followed all of the steps, and rebooted both my Exchange server and my domain controllers.

I've added the following to both of my domain controllers:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
    "NSPI Interface protocol sequences"=hex(7):6e,00,63,00,61,00,63,00,6e,00,5f,00,68,00,74,00,74,00,70,00,3a,00,36,00,30,00,30,00,34,00,00,00,00,00

I've added this to my Exchange server (wrapped for readability!):

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy]
    "ValidPorts"="exchange:593;
    exchange.mycompany.com:593;
    exchange:100-5000;
    exchange.mycompany.com:100-5000;
    dc:6001-6002;
    dc.mycompany.com:6001-6002;
    dc:6004;
    dc.mycompany.com:6004;
    dc:593;
    dc.mycompany.com:593;
    dc:6001-6002;
    dc.mycompany.com:6001-6002;
    dc:6004;
    dc.mycompany.com:6004;"

When I start OL2k3 with the /rpcdiag switch, I get nothing even close to what I expect. The login prompt comes up, and the output in the dialog box looks like the following - I'm not going to try to attach a screenshot, so this is the manual ASCII version:

    Activity Server name Type Interface Conn Status Reg/Fail Avg Resp
    --- Directory --- Connecting
    exchange Referral --- Connecting
    --- Directory --- Connecting
    exchange Referral --- Connecting

It never gets any further.

I have used rpcping to test from an XP SP2 machine on another subnet - trying to connect with OL2k3 on that box was successful for all of the listed tests in http://support.microsoft.com/default.aspx?kbid=831051, except for the following:

    C:\Utils>rpcping -t ncacn_http -s exchange -o RpcProxy=exchange -P kbuff,mycompany,* -I kbuff,mycompany,* -H 2 -u 10 -a connect -F 3 -v 3 -E -R none
    RPCPing v2.12. Copyright (C) Microsoft Corporation, 2002
    OS Version is: 5.1, Service Pack 2
    Enter password for server:
    Enter password for RPC/HTTP proxy:
    RPCPinging proxy server exchange with Echo Request Packet
    Sending ping to server
    Response from server received: 401
    Client is not authorized to ping RPC proxy
    Ping failed.

I've changed the RPC-HTTPS tab back and forth under ESM/Administrative Groups/Site/Servers/server/Properties, from Not part... to ... back-end server and rebooted, with no joy.

Thoughts?

Kurt
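Added example (not part of the original post or of the guides it links): a Python check over the two registry values quoted in the message above. It decodes the hex(7) data and cross-checks the port it names against the ValidPorts list, which is one way to catch a copy/paste slip before importing. Function names are illustrative; the sample strings are copied from the message.

```python
from collections import Counter

# Values as posted in the message (ValidPorts unwrapped onto one logical string).
NSPI_HEX = ("6e,00,63,00,61,00,63,00,6e,00,5f,00,68,00,74,00,74,00,70,00,"
            "3a,00,36,00,30,00,30,00,34,00,00,00,00,00")
VALID_PORTS = ("exchange:593; exchange.mycompany.com:593; exchange:100-5000; "
               "exchange.mycompany.com:100-5000; dc:6001-6002; "
               "dc.mycompany.com:6001-6002; dc:6004; dc.mycompany.com:6004; "
               "dc:593; dc.mycompany.com:593; dc:6001-6002; "
               "dc.mycompany.com:6001-6002; dc:6004; dc.mycompany.com:6004;")

def decode_multi_sz(hex_text):
    """Decode a .reg hex(7) payload (REG_MULTI_SZ, UTF-16LE) into strings."""
    cleaned = hex_text.replace("\\", "").replace("\n", "").replace(" ", "")
    raw = bytes(int(b, 16) for b in cleaned.split(",") if b)
    if len(raw) % 2:
        raise ValueError("odd byte count: not UTF-16LE")
    text = raw.decode("utf-16-le")
    if not text.endswith("\x00\x00"):
        raise ValueError("missing double-NUL terminator")
    return [s for s in text.split("\x00") if s]

def parse_valid_ports(value):
    """Split ValidPorts into (host, low, high) tuples; reject malformed items."""
    entries = []
    for item in (p.strip() for p in value.split(";")):
        if not item:
            continue  # trailing ';' or whitespace left over from wrapping
        host, sep, ports = item.rpartition(":")
        if not sep or not host:
            raise ValueError(f"bad entry: {item!r}")
        low, _, high = ports.partition("-")
        lo, hi = int(low), int(high or low)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {item!r}")
        entries.append((host.lower(), lo, hi))
    return entries

def duplicate_entries(entries):
    """Entries listed more than once, a hint that a block was pasted twice."""
    return sorted(e for e, n in Counter(entries).items() if n > 1)

def hosts_covering(entries, port):
    """Host names whose ValidPorts ranges include the given port."""
    return sorted({h for h, lo, hi in entries if lo <= port <= hi})

def nspi_port(sequences):
    """Port from the 'ncacn_http:<port>' protocol sequence, or None."""
    for seq in sequences:
        proto, _, port = seq.partition(":")
        if proto == "ncacn_http" and port.isdigit():
            return int(port)
    return None
```

On the posted values, the NSPI sequence decodes to a single string and the port it names is allowed for both spellings of the DC name; the four repeated dc entries are reported as duplicates.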
RE: Setting up RPC-HTTPS
Kurt,

I have followed the amset dozens of times and petri at least that many. Works perfectly each time unless I fat finger something.

I assume on the DC you selected in the name you have the RPC Proxy installed. You have confirmed the perms on the IIS for it. Have you confirmed the ssl cert is enabled for the rpc in iis under the site you have the ssl cert installed on?

If the RPC server you specify in Outlook is not matching the certificate name you installed then it will not connect over RPC. If you ping the external name of the cert does it resolve internally to your Exch server? If not fix that with DNS then try it.

Are there any event logs in the DC or the Exchange server when you attempt to connect?

By chance do you have SharePoint Services or Server running on the Exchange server or the DC? If so have you excluded the rpc virtual directory path from SP? If not SP takes over and ruins your life.. A common issue with the error from RPCping, Client is not authorized to ping RPC proxy

Greg

-----Original Message-----
From: Kurt Buff [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 24, 2008 10:54 PM
To: MS-Exchange Admin Issues
Subject: Setting up RPC-HTTPS

All,

The usual story, I suppose. Exchange 2003 SP2 on Win2k3 R2 SP2, in a Win2k3 R2 SP2 domain. Can't configure my OL2k3 client to connect via RPC-HTTPS - I've only tried over the LAN so far, but from a different subnet than the Exchange server. I've got a GeoTrust cert for the web site, and OWA works just fine, inside and outside of our company network. (I've got two domain controllers, but am only setting up one for now, until I achieve success with the first.)

If anyone can point to further diagnostics I should perform after reading the material below, I'd appreciate it.

I'm following these links:

http://amset.info/exchange/rpc-http.asp
http://www.petri.co.il/configure_rpc_over_https_on_a_single_server.htm

and I believe I've followed all of the steps, and rebooted both my Exchange server and my domain controllers.

I've added the following to both of my domain controllers:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
    "NSPI Interface protocol sequences"=hex(7):6e,00,63,00,61,00,63,00,6e,00,5f,00,68,00,74,00,74,00,70,00,3a,00,36,00,30,00,30,00,34,00,00,00,00,00

I've added this to my Exchange server (wrapped for readability!):

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy]
    "ValidPorts"="exchange:593;
    exchange.mycompany.com:593;
    exchange:100-5000;
    exchange.mycompany.com:100-5000;
    dc:6001-6002;
    dc.mycompany.com:6001-6002;
    dc:6004;
    dc.mycompany.com:6004;
    dc:593;
    dc.mycompany.com:593;
    dc:6001-6002;
    dc.mycompany.com:6001-6002;
    dc:6004;
    dc.mycompany.com:6004;"

When I start OL2k3 with the /rpcdiag switch, I get nothing even close to what I expect. The login prompt comes up, and the output in the dialog box looks like the following - I'm not going to try to attach a screenshot, so this is the manual ASCII version:

    Activity Server name Type Interface Conn Status Reg/Fail Avg Resp
    --- Directory --- Connecting
    exchange Referral --- Connecting
    --- Directory --- Connecting
    exchange Referral --- Connecting

It never gets any further.

I have used rpcping to test from an XP SP2 machine on another subnet - trying to connect with OL2k3 on that box was successful for all of the listed tests in http://support.microsoft.com/default.aspx?kbid=831051, except for the following:

    C:\Utils>rpcping -t ncacn_http -s exchange -o RpcProxy=exchange -P kbuff,mycompany,* -I kbuff,mycompany,* -H 2 -u 10 -a connect -F 3 -v 3 -E -R none
    RPCPing v2.12. Copyright (C) Microsoft Corporation, 2002
    OS Version is: 5.1, Service Pack 2
    Enter password for server:
    Enter password for RPC/HTTP proxy:
    RPCPinging proxy server exchange with Echo Request Packet
    Sending ping to server
    Response from server received: 401
    Client is not authorized to ping RPC proxy
    Ping failed.

I've changed the RPC-HTTPS tab back and forth under ESM/Administrative Groups/Site/Servers/server/Properties, from Not part... to ... back-end server and rebooted, with no joy.

Thoughts?

Kurt
Re: Setting up RPC-HTTPS
On 1/24/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> Kurt,
>
> I have followed the amset dozens of times and petri at least that many. Works perfectly each time unless I fat finger something.

That's something I'm perfectly capable of, and do many times a day. Heh.

> I assume on the DC you selected in the name you have the RPC Proxy installed. You have confirmed the perms on the IIS for it. Have you confirmed the ssl cert is enabled for the rpc in iis under the site you have the ssl cert installed on?

No, the RPC Proxy is on the Exchange server. I've selected Properties for the RPC virtual directory, and under Directory Security/Secure Communications, both Require secure channel (SSL) and the sub-checkbox Require 128-bit encryption are selected. However, in review, I note that the same is not true for the web site itself. Should that be selected? I don't think so, but am not expert in that.

> If the RPC server you specify in Outlook is not matching the certificate name you installed then it will not connect over RPC. If you ping the external name of the cert does it resolve internally to your Exch server? If not fix that with DNS then try it.

DNS is fine - it resolves both internally and externally, with split DNS.

> Are there any event logs in the DC or the Exchange server when you attempt to connect?

Gad - that's something I'll have to check tomorrow.

> By chance do you have SharePoint Services or Server running on the Exchange server or the DC? If so have you excluded the rpc virtual directory path from SP? If not SP takes over and ruins your life.. A common issue with the error from RPCping, Client is not authorized to ping RPC proxy

None of that in our environment. However, we do still have ADC running, for our old Exchange 5.5 servers.

Kurt