Monday, February 19, 2007

RPC over HTTPS Problems

I had a problem that I just couldn't solve - check out my Google group post:

I'm absolutely stuck. I've been through almost every knowledgebase
article I've found and along the way fixed every error I've come
across (which has pretty much been all of them). I've got a single
Exchange server enabled for RPC over HTTPS. I've got a self-signed SSL
certificate created via the IIS resource kit using SelfSSL which I
have trusted and is called the same as my external URL to my OWA
server.

I can navigate to OWA without getting prompted with certificate
information, and I can go to http:///rpc where I get prompted for
username and password which fails after the third attempt where I get an
error: HTTP Error 401.3 - Unauthorized: Access is denied due to an ACL
set on the requested resource.

I've read that even though this error isn't the standard error I
should get, it should not prove to be a problem. I've done an RPC ping
with the following commands:

rpcping -t ncacn_http -s exch_server_name -o RpcProxy=external_url -P "user,domain,*" -I "user,domain,*" -H 1 -u 10 -a connect -F 3 -v 3 -E -R none

rpcping -t ncacn_http -s exch_server_name -o RpcProxy=external_url -P "user,domain,*" -I "user,domain,*" -H 1 -F 3 -a connect -u 10 -v 3 -e 6002

rpcping -t ncacn_http -s exch_server_name -o RpcProxy=external_url -P "user,domain,*" -I "user,domain,*" -H 1 -F 3 -a connect -u 10 -v 3 -e 6001

rpcping -t ncacn_http -s exch_server_name -o RpcProxy=external_url -P "user,domain,*" -I "user,domain,*" -H 1 -F 3 -a connect -u 10 -v 3 -e 6004

All come back fine. When connecting I can see Outlook trying to
connect via port 443 (using Active Ports) but nothing at all happens.
When I run outlook /rpcdiag all I see is it trying to connect, but
nothing else.

The server setup is:

1 x Windows 2003 SBS Server - does have Exchange 2003 SP2, but is not
running any part of RPC over HTTPS - we are slowly decommissioning it.
- DC and GC
1 x Windows 2003 R2 Server - Exchange 2003 SP2 - Rpc over HTTPs server
1 x Windows 2003 x64 Server - DC and GC

If you get this far and everything is fine, one thing I didn't check was the firewall rules on the client PC. The firewall was allowing connections out from Outlook, but not back in!!! Such a schoolboy thing to do, but I didn't believe it. I was using Kerio firewall, but it just wasn't warning me about incoming connections!!!! Frustrating!!!

Also - if using SelfSSL as with the IIS6 Resource Kit, bear in mind the default certificate is only valid for 7 days. You can increase this with the /V switch. Check out this site for a great tutorial:

http://www.visualwin.com/SelfSSL/
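
A quick way to check the three certificate conditions mentioned in this post (name matches the external URL, certificate is trusted on the client, certificate has not run out its validity period) is to pull the certificate from port 443 and inspect it. This is an added example, not part of the original post; it assumes PowerShell 5 or later, and the host name and warning threshold are placeholders.

```powershell
# Added example: inspect the certificate the RPC proxy presents on port 443.
param(
    [string]$ProxyHost = 'mail.example.com',  # placeholder: your external URL host name
    [int]$Port = 443,
    [int]$WarnDays = 3                        # assumed threshold; SelfSSL defaults to 7 days
)

function Get-RemoteCertificate {
    param([string]$HostName, [int]$Port)
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept any certificate during the handshake so an expired or untrusted
        # one can still be inspected. No credentials or data are sent here.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $cert, $chain, $errors) $true
        }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($HostName)
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    }
    finally {
        $tcp.Close()
    }
}

function Test-ProxyCertificate {
    param($Cert, [string]$HostName, [int]$WarnDays)
    # Build the chain against this machine's stores: a self-signed certificate
    # only passes if it has been imported as trusted on this client.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $daysLeft = [math]::Floor(($Cert.NotAfter - (Get-Date)).TotalDays)
    [pscustomobject]@{
        Subject      = $Cert.Subject
        NotAfter     = $Cert.NotAfter
        DaysLeft     = $daysLeft
        ExpiringSoon = ($daysLeft -lt $WarnDays)
        # Compares the subject CN only (what SelfSSL sets); no SAN or wildcard handling.
        NameMatches  = ($Cert.GetNameInfo('SimpleName', $false) -eq $HostName)
        Trusted      = $chain.Build($Cert)
    }
}

$cert = Get-RemoteCertificate -HostName $ProxyHost -Port $Port
Test-ProxyCertificate -Cert $cert -HostName $ProxyHost -WarnDays $WarnDays | Format-List
```

Run it from the client PC that Outlook runs on, since the Trusted result depends on that machine's certificate stores.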
