Re: RPC over HTTPS - need help!
From: Mark Arnold [MVP] (mark_at_mvps.org)
Date: 08/06/04
- Next message: MartinHTN: "Re: Migration from exchange 2000 to exchange 2003"
- Previous message: Mike B: "MSExchangeMTA Event ID: 9318"
- In reply to: Boris Lokhvitsky: "RPC over HTTPS - need help!"
- Next in thread: Boris Lokhvitsky: "Re: RPC over HTTPS - need help!"
- Reply: Boris Lokhvitsky: "Re: RPC over HTTPS - need help!"
- Reply: Boris Lokhvitsky: "Re: RPC over HTTPS - need help!"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 06 Aug 2004 13:28:20 +0100
"Boris Lokhvitsky" <msexpert@gmail.com> wrote:
>Hello All,
>
>I need help with making RPC over HTTPS work... Seems I've done all
>necessary steps, but Outlook still keeps failing over to TCP/IP connection
>instead of using HTTPS. I've read tons of KB articles, sometimes
>contradictive :) but it didn't help...
>
>Environment:
>- W2K3 based DC and GC server
>- W2K3 with E2K3 SP1 for the front-end and RPC proxy
>- W2K3 with E2K3 SP1 for the back-end
>- WinXP SP1 with Office 2003 and Outlook patch for the client
>
>What I did:
>1. Installed a Microsoft CA on the DC, added templates for Exchange;
>requested certificates for Web server on the front-end Exchange; configured
>IIS to require SSL on /Exchange and /Public virtual directories; enrolled
>clients and installed client certificates for using digital IDs and mail
>encryption;
>2. Configured automatic redirection of all OWA HTTP requests to HTTPS as
>described in KB 839357.
>At this stage, OWA over HTTPS is working fine. Clients can connect to any
>server and are being redirected to SSL session with the back-end server
>seamlessly. "Back-end" is still just a term at this moment, both servers
>have equal rights so far.
>Mail encryption and digital signatures also seem to work fine.
>3. Designated this Exchange server as a front-end (checkbox in server
>properties). Now - I guess - I have the front-end - back-end topology
>working.
>4. Installed RPC Proxy component on the front-end server.
>5. Configured front-end server as RPC Proxy and back-end server as RPC Proxy
>back-end (radiobox in server properties)
>6. Added a registry setting for NSPI proxy interface in the NTDS service
>properties on the Global Catalog. Verified that it is now listening on port
>6004.
>7. Verified that the front-end server registry settings for the Valid Ports
>(Software\Microsoft\RPC\RPCProxy) list ports 6001-6002 and 6004 of the
>back-end server. Contrary to what MS KB articles say, these settings cannot
>be changed - Exchange overwrites them with what it considers correct during
>next DSAccess sync attempt. Well, I guess this is a correct behavior.
>8. Configured RPC virtual directory on the IIS to require SSL and to use
>basic authentication plus integrated Windows authentication.
>9. Configured Outlook client to use Exchange over Internet proxy. Specified
>front-end server's FQDN as both proxy address and mutual authentication
>server's address (used "msstd:" prefix for the latter). Selected both
>checkboxes for the fast and slow networks connection priority. Configured to
>use basic authentication.
>
>I believe that's pretty much it. Now what I see is: when the client
>connects, it tries to establish the HTTPS session - for some reason, to the
>back-end (???); there are also two connecting attempts to the Directory,
>without specifying a server name yet. When I enter the username/password (I
>configured Outlook to use basic authentication specifically to have this
>prompt), it immediately fails over the TCP/IP connection to both Exchange
>back-end and GC servers.
>
>What did I do wrong and what must I do to make the whole thing work?
>
>Please help. Thanks a lot in advance!
>
>Boris Lokhvitsky, MCSE 2003/2000/NT
>
I've battled through this and the first question I need to ask of you
is around the certificates.
Are the PCs on the same domain as the Exchange server?
Do the PCs from which you are attempting access have the Root
Certificate and Server certificate loaded?
If you don't have the certificate loaded then you will not get access
to RPC over HTTPS.
If you use OWA do you get the old box with the 3 questions about
certificate trustworthiness, date validity and name validity? OWA will
pop that box up and let you say yes; RPC over HTTPS, like ActiveSync,
will not give you that box and will refuse to connect.
Mark Arnold MCSA MCSE+M MVP,
FAQ: http://www.swinc.com/resource/exchange.htm
Blog: http://www.msexchange.me.uk
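
The three checks named in the reply above (trust, date, name) can be tested from the client PC without Outlook. This is an added example, not part of the original post; the host name is a placeholder for the front-end server's FQDN, and the script assumes Windows PowerShell with the .NET SslStream class.

```powershell
# Added diagnostic example; 'frontend.example.com' is a placeholder host name.
param([string]$ProxyHost = 'frontend.example.com', [int]$Port = 443)

$seen = @{ Errors = $null; Chain = @(); Cert = $null }

# Diagnostic only: record what Windows objects to and let the handshake finish
# so every problem is reported at once. Do not reuse this callback in real clients.
$callback = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $seen.Errors = $sslPolicyErrors
    if ($chain) { $seen.Chain = @($chain.ChainStatus | ForEach-Object { $_.Status }) }
    if ($certificate) {
        $seen.Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
    }
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($ProxyHost, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    # The name passed here is the one the certificate is checked against,
    # i.e. the proxy address entered in the Outlook profile.
    $ssl.AuthenticateAsClient($ProxyHost)
}
finally {
    $tcp.Close()
}

$now          = Get-Date
$cert         = $seen.Cert
$nameMismatch = [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
# Chain flags that mean the issuing CA is not trusted on this machine.
$untrusted    = @($seen.Chain | Where-Object { @('UntrustedRoot', 'PartialChain') -contains "$_" })

New-Object PSObject -Property @{
    Subject    = $cert.Subject
    Issuer     = $cert.Issuer
    TrustedCA  = ($untrusted.Count -eq 0)                                  # trustworthiness
    DateValid  = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)   # date validity
    NameMatch  = -not ([int]$seen.Errors -band [int]$nameMismatch)         # name validity
    ChainFlags = ($seen.Chain -join ', ')
}
```

Any value of False in TrustedCA, DateValid or NameMatch corresponds to one of the three OWA prompts, which RPC over HTTPS treats as a refusal to connect.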