Re: Help with RPC over HTTP and requests for Credentials

From: Daren DiClaudio (duomenox_at_newsgroups.nospam)
Date: 01/13/05


Date: Thu, 13 Jan 2005 15:56:32 -0700


Strange, then why do the 20 other sites I am working with not prompt me?

I have taken the vpn offline at the store I am currently working on to make
sure all traffic runs through the RPC over HTTP setup. I have done this to
another store that is working without prompting for the password as well, to
test the functionality of RPC over HTTP and making sure the store is not
reliant upon the VPN being up to have the ability to interact with their
mail. It works great at the "test" store, but still prompts me at the
"problem" store.

My goal is to not prompt for credentials. That is another reason I am using
NTLM Auth instead of Basic. I am 99% sure it is an issue on the client
machine because the other stores do not have to provide their passwords to
connect.

I am confused as to why using NTLM auth over a VPN would cause issues? The
VPN equipment we use is transparent and the client machine can talk directly
to the internal IP Address of the Domain Controller. When using RPC over
HTTP, the client machine will just connect to the public IP address that
belongs to the mail functions of the Domain Controller and run the RPC
commands over the HTTPS tunnel... or at least that is how I thought it was
working at the other stores.

Any idea why this is one of only 5 stores that are exhibiting this behavior?
All 25 stores have XP SP2, MS Office 2003 SBS edition with all the updates
applied, and do not rely on the VPN to interact with their e-mail. Just 5 of
those stores keep prompting for a password.

Hehe, I am almost bald from this problem :-P

Thanks for your help, I appreciate that someone is responding to my posts.

"Tim Hackbart [MSFT]" <Timhack@online.microsoft.com> wrote in message
news:eBe3QEc%23EHA.2596@tk2msftngp13.phx.gbl...
> Ok, I gotcha..
>
> So you can connect when you supply the correct credentials, I thought you
> were NOT able to connect, even after supplying credentials.
>
> In that case I do think it may be an issue with the VPN and the Domain
> Authentication interacting with both the Auth on the RPC Virtual Directory
> and Auth for Exchange.
>
> Setting Outlook and RPC to use Basic Auth will of course prompt you for
> credentials, then it should work,
>
> I have seen that using Basic Authentication is by far the most robust
> solution, and the one we use here at Microsoft. Using NTLM with VPN can
> cause issues as we are not totally in charge of the credentials that are
> sent. I have seen where the incorrect credentials are sent using NTLM, so
> we go to Basic only on the RPC Virtual Directory, then Always Prompt and
> only use NTLM on the Ol2003 client, and that works. You will be prompted,
> but then you are totally in charge of the credentials sent to the server.
>
>
> --
> Tim Hackbart M.C.S.E.
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> Please do not send email directly to this alias. This alias is for
> newsgroup
> purposes only.
>
> "Daren DiClaudio" <duomenox@newsgroups.nospam> wrote in message
> news:ea0mL0b#EHA.3616@TK2MSFTNGP11.phx.gbl...
>>
>> I will get you more info a little later, but as soon as I try to connect to
>> the server is when it asks. I can run outlook in offline mode just fine.
>>
>> I use NTLM authentication at all my sites (even though RPC over HTTP requires
>> SSL I still like having the added protection) The server and clients are all
>> set up to accept NTLM Authentication. I tried using Basic Auth as a tshoot
>> measure but it didn't change the request for username/password (which if I
>> manually supply it, outlook connects without a problem).
>>
>> Just a little frustrating :-)
>>
>>
>>
>>
>> "Tim Hackbart [MSFT]" <Timhack@online.microsoft.com> wrote in message
>> news:uqJEevb%23EHA.3820@TK2MSFTNGP11.phx.gbl...
>> > What are your Authentication settings on the RPC virtual Directory in the
>> > ISM.
>> >
>> > Also what are your settings in Outlook 2003 for Authentication.
>> >
>> > How far do you get into the Outlook session?
>> > If you launch Outlook with \rpcdiag switch, what do you see in the
>> > connection status dialog box?
>> > 827330 How to troubleshoot client RPC over HTTP connection issues in
>> > Office
>> > http://support.microsoft.com/?id=827330
>> >
>> > I am curious if we are getting past the RPC Proxy Server and then the
>> > Exchange Server is the one that does not like your Credentials.
>> >
>> > --
>> > Tim Hackbart M.C.S.E.
>> > This posting is provided "AS IS" with no warranties, and confers no
>> > rights.
>> >
>> > Please do not send email directly to this alias. This alias is for
>> > newsgroup
>> > purposes only.
>> >
>> > "Daren DiClaudio" <duomenox@newsgroups.nospam> wrote in message
>> > news:#1SaRpb#EHA.2192@TK2MSFTNGP14.phx.gbl...
>> >>
>> >> They do not use a proxy of any sort.
>> >>
>> >> Each location has a direct connection to the internet through a transparent
>> >> firewall and connects to a public IP address for their server via a DSL line
>> >> at each location. It is as direct as you can go.
>> >>
>> >> They can use OWA and I have installed the certificate and added the FQDN
>> >> into the trusted internet sites category in IE's security (that is how I set
>> >> up the 20 other sites).
>> >>
>> >> I have researched this to death, I cannot seem to find what could be causing
>> >> the issue. The only thing I can guess is that there is some obscure registry
>> >> setting that is affecting the use of the current credentials (they are still
>> >> logging into the domain via the VPN).
>> >>
>> >> Any other ideas?
>> >>
>> >> Thank you.
>> >>
>> >>
>> >> "Tim Hackbart [MSFT]" <Timhack@online.microsoft.com> wrote in message
>> >> news:ulPNUca%23EHA.2680@TK2MSFTNGP09.phx.gbl...
>> >> > Daren
>> >> >
>> >> > What are the Proxy/Web Access differences from the 5 locations that do not
>> >> > work?
>> >> >
>> >> > I have seen that in locations that require you to provide authentication to
>> >> > a Web Proxy to access the Internet, this will cause Rpc over Http to fail.
>> >> > So check to see if these locations have Web Proxies that require
>> >> > authentication.
>> >> >
>> >> > Also make sure that you can access OWA using SSL from these locations, that
>> >> > will ensure that you have a good SSL and TCP connection to the Web Server.
>> >> >
>> >> > My guess is that it is a Web Proxy Authentication issue, and currently there
>> >> > is no workaround except to modify the web proxy to NOT prompt for
>> >> > credentials.
>> >> >
>> >> > Let me know if this helps.
>> >> >
>> >> > --
>> >> > Tim Hackbart M.C.S.E.
>> >> > This posting is provided "AS IS" with no warranties, and confers no
>> >> > rights.
>> >> >
>> >> > Please do not send email directly to this alias. This alias is for
>> >> > newsgroup
>> >> > purposes only.
>> >> >
>> >> > "Daren DiClaudio" <duomenox@newsgroups.nospam> wrote in message
>> >> > news:uykL4DZ#EHA.1564@TK2MSFTNGP09.phx.gbl...
>> >> >> Alright,
>> >> >>
>> >> >> I have this set up at about 25 total locations, 20 of which are working
>> >> >> flawlessly. The other 5... well please let me know if you can help!
>> >> >>
>> >> >> I have each location logging into a domain across a VPN. I have implemented
>> >> >> RPC over HTTP to minimize the load on the VPN equipment. The issue is that
>> >> >> at 5 of these sites, they keep asking for the logon credentials when you go
>> >> >> into Exchange.
>> >> >>
>> >> >> I have installed the certificate from the server, I have made sure that the
>> >> >> terminals are using credentials that have not expired. If I allow the
>> >> >> terminals to connect using the normal RPC method that would require the use
>> >> >> of the VPN it works fine, I am pulling my hair out trying to figure out this
>> >> >> issue.
>> >> >>
>> >> >> I suspect it has something to do with a registry setting or other
>> >> >> configuration issue that I have not been able to find in the last month or
>> >> >> so. I have experience with setting this up correctly, but there is something
>> >> >> else wrong.
>> >> >>
>> >> >> Any and all suggestions will be appreciated. I have searched the newsgroups
>> >> >> for possible answers to my issue and the posted responses to previous
>> >> >> questions did not resolve my issue.
>> >> >>
>> >> >> Again, thank you for your help.
>> >> >>
>> >> >> Daren