Outlook over http

Guest

Hello,

Server

I have 1 DC (W2k3SRV) and 1 Exchange 2k3 SP1 server.
Add service RPC over HTTP.

In the registry, modify the key
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\RpcProxy\
Key name: ValidPort

ExchangeServer:593; ExchangeServerFQDN:593; ExchangeServer:6001-6002; ExchangeServerFQDN:6001-6002; ExchangeServer:6004; ExchangeServerFQDN:6004

In IIS, in the default site, remove anonymous access and modify basic authentication in the RPC virtual site.

In the registry, add the key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
NSPI interface protocol sequences : ncacn_http:6004

Client

My client is XP SP1, up to date, with Outlook 2003.
I applied MS KB 331320.

Create a new Outlook account and add the Exchange Server FQDN as the server name. Mark "Use Cache...."

In the connection tab, add the Exchange Server FQDN in the URL field.
Mark "On fast networks, connect using HTTP first, then TCP/IP and
On slow networks, connect using HTTP first, then connect using TCP/IP"

In proxy authentication settings, use NTLM authentication.


The problem I have is that once I am authenticated by the login screen, the same login screen starts to loop without stopping, so I have to redo the authentication indefinitely.

Has anyone experienced the same error? I don't think it's a bug but a configuration error.

Thanks in advance

(e-mail address removed)
 
Jamelia

I think you should change your proxy authentication setting to Basic Authentication

Jamelia



Guest

I tried this configuration and I encountered the same problem.
When I set Basic Authentication in Outlook, the URL changes to HTTPS, and I want it to authenticate over HTTP.

Do you have other suggestions?
Thanks
 
neo [mvp outlook]

The default configuration for the RPC/HTTP proxy under IIS does not allow
anonymous access. Therefore you need to change the configuration in the IIS
snapin and accept the consequences that you are lowering security and
exposing the network to some risk.

Outside of that and since you are running Win2k3 internally, you really
should set up an internal certificate authority if you can't afford to
purchase public certificates. Just remember that if you go this route, all
machines must have a copy of the root certificate installed on them. (The
RPC/HTTP component needs to be able to verify the web server certificate +
every certificate above it to the signing certificate authority.)


sfourtine said:
I tried this configuration and I encountered the same problem.
When I set Basic Authentication in Outlook, the URL changes to HTTPS,
and I want it to authenticate over HTTP.
 
neo [mvp outlook]

Oops... forgot to tell you that there is an allowanonymous registry value
for the RPCProxy as well.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/rpc_over_http_security.asp
should be helpful in explaining what is going on by default when this key is
missing or set to a non-zero value.

sfourtine said:
I set the IIS Directory Security to Anonymous and cleared all other types
of authentication. But I still have the same problem: "an endless authentication
requests for the Exchange server". The CA is my OWA (front-end), so how do I let
the back-end as well as the clients verify the signed certificate?
 
Guest

Dear;

The following procedures did not resolve the issue of endless authentication screens. It's not normal that MS cannot produce a functional step-by-step guide for the deployment of Outlook over HTTP. This new feature is in high demand from many clients, and to this day I haven't seen a working configuration.

Anyway, thanks for your help. Maybe it'll be OK with the next service pack ;-)
 
Jamelia

The RPC Directory should NOT be configured with anonymous access. I really think you should read the whitepaper from Microsoft (see my earlier post). It really has some good information on how to configure both the Server and the Client side.

To configure the RPC over HTTP virtual directory

1. Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

2. In Internet Information Services (IIS) Manager, in the console tree, expand the server you want, expand Web Sites, expand Default Web Site, right-click the RPC virtual directory, and then click Properties.

3. In RPC Virtual Directory Properties page, on the Directory Security tab, in the Authentication and access control pane, click Edit.

4. On the Authentication Methods window, verify that the check box next to Enable anonymous access is cleared.

Note: RPC over HTTP does not allow anonymous access by default despite what the user interface shows.

5. On the Authentication Methods window, under Authenticated access, select the check box next to Basic authentication (password is sent in clear text), and ensure the check box next to Integrated Windows authentication (NTLM) is checked, and then click OK.

6. To save your settings, click Apply, and then click OK.

7. Ensure that you have a valid SSL certificate installed on the virtual server.

Your RPC virtual directory is now ready to use Basic and NTLM authentication.



Jamelia






Guest

Dear;
This is exactly what I configured on the Front-end server. And when we test this configuration via the URL https:\\x.y.D.Z\rpc I have the 403.2 error msg.
But via Outlook I still have the same problem.
 
Jamelia

Can you tell me why you have added ExchangeServer:593; ExchangeServerFQDN:593 in HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\RpcProxy\ ?

Jamelia



Jamelia

Because I found your problem a bit interesting, I decided to set up RPC over HTTP in a test environment with one W2k3 DC/GC and one Exchange Server 2003 SP1 installed on a Member Server.


This is how I got RPC over HTTP(S) to work:

Installed a CA Enterprise on my GC
Installed RPC over HTTP on the Exchange Server
Added a certificate on the Default Web Site with the common name ExchangeserverFQDN
Removed Anonymous Access and added Basic Authentication on the RPC Virtual Directory

In the registry on my ExchangeServer I modified the key ValidPort under HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\RpcProxy\ with the following value

ExchangeserverNetBIOS:593;ExchangeserverFQDN:593;ExchangeserverNetBIOS:6001-6002;ExchangeserverFQDN:6001-6002;ExchangeserverNetBIOS:6004;ExchangeserverFQDN:6004;GCNetBIOS:593;GCFQDN:593;GCNetBIOS:6004;GCFQDN:6004

In the registry on my GC I added a Multi-String Value with the name "NSPI interface protocol sequences" and value ncacn_http:6004 under the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

For the proxy authentication settings in my Outlook Profile I used Basic Authentication.


You haven't added the settings for your GC in the key validport and that may be the reason for the problems you are having. Hope this will help.

Jamelia
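
The ValidPorts value acts as an allow-list of the server:port pairs the RPC proxy will forward to, so the check suggested above can be done mechanically. The following is an added example, not part of the original posts: it parses a ValidPorts-style string and reports which required pairs are absent. The host names (exch01, gc01, example.local) and the required-port table are constructed for illustration, based on the ports listed in the post above.

```python
import re

ENTRY = re.compile(r"([^:]+):(\d+)(?:-(\d+))?")

def parse_valid_ports(value):
    """Parse 'host:port;host:lo-hi;...' into {lowercase_host: set_of_ports}."""
    allowed = {}
    # Drop all whitespace: values pasted from posts often wrap mid-entry.
    for entry in re.sub(r"\s+", "", value).split(";"):
        if not entry:
            continue  # tolerate a trailing semicolon
        m = ENTRY.fullmatch(entry)
        if not m:
            raise ValueError(f"malformed ValidPorts entry: {entry!r}")
        lo = int(m.group(2))
        hi = int(m.group(3) or lo)
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port range in entry: {entry!r}")
        allowed.setdefault(m.group(1).lower(), set()).update(range(lo, hi + 1))
    return allowed

def missing_entries(value, required):
    """Return sorted (host, port) pairs in `required` that the value does not allow."""
    allowed = parse_valid_ports(value)
    return sorted((host, port)
                  for host, ports in required.items()
                  for port in ports
                  if port not in allowed.get(host.lower(), set()))

# Constructed names; ports taken from the configuration described in the thread.
EXCH_PORTS = {593, 6001, 6002, 6004}
GC_PORTS = {593, 6004}
REQUIRED = {
    "exch01": EXCH_PORTS, "exch01.example.local": EXCH_PORTS,
    "gc01": GC_PORTS, "gc01.example.local": GC_PORTS,
}

# Constructed sample mirroring the first post: Exchange entries only, no GC.
SAMPLE_NO_GC = ("exch01:593; exch01.example.local:593; exch01:6001-6002; "
                "exch01.example.local:6001-6002; exch01:6004; "
                "exch01.example.local:6004")
# Same value with GC entries appended, including a line wrap inside one entry.
SAMPLE_WITH_GC = (SAMPLE_NO_GC + ";gc01:593;gc01.example.local:593;gc01:\n6004;"
                  "gc01.example.local:6004")

if __name__ == "__main__":
    for host, port in missing_entries(SAMPLE_NO_GC, REQUIRED):
        print(f"not allowed by ValidPorts: {host}:{port}")
```

Entries that the check reports as unexpected additions matter as much as missing ones, since every listed pair is a destination the proxy will relay to.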
 
td

Jamelia,

Since SP1 you don't need to enter the 593 or even the GC at all. The
validports key is entered automatically anyway every 15 minutes.

However, I have another problem.
We migrated from a Windows 2000 - Exchange 2000 FE/BE configuration to
Windows 2003 - Exchange 2003. Went like a charm.
Now we want to use the RPC over HTTP so I made sure we were on
Exchange 2003 SP1 for both machines. I set my BE server to be BE for
RPC over HTTP. I set my FE server to be FE for RPC over HTTP.
My OWA is working normally. Certificate is ok.
* https://publicname/rpc is returning the expected result.
* rpcping to the RPC Proxy server (with the -E switch) returns 200
(OK)
* rpcping to the BE server (ex. with -e 6001) returns nothing. It is
just waiting. Which is the same we experience when trying to connect
through outlook. In the connections status windows the status remains
on 'connecting' but nothing happens.
* netstat -a on the BE server shows ports 6001, 6002 and 6004
listening.
* The FE is located in the DMZ but the FW shows no dropped packets.
* Before migrating our production systems, I did set up a test
environment, where I went through the complete migration +
configuration of RPC/HTTPs, without having encountered this problem.

Is there any way to further troubleshoot this problem?
Any help would be greatly appreciated.

Toon.
 
