RE: RPC over HTTP authentication woes
- From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Thu, 17 Nov 2005 15:03:18 -0600
My guess is that the To tab and the certs don't match up.
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Thursday, November 17, 2005 2:56 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: RPC over HTTP authentication woes
>
> http://www.ISAserver.org
>
> That code is a WinError:
> "The specified network name is no longer available"
>
> This means the connection between the ISA and the Exch has
> been broken.
>
> -------------------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> -------------------------------------------------------
>
>
> -----Original Message-----
> From: Bunting, Jeff [mailto:BUNTING@xxxxxxxxxxxx]
> Sent: Thursday, November 17, 2005 12:51
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: RPC over HTTP authentication woes
>
> http://www.ISAserver.org
>
> The ISA log has 64 for HTTP status code and 0xa03 for error
> information.
> there's just a "-" in the filter information field.
>
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Thursday, November 17, 2005 3:33 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: RPC over HTTP authentication woes
>
> http://www.ISAserver.org
>
> What's the code for the "failed" connection?
> What's in the "Filter data" field for the failed connection?
>
> -------------------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> -------------------------------------------------------
>
>
> -----Original Message-----
> From: Bunting, Jeff [mailto:BUNTING@xxxxxxxxxxxx]
> Sent: Thursday, November 17, 2005 12:27
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: RPC over HTTP authentication woes
>
> http://www.ISAserver.org
>
> I'm seeing 200's in the W3SVC1 logs on the Exchange front end server.
>
> On the ISA server logs I see two "initated connection" HTTPS
> entries from ISA to FE.
>
> These are immediately followed by the "allowed connection"
> (RPC_OUT_DATA) and "failed connection" (RPC_IN_DATA) attempt
> log entries from my "RPC over HTTP" rule.
>
> Finally, two "Closed connection" entries for the HTTPS connections.
>
> Then the whole thing repeats as it tries to connect again.
>
> I'm thinking something is still screwed up with my ISA
> configuration; RPC over HTTP is working internally.
>
> Jeff
>
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Thursday, November 17, 2005 11:44 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: RPC over HTTP authentication woes
>
> http://www.ISAserver.org
>
> ..maybe - it depends on the error code.
> If you're seeing "200", then it's coming from the Exch server.
>
> -------------------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> -------------------------------------------------------
>
>
> -----Original Message-----
> From: Bunting, Jeff [mailto:BUNTING@xxxxxxxxxxxx]
> Sent: Thursday, November 17, 2005 07:50
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: RPC over HTTP authentication woes
>
> http://www.ISAserver.org
>
> same rule; is the data in the error code information column
> on the ISA logs the value it is getting back from rpcproxy.dll?
>
>
>
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Wednesday, November 16, 2005 6:15 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: RPC over HTTP authentication woes
>
> http://www.ISAserver.org
>
> Unless you see different rules quoted for each, now you're
> troubleshooting Exchange...
> ..
>
> -------------------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> -------------------------------------------------------
>
>
> -----Original Message-----
> From: Bunting, Jeff [mailto:BUNTING@xxxxxxxxxxxx]
> Sent: Wednesday, November 16, 2005 15:12
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: RPC over HTTP authentication woes
>
> http://www.ISAserver.org
>
> Thanks Jim, I knew 200 was a good thing, so hoped I was
> making some progress.
>
> I'm running outlook with the rpcdiag switch on the client.
> Upon launching, Outlook prompts me for credentials and I and
> see status of "connecting" for the exchange proxy and the
> directory in the server connection status dialog.
> These disappear after a little while and I get the "your
> exchange server is unavailable" dialog.
>
> On the proxy server logs, I'm seeing "Failed Connection
> Attempt" on the RPC_IN_DATA queries and "Allowed Connection"
> on the RPC_OUT_DATA URL.
>
> Jeff
>
>
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Wednesday, November 16, 2005 5:39 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: RPC over HTTP authentication woes
>
> http://www.ISAserver.org
>
> Er..
>
> Result codes of "200" are success codes.
> What exactly is the client experience?
> Whjat do you find in the ISA logs for those recent tests?
>
> -------------------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> -------------------------------------------------------
>
>
> -----Original Message-----
> From: Bunting, Jeff [mailto:BUNTING@xxxxxxxxxxxx]
> Sent: Wednesday, November 16, 2005 14:32
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: RPC over HTTP authentication woes
>
> http://www.ISAserver.org
>
> Tom,
>
> I had it set for all users. I tried switching it to only
> authenticated & forward basic authentication and did get 200
> result codes in the front end server WWW logs, but it is
> still failing.
>
> Thanks,
> Jeff
>
> ________________________________
>
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Wednesday, November 16, 2005 4:50 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: RPC over HTTP authentication woes
>
>
> http://www.ISAserver.org
>
> Hi Jeff,
>
> Are you forcing authentication at the ISA firewall, or does
> the Web Publishing Rule allow access to "all users"?
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org <http://www.isaserver.org/>
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> MVP
> -- ISA Firewalls **Who is John Galt?**
>
>
>
>
> ________________________________
>
> From: Bunting, Jeff [mailto:BUNTING@xxxxxxxxxxxx]
> Sent: Wednesday, November 16, 2005 3:42 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RPC over HTTP authentication woes
>
>
> http://www.ISAserver.org
>
>
> I have ISA 2004 sitting on the outside, with rules to
> allow RPC over HTTP access to the Exchange FE server. I
> think this is all configured OK.
> RPC over HTTP is working OK internally. I also have OWA
> working using a different listener (FBA).
>
> Whenever I try to make an external RPC connection it is failing.
> I'm seeing my username shown in the ISA logs, but in the WWW
> logs for the exchange proxy server I am seeing entries with
> status 401.2 and win32 error 2148074254, so I think something
> is wrong with the user authentication.
> from the logs (with time/date and ip info removed):
>
> RPC_IN_DATA /rpc/rpcproxy.dll
> frontend.andassoc.com:6002 443 - xxx.xxx.xxx.xxx MSRPC 401 2
> 2148074254
> RPC_OUT_DATA /rpc/rpcproxy.dll
> frontend.andassoc.com:6002 443 - xxx.xxx.xxx.xxx MSRPC 401 2
> 2148074254
>
> I have the RPC listener set to use basic authentication
> as well as the exchange IIS rpc virtual directory. The RPC
> listener also has a certificate bearing the FQDN of the
> exchange front end server.
>
> Any help appreciated. This might not be an ISA issue
> since I seem to be reaching the internal Exchange proxy.
>
> Jeff
>
>
> ------------------------------------------------------
> List Archives:
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter:
> http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ:
> http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org
> Discussion List
> as: tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> bunting@xxxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> All mail to and from this domain is GFI-scanned.
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> bunting@xxxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> All mail to and from this domain is GFI-scanned.
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> bunting@xxxxxxxxxxxx To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> All mail to and from this domain is GFI-scanned.
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> bunting@xxxxxxxxxxxx To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> All mail to and from this domain is GFI-scanned.
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> bunting@xxxxxxxxxxxx To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion
> List as: jim@xxxxxxxxxxxx To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> All mail to and from this domain is GFI-scanned.
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion
> List as: tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
Other related posts:
