RE: RPC over HTTP authentication woes

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 17 Nov 2005 20:38:11 -0600

Sounds like my daughter. I never knew anyone who could talk non-stop for
three hours and not say anything I remember. :)

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

 

> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
> Sent: Thursday, November 17, 2005 7:58 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: RPC over HTTP authentication woes
> 
> http://www.ISAserver.org
> 
> Oh; she is...
> ..until she starts to tell a story.
> It's a verbal roller coaster if ever there was one...
> :-0 
> 
> 
> -------------------------------------------------------
>    Jim Harrison
>    MCP(NT4, W2K), A+, Network+, PCG
>    http://isaserver.org/Jim_Harrison/
>    http://isatools.org
>    Read the help / books / articles!
> -------------------------------------------------------
>  
> 
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
> Sent: Thursday, November 17, 2005 17:49
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: RPC over HTTP authentication woes
> 
> http://www.ISAserver.org
> 
> LOL! See, I was convinced that she was a very pleasant and 
> polite girl.
> I'll get you back by enjoying her stories.
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
> 
>  
> 
> > -----Original Message-----
> > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > Sent: Thursday, November 17, 2005 7:39 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: RPC over HTTP authentication woes
> > 
> > http://www.ISAserver.org
> > 
> > I'll just wait till you come back in Jan and make you listen to my 
> > daughter tell a story...
> > ..it's painful...
> > :-p
> > 
> > -------------------------------------------------------
> >    Jim Harrison
> >    MCP(NT4, W2K), A+, Network+, PCG
> >    http://isaserver.org/Jim_Harrison/
> >    http://isatools.org
> >    Read the help / books / articles!
> > -------------------------------------------------------
> >  
> > 
> > -----Original Message-----
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > Sent: Thursday, November 17, 2005 17:27
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: RPC over HTTP authentication woes
> > 
> > http://www.ISAserver.org
> > 
> > Hi Jeff,
> > 
> > Ho boy.
> > 
> > That is a very old article that I really need to update. It was
> > written in the days when you couldn't find information on how to
> > configure RPC/HTTP anywhere on the Microsoft site, except for some
> > cr*p references from the Office team (who understand networking
> > like I understand hog farming).
> > 
> > Anyhow, the client configuration section in that article is weak at
> > best, incompetent is closer to the truth. If you look at the log file
> > entries, you'll see that the connection is made to the EXCHANGE2003BE
> > machine, which is the mailbox server, not the FE machine. I showed the
> > name of the FE Exchange Server because that is how the client accesses
> > the RPC/HTTP proxy, which was kind enough to find the name of the BE
> > Exchange Server, but I didn't show that process.
> > 
> > So, my bad. The name of the RPC proxy should be put in the proxy
> > sections, and the mailbox server should be placed in the SERVER NAME
> > section of the client.
> > 
> > Jim can now beat me with a Mullen noodle.
> > 
> > HTH,
> > Tom
> > 
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://spaces.msn.com/members/drisa/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > **Who is John Galt?**
> > 
> >  
> > 
> > > -----Original Message-----
> > > From: Bunting, Jeff [mailto:BUNTING@xxxxxxxxxxxx]
> > > Sent: Thursday, November 17, 2005 7:01 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: RPC over HTTP authentication woes
> > > 
> > > http://www.ISAserver.org
> > > 
> > > OK, since our favorite firewall has been exonerated, can I step into
> > > OT land for a second and ask "would my likely suspect be the front end
> > > exchange server?"
> > > 
> > > I was going by this to configure outlook:
> > > http://www.msexchange.org/tutorials/outlookrpchttp.html
> > > 
> > > Thanks,
> > > Jeff
> > > 
> > > -----Original Message-----
> > > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > > Sent: Thursday, November 17, 2005 7:13 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: RPC over HTTP authentication woes
> > > 
> > > http://www.ISAserver.org
> > > 
> > > ARRRGGG!
> > > 
> > > I should have realized the fact that 99% of the time it's not an ISA
> > > firewall problem!
> > > 
> > > Thanks for the update.
> > > 
> > > Jim wins again :)
> > > 
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org
> > > Blog: http://spaces.msn.com/members/drisa/
> > > Book: http://tinyurl.com/3xqb7
> > > MVP -- ISA Firewalls
> > > 
> > >  
> > > 
> > > > -----Original Message-----
> > > > From: Bunting, Jeff [mailto:BUNTING@xxxxxxxxxxxx]
> > > > Sent: Thursday, November 17, 2005 4:33 PM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: RPC over HTTP authentication woes
> > > > 
> > > > http://www.ISAserver.org
> > > > 
> > > > I got it working, but I'm not sure precisely why it wasn't working.
> > > > 
> > > > I noticed that there was nothing in the FE IIS logs going to the BE
> > > > server.
> > > > 
> > > > In my Outlook profile I changed the mailbox server to the name of the
> > > > BE server on which my mailbox physically resides and it worked!
> > > > Previously, I had the FE server listed.  I thought the FE would be able
> > > > to look up where the mailbox really is and redirect me.  Is this what
> > > > is supposed to happen?
> > > > 
> > > > Jeff
> > > > 
> > > > 
> > > > 
> > > > -----Original Message-----
> > > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > > > Sent: Thursday, November 17, 2005 4:08 PM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: RPC over HTTP authentication woes
> > > > 
> > > > http://www.ISAserver.org
> > > > 
> > > > Nah - that's a 500 response from ISA. 
> > > > What does the IIS log contain for the "RPC_IN_DATA" connections?
> > > > 
> > > > -------------------------------------------------------
> > > >    Jim Harrison
> > > >    MCP(NT4, W2K), A+, Network+, PCG
> > > >    http://isaserver.org/Jim_Harrison/
> > > >    http://isatools.org
> > > >    Read the help / books / articles!
> > > > -------------------------------------------------------
> > > >  
> > > > 
> > > > -----Original Message-----
> > > > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > > > Sent: Thursday, November 17, 2005 13:03
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: RPC over HTTP authentication woes
> > > > 
> > > > http://www.ISAserver.org
> > > > 
> > > > My guess is that the To tab and the certs don't match up.
> > > > 
> > > > Thomas W Shinder, M.D.
> > > > Site: www.isaserver.org
> > > > Blog: http://spaces.msn.com/members/drisa/
> > > > Book: http://tinyurl.com/3xqb7
> > > > MVP -- ISA Firewalls
> > > > **Who is John Galt?**
> > > > 
> > > >  
> > > > 
> > > > > -----Original Message-----
> > > > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > > > > Sent: Thursday, November 17, 2005 2:56 PM
> > > > > To: [ISAserver.org Discussion List]
> > > > > Subject: [isalist] RE: RPC over HTTP authentication woes
> > > > > 
> > > > > http://www.ISAserver.org
> > > > > 
> > > > > That code is a WinError:
> > > > > "The specified network name is no longer available" 
> > > > > 
> > > > > This means the connection between the ISA and the Exch has been
> > > > > broken.
> > > > > 
> > > > > -------------------------------------------------------
> > > > >    Jim Harrison
> > > > >    MCP(NT4, W2K), A+, Network+, PCG
> > > > >    http://isaserver.org/Jim_Harrison/
> > > > >    http://isatools.org
> > > > >    Read the help / books / articles!
> > > > > -------------------------------------------------------
> > > > >  
> > > > > 
> > > > > -----Original Message-----
> > > > > From: Bunting, Jeff [mailto:BUNTING@xxxxxxxxxxxx]
> > > > > Sent: Thursday, November 17, 2005 12:51
> > > > > To: [ISAserver.org Discussion List]
> > > > > Subject: [isalist] RE: RPC over HTTP authentication woes
> > > > > 
> > > > > http://www.ISAserver.org
> > > > > 
> > > > > The ISA log has 64 for HTTP status code and 0xa03 for error 
> > > > > information.
> > > > > there's just a "-" in the filter information field.
> > > > > 
> > > > > -----Original Message-----
> > > > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > > > > Sent: Thursday, November 17, 2005 3:33 PM
> > > > > To: [ISAserver.org Discussion List]
> > > > > Subject: [isalist] RE: RPC over HTTP authentication woes
> > > > > 
> > > > > http://www.ISAserver.org
> > > > > 
> > > > > What's the code for the "failed" connection?
> > > > > What's in the "Filter data" field for the failed connection?
> > > > > 
> > > > > -------------------------------------------------------
> > > > >    Jim Harrison
> > > > >    MCP(NT4, W2K), A+, Network+, PCG
> > > > >    http://isaserver.org/Jim_Harrison/
> > > > >    http://isatools.org
> > > > >    Read the help / books / articles!
> > > > > -------------------------------------------------------
> > > > >  
> > > > > 
> > > > > -----Original Message-----
> > > > > From: Bunting, Jeff [mailto:BUNTING@xxxxxxxxxxxx]
> > > > > Sent: Thursday, November 17, 2005 12:27
> > > > > To: [ISAserver.org Discussion List]
> > > > > Subject: [isalist] RE: RPC over HTTP authentication woes
> > > > > 
> > > > > http://www.ISAserver.org
> > > > > 
> > > > > I'm seeing 200's in the W3SVC1 logs on the Exchange front end server.
> > > > > 
> > > > > On the ISA server logs I see two "initiated connection" HTTPS entries
> > > > > from ISA to FE.
> > > > > 
> > > > > These are immediately followed by the "allowed connection"
> > > > > (RPC_OUT_DATA) and "failed connection" (RPC_IN_DATA) attempt log
> > > > > entries from my "RPC over HTTP" rule.
> > > > > 
> > > > > Finally, two "Closed connection" entries for the HTTPS connections.
> > > > > 
> > > > > Then the whole thing repeats as it tries to connect again.
> > > > > 
> > > > > I'm thinking something is still screwed up with my ISA configuration;
> > > > > RPC over HTTP is working internally.
> > > > > 
> > > > > Jeff
> > > > > 
> > > > > -----Original Message-----
> > > > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > > > > Sent: Thursday, November 17, 2005 11:44 AM
> > > > > To: [ISAserver.org Discussion List]
> > > > > Subject: [isalist] RE: RPC over HTTP authentication woes
> > > > > 
> > > > > http://www.ISAserver.org
> > > > > 
> > > > > ..maybe - it depends on the error code. 
> > > > > If you're seeing "200", then it's coming from the Exch server.
> > > > > 
> > > > > -------------------------------------------------------
> > > > >    Jim Harrison
> > > > >    MCP(NT4, W2K), A+, Network+, PCG
> > > > >    http://isaserver.org/Jim_Harrison/
> > > > >    http://isatools.org
> > > > >    Read the help / books / articles!
> > > > > -------------------------------------------------------
> > > > >  
> > > > > 
> > > > > -----Original Message-----
> > > > > From: Bunting, Jeff [mailto:BUNTING@xxxxxxxxxxxx]
> > > > > Sent: Thursday, November 17, 2005 07:50
> > > > > To: [ISAserver.org Discussion List]
> > > > > Subject: [isalist] RE: RPC over HTTP authentication woes
> > > > > 
> > > > > http://www.ISAserver.org
> > > > > 
> > > > > same rule; is the data in the error code information column on the ISA
> > > > > logs the value it is getting back from rpcproxy.dll?
> > > > > 
> > > > > 
> > > > > 
> > > > > -----Original Message-----
> > > > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > > > > Sent: Wednesday, November 16, 2005 6:15 PM
> > > > > To: [ISAserver.org Discussion List]
> > > > > Subject: [isalist] RE: RPC over HTTP authentication woes
> > > > > 
> > > > > http://www.ISAserver.org
> > > > > 
> > > > > Unless you see different rules quoted for each, now you're 
> > > > > troubleshooting Exchange...
> > > > > ..
> > > > > 
> > > > > -------------------------------------------------------
> > > > >    Jim Harrison
> > > > >    MCP(NT4, W2K), A+, Network+, PCG
> > > > >    http://isaserver.org/Jim_Harrison/
> > > > >    http://isatools.org
> > > > >    Read the help / books / articles!
> > > > > -------------------------------------------------------
> > > > >  
> > > > > 
> > > > > -----Original Message-----
> > > > > From: Bunting, Jeff [mailto:BUNTING@xxxxxxxxxxxx]
> > > > > Sent: Wednesday, November 16, 2005 15:12
> > > > > To: [ISAserver.org Discussion List]
> > > > > Subject: [isalist] RE: RPC over HTTP authentication woes
> > > > > 
> > > > > http://www.ISAserver.org
> > > > > 
> > > > > Thanks Jim, I knew 200 was a good thing, so hoped I was making some
> > > > > progress.
> > > > > 
> > > > > I'm running outlook with the rpcdiag switch on the client.
> > > > > Upon launching, Outlook prompts me for credentials and I see
> > > > > status of "connecting" for the exchange proxy and the directory in the
> > > > > server connection status dialog.
> > > > > These disappear after a little while and I get the "your exchange
> > > > > server is unavailable" dialog.
> > > > > 
> > > > > On the proxy server logs, I'm seeing "Failed Connection Attempt" on
> > > > > the RPC_IN_DATA queries and "Allowed Connection"
> > > > > on the RPC_OUT_DATA URL.
> > > > > 
> > > > > Jeff
> > > > > 
> > > > > 
> > > > > -----Original Message-----
> > > > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > > > > Sent: Wednesday, November 16, 2005 5:39 PM
> > > > > To: [ISAserver.org Discussion List]
> > > > > Subject: [isalist] RE: RPC over HTTP authentication woes
> > > > > 
> > > > > http://www.ISAserver.org
> > > > > 
> > > > > Er..
> > > > > 
> > > > > Result codes of "200" are success codes. 
> > > > > What exactly is the client experience?
> > > > > What do you find in the ISA logs for those recent tests?
> > > > > 
> > > > > -------------------------------------------------------
> > > > >    Jim Harrison
> > > > >    MCP(NT4, W2K), A+, Network+, PCG
> > > > >    http://isaserver.org/Jim_Harrison/
> > > > >    http://isatools.org
> > > > >    Read the help / books / articles!
> > > > > -------------------------------------------------------
> > > > >  
> > > > > 
> > > > > -----Original Message-----
> > > > > From: Bunting, Jeff [mailto:BUNTING@xxxxxxxxxxxx]
> > > > > Sent: Wednesday, November 16, 2005 14:32
> > > > > To: [ISAserver.org Discussion List]
> > > > > Subject: [isalist] RE: RPC over HTTP authentication woes
> > > > > 
> > > > > http://www.ISAserver.org
> > > > > 
> > > > > Tom,
> > > > >  
> > > > > I had it set for all users.  I tried switching it to only
> > > > > authenticated & forward basic authentication and did get 200 result
> > > > > codes in the front end server WWW logs, but it is still failing.
> > > > > 
> > > > > Thanks,
> > > > > Jeff
> > > > >  
> > > > > ________________________________
> > > > > 
> > > > > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > > > > Sent: Wednesday, November 16, 2005 4:50 PM
> > > > > To: [ISAserver.org Discussion List]
> > > > > Subject: [isalist] RE: RPC over HTTP authentication woes
> > > > > 
> > > > > 
> > > > > http://www.ISAserver.org
> > > > > 
> > > > > Hi Jeff,
> > > > >  
> > > > > Are you forcing authentication at the ISA firewall, or does the Web
> > > > > Publishing Rule allow access to "all users"?
> > > > >  
> > > > > Thomas W Shinder, M.D.
> > > > > Site: www.isaserver.org <http://www.isaserver.org/>
> > > > > Blog: http://spaces.msn.com/members/drisa/
> > > > > Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
> > > > > MVP -- ISA Firewalls
> > > > > **Who is John Galt?**
> > > > > 
> > > > >  
> > > > > 
> > > > > 
> > > > > ________________________________
> > > > > 
> > > > >       From: Bunting, Jeff [mailto:BUNTING@xxxxxxxxxxxx] 
> > > > >       Sent: Wednesday, November 16, 2005 3:42 PM
> > > > >       To: [ISAserver.org Discussion List]
> > > > >       Subject: [isalist] RPC over HTTP authentication woes
> > > > >       
> > > > >       
> > > > >       http://www.ISAserver.org
> > > > >       
> > > > > 
> > > > >       I have ISA 2004 sitting on the outside, with rules to allow RPC over
> > > > > HTTP access to the Exchange FE server.  I think this is all configured
> > > > > OK.
> > > > > RPC over HTTP is working OK internally.  I also have OWA working using
> > > > > a different listener (FBA).
> > > > > 
> > > > >       Whenever I try to make an external RPC connection it is failing.
> > > > > I'm seeing my username shown in the ISA logs, but in the WWW logs for
> > > > > the exchange proxy server I am seeing entries with status 401.2 and
> > > > > win32 error 2148074254, so I think something is wrong with the user
> > > > > authentication.
> > > > > From the logs (with time/date and ip info removed):
> > > > > 
> > > > >       RPC_IN_DATA /rpc/rpcproxy.dll frontend.andassoc.com:6002 443 - xxx.xxx.xxx.xxx MSRPC 401 2 2148074254
> > > > >       RPC_OUT_DATA /rpc/rpcproxy.dll frontend.andassoc.com:6002 443 - xxx.xxx.xxx.xxx MSRPC 401 2 2148074254
> > > > > 
> > > > >       I have the RPC listener set to use basic authentication as well as
> > > > > the exchange IIS rpc virtual directory.  The RPC listener also has a
> > > > > certificate bearing the FQDN of the exchange front end server.
> > > > > 
> > > > >       Any help appreciated. This might not be an ISA issue since I seem to
> > > > > be reaching the internal Exchange proxy.
> > > > > 
> > > > >       Jeff
> > > > > 
> > > > > 
> > > > >       ------------------------------------------------------
> 
> > 
> > 
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion 
> List as: jim@xxxxxxxxxxxx To unsubscribe visit 
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> All mail to and from this domain is GFI-scanned.
> 
> 
> 
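
As an added example (not code from any poster in this thread): a small Python parser for the W3SVC `rpcproxy.dll` entries quoted in the original post. It decodes the win32 status and flags requests whose `host:port` target is not a known mailbox server, which is the misconfiguration the thread ends up finding. The field order, the third sample line and the name `backend.example.test` are assumptions.

```python
from dataclasses import dataclass

# Field order assumed from the excerpt in the thread (date/time and IP columns removed).
FIELDS = ("method", "uri_stem", "uri_query", "port", "username",
          "client_ip", "user_agent", "status", "substatus", "win32")

# Only the status values that come up in the thread.
WIN32_NAMES = {
    0x00000000: "success",
    0x00000040: "ERROR_NETNAME_DELETED (the specified network name is no longer available)",
    0x8009030E: "SEC_E_NO_CREDENTIALS (no credentials are available in the security package)",
}


@dataclass
class RpcProxyHit:
    method: str
    target_host: str   # server the Outlook profile asked the RPC proxy to reach
    target_port: int
    username: str      # "-" means the request was logged without a user
    status: str        # sc-status.sc-substatus, e.g. "401.2"
    win32_hex: str
    win32_name: str


def parse_hit(line: str) -> RpcProxyHit:
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    host, sep, port = rec["uri_query"].rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"query is not host:port: {rec['uri_query']!r}")
    code = int(rec["win32"]) & 0xFFFFFFFF  # IIS logs the value as unsigned decimal
    return RpcProxyHit(rec["method"], host.lower(), int(port), rec["username"],
                       f"{rec['status']}.{rec['substatus']}",
                       f"0x{code:08X}", WIN32_NAMES.get(code, "unknown"))


def triage(hit: RpcProxyHit, mailbox_servers: set) -> list:
    notes = []
    if hit.target_host not in mailbox_servers:
        notes.append("target-not-mailbox-server")
    if hit.status.startswith("401") and hit.username == "-":
        notes.append("rejected-without-username")
    if hit.win32_name not in ("success", "unknown"):
        notes.append(hit.win32_name.split()[0])
    return notes


# First two lines are from the thread; the third is constructed for contrast.
SAMPLE = """\
RPC_IN_DATA /rpc/rpcproxy.dll frontend.andassoc.com:6002 443 - xxx.xxx.xxx.xxx MSRPC 401 2 2148074254
RPC_OUT_DATA /rpc/rpcproxy.dll frontend.andassoc.com:6002 443 - xxx.xxx.xxx.xxx MSRPC 401 2 2148074254
RPC_IN_DATA /rpc/rpcproxy.dll backend.example.test:6002 443 EXAMPLE\\jeff 192.0.2.10 MSRPC 200 0 0
"""
MAILBOX_SERVERS = {"backend.example.test"}  # hypothetical back-end name

if __name__ == "__main__":
    for line in SAMPLE.splitlines():
        hit = parse_hit(line)
        print(hit.method, hit.target_host, hit.status, hit.win32_hex,
              triage(hit, MAILBOX_SERVERS))
```
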

