RE: RPC over HTTP authentication woes

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 16 Nov 2005 15:15:02 -0800

Unless you see different rules quoted for each, now you're troubleshooting 
Exchange... 
..

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: Bunting, Jeff [mailto:BUNTING@xxxxxxxxxxxx] 
Sent: Wednesday, November 16, 2005 15:12
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: RPC over HTTP authentication woes

http://www.ISAserver.org

Thanks Jim, I knew 200 was a good thing, so hoped I was making some progress.

I'm running outlook with the rpcdiag switch on the client.  Upon launching, 
Outlook prompts me for credentials and I and see status of "connecting" for the 
exchange proxy and the directory in the server connection status dialog.
These disappear after a little while and I get the "your exchange server is 
unavailable" dialog.

On the proxy server logs, I'm seeing "Failed Connection Attempt" on the 
RPC_IN_DATA queries and "Allowed Connection" on the RPC_OUT_DATA URL.  

Jeff


-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Wednesday, November 16, 2005 5:39 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: RPC over HTTP authentication woes

http://www.ISAserver.org

Er..

Result codes of "200" are success codes. 
What exactly is the client experience?
Whjat do you find in the ISA logs for those recent tests?

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: Bunting, Jeff [mailto:BUNTING@xxxxxxxxxxxx]
Sent: Wednesday, November 16, 2005 14:32
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: RPC over HTTP authentication woes

http://www.ISAserver.org

Tom,
 
I had it set for all users.  I tried switching it to only authenticated & 
forward basic authentication and did get 200 result codes in the front end 
server WWW logs, but it is still failing.

Thanks,
Jeff
 
________________________________

From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Wednesday, November 16, 2005 4:50 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: RPC over HTTP authentication woes


http://www.ISAserver.org

Hi Jeff,
 
Are you forcing authentication at the ISA firewall, or does the Web Publishing 
Rule allow access to "all users"?
 
Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/>
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> MVP -- ISA Firewalls 
**Who is John Galt?**

 


________________________________

        From: Bunting, Jeff [mailto:BUNTING@xxxxxxxxxxxx] 
        Sent: Wednesday, November 16, 2005 3:42 PM
        To: [ISAserver.org Discussion List]
        Subject: [isalist] RPC over HTTP authentication woes
        
        
        http://www.ISAserver.org
        

        I have ISA 2004 sitting on the outside, with rules to allow RPC over 
HTTP access to the Exchange FE server.  I think this is all configured OK.
RPC over HTTP is working OK internally.  I also have OWA working using a 
different listener (FBA).

        Whenever I try to make an external RPC connection it is failing.
I'm seeing my username shown in the ISA logs, but in the WWW logs for the 
exchange proxy server  I am seeing entries with status 401.2 and win32 error 
2148074254, so I think something is wrong with the user authentication.
from the logs (with time/date and ip info removed):

        RPC_IN_DATA /rpc/rpcproxy.dll frontend.andassoc.com:6002 443 - 
xxx.xxx.xxx.xxx MSRPC 401 2 2148074254 
        RPC_OUT_DATA /rpc/rpcproxy.dll frontend.andassoc.com:6002 443 - 
xxx.xxx.xxx.xxx MSRPC 401 2 2148074254 

        I have the RPC listener set to use basic authentication as well as the 
exchange IIS rpc virtual directory.  The RPC listener also has a certificate 
bearing the FQDN of the exchange front end server.

        Any help appreciated. This might not be an ISA issue since I seem to be 
reaching the internal Exchange proxy. 

        Jeff 


        ------------------------------------------------------
        List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
        ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
        ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
        ------------------------------------------------------
        Visit TechGenix.com for more information about our other sites:
        http://www.techgenix.com
        ------------------------------------------------------
        You are currently subscribed to this ISAserver.org Discussion List
as: tshinder@xxxxxxxxxxxxxxxxxx
        To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
        Report abuse to listadmin@xxxxxxxxxxxxx 

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
bunting@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx 

All mail to and from this domain is GFI-scanned.


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
bunting@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: 
jim@xxxxxxxxxxxx To unsubscribe visit 
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

All mail to and from this domain is GFI-scanned.



Other related posts: