[isalist] Re: RPC over HTTP (Almost there...)

  • From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Sun, 25 Jun 2006 23:52:12 +0200

Hi Tom, 
 
it is documented in
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/tscerts.mspx:
 
I am publishing remote procedure call (RPC) over HTTP and getting the error:
500 Internal Server Error - The target principal name is incorrect, even
though the name in the client request matches the name of the certificate on
the ISA Server computer.
 
When you create a new Outlook profile, on the Connection tab of Exchange
Server Settings, you click Exchange Proxy Settings to specify RPC over HTTP
settings. In Use this URL to connect to my proxy server for Exchange, ensure
that you have typed the same name that appears on the certificate. Select
Mutually authenticate the session when connecting with SSL, and then in
Principal name for proxy server, again type the name that appears on the
common name of the certificate. For example, if the common name is the FQDN
used by clients to reach the site, you will type it in the form msstd:common
name. 

If this error occurs and you are using a wildcard certificate, ensure that
the Principal name for proxy server Outlook setting is defined as
msstd:*.domain.com, and not server.domain.com. 

HTH, 
Stefaan
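
The two name checks the TechNet note above describes, modelled as an added example (this is not code from the thread or from Microsoft): the ordinary TLS server-name check that ISA's listener certificate passes, and Outlook's literal "Principal name for proxy server" comparison, which does not expand the wildcard. The case-insensitive comparison in the msstd check is an assumption; the host and certificate names are the ones from the thread.

```python
MSSTD_PREFIX = "msstd:"


def tls_hostname_matches(requested_host, cert_cn):
    """Ordinary TLS server-name check: a leading '*.' label in the certificate
    common name matches exactly one host label (owa.companyname.biz is covered
    by *.companyname.biz, a.b.companyname.biz is not)."""
    host = requested_host.lower()
    cn = cert_cn.lower()
    if cn.startswith("*."):
        labels = host.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == cn[2:]
    return host == cn


def outlook_principal_matches(principal_name, cert_cn):
    """Outlook's 'Mutually authenticate the session when connecting with SSL'
    check: the text after 'msstd:' must equal the certificate common name
    character for character; a '*' in the CN is NOT treated as a wildcard.
    Assumption: the comparison ignores letter case, as DNS names do."""
    if not principal_name.lower().startswith(MSSTD_PREFIX):
        return False
    return principal_name[len(MSSTD_PREFIX):].lower() == cert_cn.lower()


def recommended_principal_name(cert_cn):
    """The value to type in Exchange Proxy Settings for a given listener CN."""
    return MSSTD_PREFIX + cert_cn


def diagnose(proxy_url_host, principal_name, cert_cn):
    """Return a list of configuration problems; empty when the profile is
    consistent with the certificate bound to the ISA Web listener."""
    problems = []
    if not tls_hostname_matches(proxy_url_host, cert_cn):
        problems.append("proxy URL host %r is not covered by certificate CN %r"
                        % (proxy_url_host, cert_cn))
    if not outlook_principal_matches(principal_name, cert_cn):
        problems.append("principal name %r does not equal certificate CN %r; "
                        "use %r instead"
                        % (principal_name, cert_cn,
                           recommended_principal_name(cert_cn)))
    return problems


if __name__ == "__main__":
    # Wildcard listener cert with the server name typed as principal: the
    # TLS check passes but Outlook's mutual-auth check fails.
    for p in diagnose("owa.companyname.biz", "msstd:owa.companyname.biz",
                      "*.companyname.biz"):
        print(p)
```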

  _____  

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Thomas W Shinder
Sent: zondag 25 juni 2006 23:17
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: RPC over HTTP (Almost there...)


You'll need to use different listeners for the RPC/HTTP Web Publishing Rule
and the other Web sites, if Outlook 2003 doesn't like wildcard certs (which
is something I didn't know about before)
 
Thomas W Shinder, M.D.
Site: http://www.isaserver.org/
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 


  _____  

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Tom Rogers
Sent: Sunday, June 25, 2006 3:44 PM
To: isalist@xxxxxxxxxxxxx
Subject: RE: [isalist] Re: RPC over HTTP (Almost there...)


So if that's the case, the only thing we can publish securely via ISA 2004
is RPC over HTTP / OWA. I need to publish websites from other servers as
well.
 
-TRogers
 

  _____  

From: isalist-bounce@xxxxxxxxxxxxx on behalf of Stefaan Pouseele
Sent: Sun 6/25/2006 11:44 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: RPC over HTTP (Almost there...)


Hi Tom, 
 
Outlook 2003 does *not* support wildcard certificates for RPC over HTTPS.
So, to solve that problem either use a normal certificate or make sure you
specify '*.companyname.biz' as FQDN in the 'Principal name for proxy server'
(msstd:*.companyname.biz) in the Outlook 2003 Exchange Proxy Settings. 
 
HTH, 
Stefaan

  _____  

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Tom Rogers
Sent: zondag 25 juni 2006 17:34
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: RPC over HTTP (Almost there...)


 

  _____  

From: isalist-bounce@xxxxxxxxxxxxx on behalf of Thomas W Shinder
Sent: Sun 6/25/2006 10:06 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: RPC over HTTP (Almost there...)


>Hi Tom,
 
>OK, 
 
> 1. What is the ACTUAL common/subject name on the Web site certificate
bound to the Web listener?
*.companyname.biz
 
>2. What is the ACTUAL common/subject name on the Exchange Web site?
owa.companyname.biz
 
>3. What is the ACTUAL name on the Public Name tab?
owa.companyname.com
 
>4. What is the ACTUAL name on the To tab?
owa.companyname.com
 
Thomas W Shinder, M.D.
Site: http://www.isaserver.org/
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 


  _____  

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Tom Rogers
Sent: Sunday, June 25, 2006 12:32 AM
To: isalist@xxxxxxxxxxxxx
Subject: RE: [isalist] RPC over HTTP (Almost there...)


I ran a filter on the ISA monitoring for the OWA rule. This is what happens
when I tried to authenticate 3 times...
 
Original Client IP Client Agent Authenticated Client Service Server Name
Referring Server Destination Host Name Transport MIME Type Object Source
Source Proxy Destination Proxy Bidirectional Client Host Name Filter
Information Network Interface Raw IP Header Raw Payload Source Port
Processing Time Bytes Sent Bytes Received Result Code HTTP Status Code Cache
Information Error Information Log Record Type Log Time Destination IP
Destination Port Protocol Action Rule Client IP Client Username Source
Network Destination Network HTTP Method URL

0.0.0.0 MSRPC No Reverse Proxy SPISA  owa.companyname.biz TCP text/html
Internet - -  - Compression: client=No, server=No, cache=No, compress
rate=0% decompress rate=0% - - - 0 312 0 326  10054  0x4000008 0xc02 Web
Proxy Filter 06/25/2006 1:21:46 AM 192.168.1.5 443 https Failed Connection
Attempt companyname OWA 74.67.214.74 anonymous External  RPC_IN_DATA
<http://owa.companyname.biz:443/rpc/rpcproxy.dll?owa.companyname.biz:6002>
http://OWA.companyname.BIZ:443/rpc/rpcproxy.dll?owa.companyname.biz:6002

0.0.0.0 MSRPC No Reverse Proxy SPISA  owa.companyname.biz TCP text/html
Internet - -  - Compression: client=No, server=No, cache=No, compress
rate=0% decompress rate=0% - - - 0 1 1933 306  401  0x44000008 0xc00 Web
Proxy Filter 06/25/2006 1:21:49 AM 192.168.1.5 443 https Allowed Connection
companyname OWA 74.67.214.74 anonymous External  RPC_IN_DATA
<http://owa.companyname.biz:443/rpc/rpcproxy.dll?owa.companyname.biz:6002>
http://OWA.companyname.BIZ:443/rpc/rpcproxy.dll?owa.companyname.biz:6002

0.0.0.0 MSRPC No Reverse Proxy SPISA  owa.companyname.biz TCP text/html
Internet - -  - Compression: client=No, server=No, cache=No, compress
rate=0% decompress rate=0% - - - 0 1 1933 307  401  0x44000008 0xc00 Web
Proxy Filter 06/25/2006 1:21:49 AM 192.168.1.5 443 https Allowed Connection
companyname OWA 74.67.214.74 anonymous External  RPC_OUT_DATA
<http://owa.companyname.biz:443/rpc/rpcproxy.dll?owa.companyname.biz:6002>
http://OWA.companyname.BIZ:443/rpc/rpcproxy.dll?owa.companyname.biz:6002

0.0.0.0 MSRPC No Reverse Proxy SPISA  owa.companyname.biz TCP text/html
Internet - -  - Compression: client=No, server=No, cache=No, compress
rate=0% decompress rate=0% - - - 0 15 1933 306  401  0x44000008 0xc00 Web
Proxy Filter 06/25/2006 1:21:52 AM 192.168.1.5 443 https Allowed Connection
companyname OWA 74.67.214.74 anonymous External  RPC_IN_DATA
<http://owa.companyname.biz:443/rpc/rpcproxy.dll?owa.companyname.biz:6002>
http://OWA.companyname.BIZ:443/rpc/rpcproxy.dll?owa.companyname.biz:6002

0.0.0.0 MSRPC No Reverse Proxy SPISA  owa.companyname.biz TCP text/html
Internet - -  - Compression: client=No, server=No, cache=No, compress
rate=0% decompress rate=0% - - - 0 1 0 307  10054  0x4000008 0xc02 Web Proxy
Filter 06/25/2006 1:21:52 AM 192.168.1.5 443 https Failed Connection Attempt
companyname OWA 74.67.214.74 anonymous External  RPC_OUT_DATA
<http://owa.companyname.biz:443/rpc/rpcproxy.dll?owa.companyname.biz:6002>
http://OWA.companyname.BIZ:443/rpc/rpcproxy.dll?owa.companyname.biz:6002

0.0.0.0 MSRPC No Reverse Proxy SPISA  owa.companyname.biz TCP text/html
Internet - -  - Compression: client=No, server=No, cache=No, compress
rate=0% decompress rate=0% - - - 0 1 1933 306  401  0x44000008 0xc00 Web
Proxy Filter 06/25/2006 1:22:00 AM 192.168.1.5 443 https Allowed Connection
companyname OWA 74.67.214.74 anonymous External  RPC_IN_DATA
<http://owa.companyname.biz:443/rpc/rpcproxy.dll?owa.companyname.biz:6002>
http://OWA.companyname.BIZ:443/rpc/rpcproxy.dll?owa.companyname.biz:6002

0.0.0.0 MSRPC No Reverse Proxy SPISA  owa.companyname.biz TCP text/html
Internet - -  - Compression: client=No, server=No, cache=No, compress
rate=0% decompress rate=0% - - - 0 1 1933 307  401  0x44000008 0xc00 Web
Proxy Filter 06/25/2006 1:22:00 AM 192.168.1.5 443 https Allowed Connection
companyname OWA 74.67.214.74 anonymous External  RPC_OUT_DATA
<http://owa.companyname.biz:443/rpc/rpcproxy.dll?owa.companyname.biz:6002>
http://OWA.companyname.BIZ:443/rpc/rpcproxy.dll?owa.companyname.biz:6002

0.0.0.0 MSRPC No Reverse Proxy SPISA  owa.companyname.biz TCP text/html
Internet - -  - Compression: client=No, server=No, cache=No, compress
rate=0% decompress rate=0% - - - 0 1 1933 306  401  0x44000008 0xc00 Web
Proxy Filter 06/25/2006 1:22:03 AM 192.168.1.5 443 https Allowed Connection
companyname OWA 74.67.214.74 anonymous External  RPC_IN_DATA
<http://owa.companyname.biz:443/rpc/rpcproxy.dll?owa.companyname.biz:6002>
http://OWA.companyname.BIZ:443/rpc/rpcproxy.dll?owa.companyname.biz:6002

0.0.0.0 MSRPC No Reverse Proxy SPISA  owa.companyname.biz TCP text/html
Internet - -  - Compression: client=No, server=No, cache=No, compress
rate=0% decompress rate=0% - - - 0 156 1933 327  401  0x44000008 0xc00 Web
Proxy Filter 06/25/2006 1:21:46 AM 192.168.1.5 443 https Allowed Connection
companyname OWA 74.67.214.74 anonymous External  RPC_OUT_DATA
<http://owa.companyname.biz:443/rpc/rpcproxy.dll?owa.companyname.biz:6002>
http://OWA.companyname.BIZ:443/rpc/rpcproxy.dll?owa.companyname.biz:6002

0.0.0.0 MSRPC No Reverse Proxy SPISA  owa.companyname.biz TCP text/html
Internet - -  - Compression: client=No, server=No, cache=No, compress
rate=0% decompress rate=0% - - - 0 1 0 307  10054  0x4000008 0xc02 Web Proxy
Filter 06/25/2006 1:22:03 AM 192.168.1.5 443 https Failed Connection Attempt
companyname OWA 74.67.214.74 anonymous External  RPC_OUT_DATA
<http://owa.companyname.biz:443/rpc/rpcproxy.dll?owa.companyname.biz:6002>
http://OWA.companyname.BIZ:443/rpc/rpcproxy.dll?owa.companyname.biz:6002

-TRogers

 
  _____  

From: isalist-bounce@xxxxxxxxxxxxx on behalf of Jim Harrison
Sent: Sat 6/24/2006 9:04 PM
To: isalist@xxxxxxxxxxxxx
Subject: RE: [isalist] RPC over HTTP (Almost there...)


Don't
Do 
It
<period>
It's a disaster waiting to happen.
 
What's in the ISA logs for those attempts?
What's in the IIS logs for those attempts?
How did you create the OWA pub rule; manually or via the Exch publishing
weirdzard?
 
BTW, I reviewed the case logs and spoke with the engineer you worked with.
At no time was there any mention of making your Exch server a DC/GC.

  _____  

From: isalist-bounce@xxxxxxxxxxxxx on behalf of Tom Rogers
Sent: Sat 6/24/2006 5:29 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] RPC over HTTP (Almost there...)


I think I am so close to having this work that I can taste it....anyway, my
Outlook 2003 SP2 client (on Win XP Pro SP2) keeps asking for user
credentials - I can type them in a hundred times (not that I did), but it
keeps asking for my login credentials.
 
My RPC Proxy is set for ONLY Basic Authentication also. Any ideas?
Everything is set up according to all the docs you all have sent me. The only
thing that I have not tried yet is to make my Exch box a DC/GC. That is
next if no solution now.
 
And I know you all said this is a BAD idea (Exch box as DC/GC), but I have
seen documentation from Microsoft AND Tom Shinder's documentation (his lab
example - although he does point out it is not recommended).
 
TIA,
 
-TRogers
 
