RE: RPC over HTTP authentication woes

  • From: "Bunting, Jeff" <BUNTING@xxxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 17 Nov 2005 15:27:11 -0500

I'm seeing 200's in the W3SVC1 logs on the Exchange front end server. 

On the ISA server logs I see two "initiated connection" HTTPS entries from
ISA to FE.

These are immediately followed by the "allowed connection" (RPC_OUT_DATA)
and "failed connection" (RPC_IN_DATA) attempt log entries from my "RPC over
HTTP" rule.

Finally, two "Closed connection" entries for the HTTPS connections.

Then the whole thing repeats as it tries to connect again.

I'm thinking something is still screwed up with my ISA configuration; RPC
over HTTP is working internally.

Jeff

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: Thursday, November 17, 2005 11:44 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: RPC over HTTP authentication woes

http://www.ISAserver.org

..maybe - it depends on the error code. 
If you're seeing "200", then it's coming from the Exch server.

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: Bunting, Jeff [mailto:BUNTING@xxxxxxxxxxxx]
Sent: Thursday, November 17, 2005 07:50
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: RPC over HTTP authentication woes

same rule; is the data in the error code information column on the ISA logs
the value it is getting back from rpcproxy.dll? 



-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Wednesday, November 16, 2005 6:15 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: RPC over HTTP authentication woes

Unless you see different rules quoted for each, now you're troubleshooting
Exchange... 
..

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: Bunting, Jeff [mailto:BUNTING@xxxxxxxxxxxx]
Sent: Wednesday, November 16, 2005 15:12
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: RPC over HTTP authentication woes

Thanks Jim, I knew 200 was a good thing, so hoped I was making some
progress.

I'm running outlook with the rpcdiag switch on the client.  Upon launching,
Outlook prompts me for credentials and I see status of "connecting" for
the exchange proxy and the directory in the server connection status dialog.
These disappear after a little while and I get the "your exchange server is
unavailable" dialog.

On the proxy server logs, I'm seeing "Failed Connection Attempt" on the
RPC_IN_DATA queries and "Allowed Connection" on the RPC_OUT_DATA URL.  

Jeff


-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Wednesday, November 16, 2005 5:39 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: RPC over HTTP authentication woes

Er..

Result codes of "200" are success codes. 
What exactly is the client experience?
What do you find in the ISA logs for those recent tests?

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: Bunting, Jeff [mailto:BUNTING@xxxxxxxxxxxx]
Sent: Wednesday, November 16, 2005 14:32
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: RPC over HTTP authentication woes

Tom,
 
I had it set for all users.  I tried switching it to only authenticated &
forward basic authentication and did get 200 result codes in the front end
server WWW logs, but it is still failing.

Thanks,
Jeff
 
________________________________

From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Wednesday, November 16, 2005 4:50 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: RPC over HTTP authentication woes


Hi Jeff,
 
Are you forcing authentication at the ISA firewall, or does the Web
Publishing Rule allow access to "all users"?
 
Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/>
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> MVP -- ISA
Firewalls **Who is John Galt?**

 


________________________________

        From: Bunting, Jeff [mailto:BUNTING@xxxxxxxxxxxx] 
        Sent: Wednesday, November 16, 2005 3:42 PM
        To: [ISAserver.org Discussion List]
        Subject: [isalist] RPC over HTTP authentication woes
        
        

        I have ISA 2004 sitting on the outside, with rules to allow RPC over
HTTP access to the Exchange FE server.  I think this is all configured OK.
RPC over HTTP is working OK internally.  I also have OWA working using a
different listener (FBA).

        Whenever I try to make an external RPC connection it is failing.
I'm seeing my username shown in the ISA logs, but in the WWW logs for the
exchange proxy server  I am seeing entries with status 401.2 and win32 error
2148074254, so I think something is wrong with the user authentication.
from the logs (with time/date and ip info removed):

        RPC_IN_DATA /rpc/rpcproxy.dll frontend.andassoc.com:6002 443 - xxx.xxx.xxx.xxx MSRPC 401 2 2148074254
        RPC_OUT_DATA /rpc/rpcproxy.dll frontend.andassoc.com:6002 443 - xxx.xxx.xxx.xxx MSRPC 401 2 2148074254

        I have the RPC listener set to use basic authentication as well as
the exchange IIS rpc virtual directory.  The RPC listener also has a
certificate bearing the FQDN of the exchange front end server.

        Any help appreciated. This might not be an ISA issue since I seem to
be reaching the internal Exchange proxy. 

        Jeff 


        ------------------------------------------------------
        List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
        ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
        ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
        ------------------------------------------------------
        Visit TechGenix.com for more information about our other sites:
        http://www.techgenix.com
        ------------------------------------------------------
        You are currently subscribed to this ISAserver.org Discussion List
as: tshinder@xxxxxxxxxxxxxxxxxx
        To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
        Report abuse to listadmin@xxxxxxxxxxxxx 
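
Added example, not part of the original thread: a small Python parser for the W3SVC log excerpt quoted in the first post, which splits out status, sub-status and win32 status and converts the decimal win32 value to the hex form used in SSPI error listings. The field order is inferred from the excerpt, the third sample line is constructed, and the two lookup tables cover only a few well-known codes.

```python
from collections import Counter

# Column order of the excerpt in the post; the poster removed date, time and server IP.
FIELDS = ["method", "uri_stem", "uri_query", "port", "username",
          "client_ip", "user_agent", "status", "substatus", "win32"]
# IIS 401 sub-status meanings (partial table).
SUBSTATUS_401 = {1: "Logon failed", 2: "Logon failed due to server configuration",
                 3: "Unauthorized due to ACL on resource"}
# sc-win32-status is logged in decimal; SSPI errors are easier to look up in hex.
WIN32_NAMES = {0x00000000: "ERROR_SUCCESS", 0x8009030C: "SEC_E_LOGON_DENIED",
               0x8009030E: "SEC_E_NO_CREDENTIALS"}

SAMPLE = [
    "RPC_IN_DATA /rpc/rpcproxy.dll frontend.andassoc.com:6002 443 - xxx.xxx.xxx.xxx MSRPC 401 2 2148074254",
    "RPC_OUT_DATA /rpc/rpcproxy.dll frontend.andassoc.com:6002 443 - xxx.xxx.xxx.xxx MSRPC 401 2 2148074254",
    # Constructed line (not from the thread) showing an authenticated success.
    "RPC_OUT_DATA /rpc/rpcproxy.dll frontend.andassoc.com:6002 443 testuser xxx.xxx.xxx.xxx MSRPC 200 0 0",
]

def parse_line(line):
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    for key in ("port", "status", "substatus", "win32"):
        rec[key] = int(rec[key])
    return rec

def explain(rec):
    reason = SUBSTATUS_401.get(rec["substatus"], "unknown") if rec["status"] == 401 else ""
    return {
        "channel": rec["method"],
        "http": f"{rec['status']}.{rec['substatus']}",
        "reason": reason,
        "win32_hex": f"0x{rec['win32']:08X}",
        "win32_name": WIN32_NAMES.get(rec["win32"], "unknown"),
        "user": None if rec["username"] == "-" else rec["username"],  # "-" = no user logged
    }

def summarize(lines):
    """Count (channel, status.substatus) pairs so IN/OUT asymmetry stands out."""
    return Counter((e["channel"], e["http"]) for e in map(explain, map(parse_line, lines)))

if __name__ == "__main__":
    for line in SAMPLE:
        print(explain(parse_line(line)))
    print(summarize(SAMPLE))
```

For the two lines from the post this reports 401.2 with win32 status 0x8009030E (SEC_E_NO_CREDENTIALS) and no logged user on both the RPC_IN_DATA and RPC_OUT_DATA channels.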


All mail to and from this domain is GFI-scanned.
