Categories: Microsoft

Exchange RPC over HTTP problem with TMG

Issue:

When you try to setup your Outlook with Exchange account, you get the below issue.

Note:

  • In this scenario I’m using windows signed certificate for exchange but I have the CA installed on Client side.
  • Client is not joined to the domain.
  • Client is not on VPN.

Symptoms:

Outlook 2010/2013 keeps prompting you for credentials even though you entered them correctly several times.

And when cancelling you receive that “The action couldn’t be completed. The connection to Exchange is unavailable”.

Investigation:

Let’s test our autodiscover and see what’s wrong.

I will first go to www.testexchangeconnectivity.com and test the autodiscover

Now testing Autodiscover have resulted positively.

There’s no need to test RPC over HTTP when using a windows/self-signed certificate as it won’t result positive anyway

Next let’s check TMG’s configuration.

Every rule that involves RPC should be checked in order to make sure that your Publishing configuration is correct.

RPC Server should be pointing internally to your Exchange server and externally to your mail.domain.com External IP Address.

Although when you use TMG’s wizard to publish Exchange TMG does everything for you but still you need to check if it’s the right configuration.

This is my autodiscover rule configuration’s paths and RPC is also included there.

Testing rule seems to result positive for all the published paths.

Let’s try testing the following link and see if it authenticate. The RPCproxy is required for outlook clients to be configured properly

Outlook client tries to connect to the below link after finding the autodiscover settings

https://autodiscover.demotesas.com/rpc/rpcproxy.dll

If you type your credentials, it most likely won’t connect and will keep prompting or will probably say that request is invalid!

Resolution:

What if we changed the RPC path from autodiscover to mail.demotesas.com? The authentication method might be the problem in this case as I am using a total different authentication methods for the mail and for autodiscover rules.

Once we publish the rule, we will have to check the result of the following link

https://mail.demotesas.com/rpc/rpcproxy.dll

The site will mostly be accessed without any issues.

Now we can test our Outlook client setup and see if it will go well without any issues!

The problem was related to the RPCproxy.dll was not being set on the right rule and on the appropriate domain.

It should be on the mail.domain.com with the same authentication delegation.

moh10ly

Leave a Comment
Share
Published by
moh10ly
4 years ago

Recent Posts

Reset passwords for Active Directory Users

Reset and manage your Active Directory users' Passwords Active Directory is one of the most…

1 year ago

Finding Exchange Database hidden mailboxes. ​

Finding Exchange Database hidden mailboxes. Story:Maybe you have been in this situation before, trying to…

1 year ago

Setting up ADConnect and PTA (Password auth through) servers agents behind proxy

If you're using a Proxy server in your firewall or in your network and have…

1 year ago

Get Report of Active Directory Locked Accounts and Machine they logged in from

Story:I got some clients  that have reported some of their users being locked out and…

1 year ago

Checking and Providing Full and SendAs delegate access on O365 Exchange Online

Delegate Permissions This is a code that I have wrote recently to check if an…

1 year ago

Retrieving attachments from Exchange mailbox using python

Story: I got a request from a client who constantly gets CVs and have to…

2 years ago