Document: Module 2: Troubleshooting Remote Procedure Call (RPC) Over HTTP pptx


Contents

Module 2: Troubleshooting Remote Procedure Call (RPC) Over HTTP

Introducing RPC over HTTP
Pre-Requisites for RPC/HTTP
RPC over HTTP Setup
Using RpcHttp_Setup.vbs
The RPC Virtual Directory in IIS
Troubleshooting Server Configuration
Client Registry Keys
Troubleshooting Client-Server Connectivity
Certificates and client problems
Troubleshooting with RPCPing
Lab 2.1: Troubleshooting RPC over HTTP
Appendix A - RPCPing
Appendix B – Registry Values
Appendix C – Useful Weblinks

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2003 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows NT, Microsoft® Exchange Server 2003, Microsoft® Internet Explorer, Microsoft® Internet Security and Acceleration Server, Microsoft® Internet Server Application Programming
Interface, Microsoft® Outlook® 2003, Microsoft® Proxy Server, Microsoft® Windows® 2000, Microsoft® Windows® 2003, Microsoft® Windows® Management Instrumentation, and Microsoft® Windows® XP are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Introducing RPC over HTTP

RPC over HTTP enables client programs to use the Internet to execute procedures provided by server programs on distant networks. RPC over HTTP tunnels its calls through an established HTTP port. Thus, its calls can cross network firewalls on both the client and server networks.

RPC over HTTP routes its calls to the RPCProxy located on the RPC server's network. The RPCProxy establishes and maintains a connection to the RPC server. It serves as a proxy, dispatching remote procedure calls to the RPC server and sending the server's replies back across the Internet to the client application. This process is illustrated in the following diagram.

The diagram shows a firewall on the client application's network. This is not required for RPC over HTTP to operate. However, if the client network does have a firewall, it will also need a proxy server program such as Microsoft® Proxy Server.

When the client program issues a remote procedure call using HTTP as the transport, the RPC run-time library on the client contacts the RPCProxy. Depending on whether the RPC client was asked to use HTTP or HTTPS (HTTP with Secure Sockets Layer [SSL]), port 80 or port 443 is used, respectively. The RPCProxy contacts the RPC server program and establishes a TCP/IP connection. The client and the RPCProxy maintain their HTTP or HTTPS connection across the Internet. The client's HTTP or HTTPS connection to the RPCProxy can pass through a firewall
(subject to appropriate access permissions) if one is present. The server can then execute the remote procedure call and use the connection through the RPCProxy to reply to the client.

The RPCProxy is a Microsoft® Internet Server Application Programming Interface (ISAPI) extension running in the context of Microsoft Internet Information Services (IIS). If either the client or the server disconnects for any reason, the RPCProxy will detect it and end the RPC session. As long as the session continues, the RPCProxy will maintain its connections to the client and the server. It will forward remote procedure calls from the client to the server, and send replies from the server to the client.

The RPC client program can tunnel its RPC calls through the Internet by creating a string binding of the form:

    [object_uuid@]ncacn_http:rpc_server[endpoint,HttpProxy=proxy_server:http_port,RpcProxy=rpc_proxy:rpc_port]

Where:

object_uuid specifies an RPC object UUID. For more information, see Generating Interface UUIDs and String UUID.

ncacn_http selects the protocol sequence specification for RPC over HTTP. For more information, see Protocol Sequence Constants and String Binding.

rpc_server is the network address of the computer that is executing the RPC server process. The server address must be specified in a form visible and understandable by the RPCProxy computer, not by the client. Since the client does not connect directly to the server, it does not need to be able to resolve the name of the server, or establish a connection to it. The RPCProxy will establish the connection on the client’s behalf, and therefore, rpc_server must be a name recognizable by the RPCProxy.

endpoint specifies the TCP/IP port that the RPC server process listens to for remote procedure calls. For more information, see Finding Endpoints.

HttpProxy optionally specifies an HTTP proxy server on the RPC client's network, such as Microsoft Proxy Server. If a
proxy server is selected and no port number is specified, the RPC stub uses port 80 by default if SSL is not requested, and port 443 if SSL is specified.

RPCProxy specifies the address and port number of the IIS computer that acts as a proxy to the RPC server. You only need to specify this if the RPC server process resides on a different computer than the RPCProxy. If you do not specify a port number, the RPC client stub by default uses port 80 if SSL is not specified, and uses port 443 if SSL (HTTPS) is specified.

For more information on creating string bindings, see Binding and Handles.

The RPC server program can accept tunneled RPC calls by listening on the ncacn_http protocol sequence.

Versions

Microsoft has two major implementations of RPC over HTTP: Version 1 and Version 2. Version 1 (called RPC over HTTP v1) is supported through Microsoft® Windows® XP. Version 1 of the RPCProxy is supported through Microsoft® Windows® 2000. Version 2 (called RPC over HTTP v2) is the current version. The two versions have different capabilities and limited interoperability. A summary of the differences is provided here. For interoperability considerations, see System Requirements and Interoperability for RPC over HTTP.

RPC over HTTP v1 requires SSL Tunneling to be enabled on all HTTP proxies/firewalls between the RPC over HTTP client and the RPCProxy. RPC over HTTP v2 has no such requirement.

RPC over HTTP v1 cannot establish an SSL session to the RPCProxy. RPC over HTTP v2 can send all RPC over HTTP traffic within an SSL session; by default v2 requires the data be sent within an SSL session.

RPC over HTTP v1 cannot authenticate to the RPCProxy. RPC over HTTP v2 can authenticate; by default v2 requires authentication to the RPCProxy.

RPCProxy v1 does not operate correctly when the IIS machine on which it is installed is part of a web farm. RPCProxy v2 operates properly when the IIS machine on which it is installed is part of a web farm.

Note: If
Microsoft® Internet Explorer is installed on the client program's computer and your client does not specify an HttpProxy in its string binding, the RPC client stub will search the registry on the client computer for an HttpProxy entry. If it finds one, it will use the proxy specified in the registry entry.

Suppose, for instance, your client program needs to connect across the Internet to an RPC server on a computer called Server7.microsoft.com. Further, suppose that the RPCProxy runs on Major7.microsoft.com. The RPC server program listens to port 2225. Your client would use the string binding:

    ncacn_http:Server7.microsoft.com[2225,RpcProxy=Major7.microsoft.com]

If the RPCProxy can resolve the server name as Server7, without requiring a fully qualified domain name, you can also specify:

    ncacn_http:Server7[2225,RpcProxy=Major7.microsoft.com]

If the client network uses a firewall and an Internet proxy server called myproxy, and Internet Explorer on the client is not configured to use that proxy, you would need to modify the client's string binding to:

    ncacn_http:Server7.microsoft.com[,HttpProxy=myproxy:80,RpcProxy=Major7.microsoft.com:80]

This directs the client to connect to the RPC server program on Server7.microsoft.com. To do this, the client will first use port 80 (or port 443 if SSL is used) to connect to myproxy. This will give the client program access to the Internet. Using the Internet, the client program next connects to the RPCProxy on Major7.microsoft.com. The RPCProxy will establish a connection to the RPC server program running on Server7.microsoft.com.

The vast majority of computers today are configured for Web browsing. Therefore, most clients do not need to specify the HttpProxy, because it will be pulled from Internet connectivity settings.

The following subjects will be examined, as well as methods to successfully determine the fault(s) if it does not work as expected:

Prerequisites required for successful deployment
Installation and configuration of the
RPCProxy Server Service
Configuration of the Exchange 2003 Server components
Deploying RPC over HTTP with Microsoft® Internet Security and Acceleration Server (ISA) Server
Using RPCPing to identify source of the problem(s)

Pre-Requisites for RPC/HTTP

Client-side

Microsoft® Outlook® 2003
Windows XP with Service Pack 1 + Q331320

RPC over HTTP requires the QFE referenced in Q331320 installed on the client workstation. This fix will be included in Windows XP Service Pack 2.

Ensure %windir%\system32\RPCRT4.DLL is 5.1.2600.1142 or above. This and later builds address an apparent delay in the client. This problem is more noticeable when connecting via a slow network link and the "Bypass proxy server for local addresses" check box is selected in the Microsoft Internet Explorer options and the HTTP connection to Microsoft® Exchange Server 2003 can be made through the HTTP proxy server on the network to which you are connected. Outlook 2003 has issued a local RPC call that is waiting for a remote RPC call to complete.

Note: After installing the fix the client will need to be rebooted.

Server-side

Exchange 2003 on Microsoft® Windows® 2003 for FE (if FE is deployed)
Exchange 2003 on Windows 2003 for BE
Exchange 2003 on Windows 2003 for Public Folders
Exchange 2003 on Windows 2003 for System Folders
Windows 2003 for global catalog server(s)
Windows 2003 for RPCProxy

The NSPI interface protocol sequences parameter needs to be added to the registry on ALL Windows 2003 global catalogs. This is a manual entry not configured by RpcHttp_Setup.vbs; the contents of the correct reg file are included in Appendix B.

RPC over HTTP Setup

Exchange Server Registry

The RPCProxy server, the server with the RPCProxy protocol installed, must be a Windows
2003 server. However, it does not have to have any Exchange components installed. Many will choose to have their front-end servers act as the RPCProxy server because this will eliminate hardware and administrative costs. The RPCProxy protocol will work installed on an ISA server as well.

Exchange 2003 server adds the following registry entries to every Windows 2003 server on which it is installed. These registry entries determine the ports that RPCProxy will use. The installation sets a fixed port for the protocol and this reduces security risks with regard to TCP port control.

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
    Parameter: Rpc/HTTP Port
    Type: REG_DWORD
    Value: 0x1771 (Decimal: 6001)

And then for the System Attendant:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeSA\Parameters
    Parameter: Rpc/HTTP NSPI Port
    Type: REG_DWORD
    Value: 0x1774 (Decimal: 6004)

From the above illustration, an incorrect URL is entered: https://rpcproxy.mycompanycom. It should be: https://rpcproxy.mycompany.com

If https://rpcproxy.mycompanycom was entered into Internet Explorer, a 11004 error would be displayed in the window as follows:

If we were to enter the correct URL for the RPCProxy Server, then an HTTP Error 403.2 should be displayed:

This is a positive sign, as we know that IIS on the RPCProxy Server is functioning and that the RPC Virtual Directory is being accessed. IIS is stating that you don’t have read permissions against the virtual directory, but are in fact trying to access it.

It is important that we see the HTTP Error 403.2 from the same client that we are trying to connect Outlook 2003 to Exchange 2003 via the RPCProxy server.

It is quite hard to distinguish a machine without a Web Server installed from a machine that is down or non-existent. Fortunately, the presence or absence of a Web
Server can be easily established by checking the configuration on the server, so usually this step is not problematic.

Certificates and client problems

Configuring and publishing Certificates to servers is out of the scope of this document. See the following article for more information:

http://support.microsoft.com/?id=281106

However, the following points must be taken on board.

In order for the client machine to successfully use SSL, the client’s certificate must be validated. This step is only needed when the RPC/HTTP client has requested an SSL/Transport Layer Security (TLS) connection to the RPCProxy. However, note that using SSL/TLS for RPC/HTTP is a recommended security practice and it is likely that most applications will ask RPC/HTTP to perform this step.

In order for this step to succeed, the server must send a valid, not expired certificate issued by a trusted certification authority. In RPC/HTTP, there are two most common ways that this step fails: the RPC/HTTP client does not recognize the certification authority that issues the certificate, or it does not recognize the certificate itself. Both causes exhibit a common symptom: when you run RPCPing against the RPCProxy server you will see error 12175 (ERROR_WINHTTP_SECURE_FAILURE). If you were to point IE to an HTTPS resource on this server, you will get somewhat more verbose information. Note that since the SSL connection happens before any resource is retrieved, you can check the validity of the server certificate by browsing any virtual directory.

Troubleshooting with RPCPing

Pinging just the Backend Server (note the "-E -R none" is not required)

    rpcping -t ncacn_http -s Exchsrvr -o RPCProxy=RPCProxyServer -P "user,domain,password" -I "user,domain,password" -H -u 10 -a connect -F v3

    RPCPing v2.12 Copyright (C) Microsoft Corporation, 2002
    OS Version is: 5.1, Service Pack 1, QFE Q331320 present
    Completed calls in 610 ms
    T/S or 610.000 ms/T

Pinging the Store Endpoint

    rpcping -t ncacn_http -s ExchServer -o RPCProxy=RPCProxyServer -P "user,domain,password" -I "user,domain,password" -H -u 10 -a connect -F v -f a4f1db00-ca47-1067-b31f-00dd010662da,0

    RPCPing v2.12 Copyright (C) Microsoft Corporation, 2002
    OS Version is: 5.1, Service Pack 1, QFE Q331320 present
    Trying to resolve interface A4F1DB00-CA47-1067-B31F0DD1662DA, Version: 0.0
    Completed calls in 190 ms
    T/S or 190.000 ms/T

Further troubleshooting:

Error "Exception (0x00000005)":

    RPCPing v2.12 Copyright (C) Microsoft Corporation, 2002
    OS Version is: 5.1, Service Pack 1, QFE Q331320 present
    Exception (0x00000005)

    rpcping -t ncacn_http -s ExchServer -o RPCProxy=RPCProxyServer -P "user,domain,password" -I "user,domain,password" -H -u 10 -a connect -F -v

We get this error when the -I (alternative identity) has incorrect password credentials. The same error is true when we prompt (*) for a password, e.g.: "user,domain,*"

Error "RpcBindingSetAuthInfoExA failed - 14 (0000000e)":

    RPCPing v2.12 Copyright (C) Microsoft Corporation, 2002
    OS Version is: 5.1, Service Pack 1, QFE Q331320 present
    RpcBindingSetAuthInfoExA failed - 14 (0000000e)

    rpcping -t ncacn_http -s ExchServer -o RPCProxy=RPCProxyServer -P "user,Domain,password" -I "user,domain,password" -H -u 10 -a connect -F -v -f a4f1db00-ca47-1067-b31f-00dd010662da,0

We get this error when the -P Auth identity does not include a password.

Using RPCPing from the same domain with SSL enabled

By same domain I mean running RPCPing on a client that is currently in the same domain as the RPCProxy server.

Note: We are not using the -I option.

Pinging just the RPCProxy Server (-E -R none)

    rpcping -t ncacn_http -s ExchServer -o RPCProxy=RPCProxyServer -P "user,domain,password" -H -u 10 -a connect -F -v -E -R none

    RPCPing v2.12 Copyright (C) Microsoft Corporation, 2002
    OS Version is: 5.2
    RPCPinging proxy server ExchServer with Echo Request Packet
    Sending ping to server
    Response from server received: 200
    Pinging successfully completed in 501 ms

Pinging just the Backend Server (note the "-E -R none" is not required)

    rpcping -t ncacn_http -s ExchServer -o RPCProxy=RPCProxyServer -P "user,domain,password" -H -u 10 -a connect -F -v

    RPCPing v2.12 Copyright (C) Microsoft Corporation, 2002
    OS Version is: 5.2
    Completed calls in 560 ms
    T/S or 560.000 ms/T

Pinging the Store Endpoint

    rpcping -t ncacn_http -s ExchServer -o RPCProxy=RPCProxyServer -P "user,domain,password" -H -u 10 -a connect -F -v -f a4f1db00-ca47-1067-b31f-00dd010662da,0

    RPCPing v2.12 Copyright (C) Microsoft Corporation, 2002
    OS Version is: 5.2
    Trying to resolve interface A4F1DB00-CA47-1067-B31F0DD1662DA, Version: 0.0
    Completed calls in 151 ms
    T/S or 151.000 ms/T

Troubleshooting any errors:

All of the following errors have been because of incorrect passwords being entered into the command line.

Error: RpcEpResolveBinding failed - (00000005)

    rpcping -t ncacn_http -s ExchServer -o RPCProxy=RPCProxyServer -P "user,domain,password" -H -u 10 -a connect -F -v -f a4f1db00-ca47-1067-b31f-00dd010662da,0

    RPCPing v2.12 Copyright (C) Microsoft Corporation, 2002
    OS Version is: 5.2
    Trying to resolve interface A4F1DB00-CA47-1067-B31F0DD1662DA, Version: 0.0
    RpcEpResolveBinding failed - (00000005)

Error: Exception (0x00000005)

    rpcping -t ncacn_http -s ExchServer -o RPCProxy=RPCProxyServer -P "user,domain,password" -H -u 10 -a connect -F -v

    RPCPing v2.12 Copyright (C) Microsoft Corporation, 2002
    OS Version is: 5.2
    Exception (0x00000005)

Error: Response from server received: 401

    rpcping -t ncacn_http -s ExchServer -o RPCProxy=RPCProxyServer -P "user,domain,password" -H -u 10 -a connect -F -v -E -R none

    RPCPing v2.12 Copyright (C) Microsoft Corporation, 2002
    OS Version is: 5.2
    RPCPinging proxy server Bajlab03 with Echo Request Packet
    Sending ping to server
    Response from server received: 401
    Client is not authorized to ping ‘rpcproxy’
    Ping failed

Further Client Settings:

In order to make sure that OL uses HTTP as the preferred connection, it is possible to add the following registry key on the client to prevent RPC fallback:

    HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\RPC

Add the DWORD: DisableRpcTcpFallBack and set the value to

Using RPCPing from a different domain without SSL enabled

It is very unlikely that customers will be using RPC/HTTP over the Internet without having SSL configured. When Exchange 2003 server is first installed the RPC/HTTP proxy and FE server are required to use SSL. If after exhaustive troubleshooting with SSL enabled, Netmon traces along with the EMSMDB32.dll trace information are required, it is possible to disable the SSL requirement.

Using RPCPing from a different domain with SSL enabled

Note the difference in the values for the -H and -F variables.

-H Controls Basic or NTLM authentication, = basic, = ntlm
-F Controls using SSL or non SSL, = nonssl, = ssl

Pinging just the RPCProxy Server (-E -R none)

    rpcping -t ncacn_http -s ExchServer -o RPCProxy=RPCProxyServer -P "user,domain,*" -I "user,domain,*" -H -u 10 -a connect -F -v -E -R none

    RPCPing v2.12 Copyright (C) Microsoft Corporation, 2002
    OS Version is: 5.1, Service Pack 1, QFE Q331320 present
    Enter password for server:
    Enter password for RPC/HTTP proxy:
    RPCPinging proxy server ExchServer with Echo Request Packet
    Sending ping to server
    Response from server received: 200
    Pinging successfully completed in 431 ms

You can also use the following command line so credentials are passed through automatically:

    rpcping -t ncacn_http -s ExchServer -o RPCProxy=RPCProxyServer -P "user,domain,password" -I "user,domain,password" -H -u 10 -a connect -F v -E -R none

    RPCPing v2.12 Copyright (C) Microsoft Corporation, 2002
    OS Version is: 5.1, Service Pack 1, QFE Q331320 present
    RPCPinging proxy server ExchServer with Echo Request Packet
    Sending ping to server
    Response from server received: 200
    Pinging successfully completed in 461 ms

If any of the credentials are incorrect we get the following error:

    RPCPing v2.12 Copyright (C) Microsoft Corporation, 2002
    OS Version is: 5.1, Service Pack 1, QFE Q331320 present
    RPCPinging proxy server ExchServer with Echo Request Packet
    Sending ping to server
    Response from server received: 401
    Client is not authorized to ping ‘rpcproxy’
    Ping failed

Lab 2.1: Troubleshooting RPC over HTTP

Instructor:

Default document for Rpc virtual directory in IIS has been disabled; IIS – Web Sites - Default Web Site - Rpc – Properties – Documents
All authentication methods have been removed from the Rpc virtual directory; Directory Security – Authentication and access control
IIS Configuration mapping to point to other than %windir%\system32\rpcproxy
No certificate is installed on the Default Web Server
Open browser on mbx-fe
Browse to http://allnone/certsrv
Select to make a new certificate
Choose 512kb key
Use FQDN of RPCProxy server (mbx-fe)
RPCPing will fail until the browser has had the root certificate added to the local certificate store in the Trusted Root Authorities in IIS

Exercise

This lab may require more than the basic installation and/or configuration of the various components that make RPC over HTTP work. Some default capabilities of the server have been broken and you will need to restore basic functionality to complete the lab. However, there is nothing broken that is not covered in this document.

Verify that all necessary files and directories required for RPC over HTTP exist
Verify and/or configure IIS to support RPC over HTTP
Use RPCPing to confirm your server will support RPC over HTTP
Configure Outlook 2003 client to connect to administrator mailbox

Appendix A - RPCPing

RPCPing Command Line Help

Usage:

    rpcping [-t ] [-s ] [-e | -f [,MajorVer]] [-u ] [-a ] [-i ] [-l [-p]] [-r ] [-v ] [-N ] [-I ] [-C ] [-T ] [-M ] [-S ] [-P ] [-F ] [-H ] [-o ] [-B ] [-b] [-E] [-q]

This command pings a server using RPC. Options are:

-t - protocol sequence to use. Can be one of the standard RPC protocol sequences - ncacn_ip_tcp, ncacn_np, ncacn_http, etc. If not specified, default is ncacn_ip_tcp.

-s - the server address. If not specified, the local machine will be pinged. E.g. server, server.com, 157.59.244.141

-e - the endpoint to ping. If none is specified, the endpoint mapper on the target machine will be pinged. This option is mutually exclusive with the interface (-f) option.

-o - the binding options for the RPC ping. See the MSDN for more details (RpcStringBindingCompose and RPC over HTTP).

-f [,MajorVer] - the interface to ping. This option is mutually exclusive with the endpoint option. The interface is specified as a UUID. If the MajorVer is not specified, version of the interface will be sought. When interface is specified, RPCPing will query the endpoint mapper on the target machine to retrieve the endpoint for the specified interface. The endpoint mapper will be queried using the options specified in the command line.

-u - the security package (security provider) RPC will use to make the call. The security package is identified as a number. The same number as in the RpcBindingSetAuthInfoEx is used. Negotiate is 9, NTLM is 10, SChannel is 14 and Kerberos is 16. If you specify this option you must specify authentication level other than none. There is no default for this option. If it is not specified, RPC will not use security for the ping.

-a - the authentication level to use. Possible values are connect, call, pkt, integrity and privacy. If this option is
specified, the security package id (-u) must also be specified. There is no default for this option. If this option is not specified, RPC will not use security for the ping.

-i - number of calls to make. The default is This option is useful for measuring connection latency if multiple iterations are specified.

-l - if specified, all output will be redirected to a log file. Useful for batch processing and remote troubleshooting. If this option is not specified, output goes to the console window.

-p - if specified, the output from RPCPing is appended to the log file. If not specified, the output from RPCPing replaces the current contents of the log file. This option is valid only when the -l option is used.

-r - if multiple iterations are specified, this option will make RPCPing display current execution statistics periodically instead of after the last call. The report interval is given in seconds. Default is 15.

-v - tells RPCPing how verbose to make the output. Default value is and provide more output from RPCPing

-N - specifies a server principal name. Same semantics as the ServerPrincName argument to RpcBindingSetAuthInfoEx. See the MSDN for more information on RpcBindingSetAuthInfoEx. This field can be used only when authentication level and security package are selected.

-I - allows you to specify alternative identity to connect to the server. The identity is in the form user,domain,password where the three fields have the obvious meaning. If the user name, domain, or password have special characters that can be interpreted by the shell, be sure to enclose the identity in double quotes. You can specify * instead of the password and RPC will prompt you to enter the password without echoing it on the screen. If this field is not specified, the identity of the logged on user will be used. This field can be used only when authentication level and security package are selected.

-C - a hex bitmask of flags. It has the same meaning as the Capabilities field in the RPC_SECURITY_QOS structure
described in the MSDN. This field can be used only when authentication level and security package are selected.

-T - can be static or dynamic. If not specified, dynamic is the default. This field can be used only when authentication level and security package are selected.

-M - can be anonymous, identify, impersonate, or delegate. The default is impersonate. This field can be used only when authentication level and security package are selected.

-S - the expected SID of the server. For more information see the Sid field in the RPC_SECURITY_QOS structure in the MSDN. Using this option requires Windows .NET Server 2003 or higher. This field can be used only when authentication level and security package are selected.

-P - specifies the identity to authenticate with to the RPC/HTTP proxy. This has the same format as for the -I option. See software requirements at the end. Also, you must specify security package (-u), authentication level (-a), and authentication schemes (-H) in order to use this option.

-F - the flags to pass for RPC/HTTP front end authentication. For more information, see the Flags field in RPC_HTTP_TRANSPORT_CREDENTIALS. See software requirements at the end. Also, you must specify security package (-u) and authentication level (-a) in order to use this option.

-H - the authentication schemes to use for RPC/HTTP front end authentication. This option is a list of numerical values separated by comma, e.g. 1,2. The values are the same as defined in the RPC headers - Basic is 1, NTLM is See software requirements at the end. Also, you must specify security package (-u) and authentication level (-a) in order to use this option.

-B - the server certificate subject. For more information, see the ServerCertificateSubject field in the RPC_HTTP_TRANSPORT_CREDENTIALS structure in the MSDN. You must use SSL for this option to work. See software requirements at the end. Also, you must specify security package (-u) and
authentication level (-a) in order to use this option.

-b - retrieves the server certificate subject from the certificate sent by the server and prints it to a screen or a log file. Valid only when the Proxy Echo only option (-E) and the use SSL options are specified. See software requirements at the end. Also, you must specify security package (-u) and authentication level (-a) in order to use this option.

-R - specifies the HTTP proxy. If it's 'none', we will not use HTTP proxy but directly attempt the RPCProxy. The value 'default' means to use the IE settings in your client machine. Any other value will be treated as the explicit HTTP proxy. If you don't specify this flag, the default value is assumed, that is, the IE settings are checked. This flag is valid only when the -E (Echo Only) flag is enabled. See software requirements at the end for more information.

-E - restricts the ping to the RPC/HTTP proxy only. The ping does not reach the server. This is useful when trying to establish whether the RPC/HTTP proxy is reachable. See software requirements at the end. Also, you must specify security package (-u) and authentication level (-a) in order to use this option. To specify an HTTP proxy, use the -R flag. If an HTTP proxy is specified in the -o flag, this option will be ignored.

-q - quiet mode. Does not issue any prompts except for passwords. This assumes a 'Y' response to all queries. Use this option with care.

Software requirements: The -P, -F, -H, -B, -b, -R, -E options require Windows Server 2003, Windows XP Service Pack 2 or Windows XP Service Pack 1 with Q331320.

Example: Find out if your Exchange server that you connect through RPC/HTTP is accessible:

    rpcping -t ncacn_http -s exchange_server -o RpcProxy=front_end_proxy -P "username,domain,*" -H -u 10 -a connect -F

The other parameters will ask RPCPing to ping your Exchange server in exactly the same way as Outlook will connect to it for the typical profile.
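The option dependencies stated in Appendix A can be checked mechanically before a command is run. This is an added example, not part of the original module; both command lines, and the values given to -H, -F and -v in them, are constructed for illustration.

```python
import shlex

# Options that take no value, per the usage line in Appendix A.
FLAGS = {"-p", "-b", "-E", "-q"}
# Options that Appendix A says need a security package (-u) and an
# authentication level (-a) to be selected.
NEED_SECURITY = {"-N", "-I", "-C", "-T", "-M", "-S",
                 "-P", "-F", "-H", "-B", "-b", "-E"}


def parse(cmdline):
    """Split an rpcping command line into {option: value, or True for a flag}."""
    tokens = shlex.split(cmdline)
    if tokens and tokens[0].lower().startswith("rpcping"):
        tokens = tokens[1:]
    opts, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in FLAGS:
            opts[tok] = True
            i += 1
        elif tok.startswith("-") and len(tok) == 2 and i + 1 < len(tokens):
            opts[tok] = tokens[i + 1]
            i += 2
        else:
            raise ValueError(f"cannot parse {tok!r}")
    return opts


def lint(cmdline):
    """Return the Appendix A rules that the command line breaks."""
    opts = parse(cmdline)
    findings = []
    if "-e" in opts and "-f" in opts:
        findings.append("-e and -f are mutually exclusive")
    has_u = "-u" in opts
    has_a = "-a" in opts and opts["-a"].lower() != "none"
    if has_u != has_a:
        findings.append("-u and -a must be given together, with a level other than none")
    if not (has_u and has_a):
        for opt in sorted(NEED_SECURITY.intersection(opts)):
            findings.append(f"{opt} requires -u and -a")
    if "-P" in opts and "-H" not in opts:
        findings.append("-P requires -H")
    if "-R" in opts and "-E" not in opts:
        findings.append("-R is valid only with -E")
    if "-p" in opts and "-l" not in opts:
        findings.append("-p is valid only with -l")
    # Appendix A: '*' in place of the password makes RPCPing prompt without
    # echo, which keeps the password out of shell history and log files.
    for opt in ("-I", "-P"):
        if opt in opts:
            fields = opts[opt].split(",")
            if len(fields) != 3:
                findings.append(f"{opt} must be user,domain,password")
            elif fields[2] != "*":
                findings.append(f"{opt} carries a literal password; use * to be prompted")
    return findings


# Constructed command lines (option values are illustrative).
GOOD = ('rpcping -t ncacn_http -s ExchServer -o RpcProxy=RPCProxyServer '
        '-P "user,domain,*" -H 1 -u 10 -a connect -F 3 -v 3 -E -R none')
BAD = ('rpcping -t ncacn_http -s ExchServer -e 6001 '
       '-f a4f1db00-ca47-1067-b31f-00dd010662da,0 '
       '-P "user,domain,Passw0rd" -a connect -R none')

if __name__ == "__main__":
    for name, cmd in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint(cmd) or "no findings")
```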
Appendix B – Registry Values

Exchange

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem]
    "Rpc/HTTP Port"=dword:00001771
    "HTTP Port"=dword:00001772

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeSA\Parameters]
    "Rpc/HTTP NSPI Port"=dword:00001774

Global Catalog

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
    "NSPI interface protocol sequences"=hex(7):6e,00,63,00,61,00,63,00,6e,00,5f,00,68,00,74,\
      00,74,00,70,00,3a,00,36,00,30,00,30,00,34,00,00,00,00,00

RpcHttpProxy

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy]
    "Enabled"=dword:00000001
    "ValidPorts"="Back-End:593;Back-End.concsi.lab:593;Back-End:6001;Back-End.concsi.lab:6001;Back-End:6002;Back-End.concsi.lab:6002;Back-End:6004;Back-End.concsi.lab:6004;GC:593;GC.concsi.lab:593;GC:6004;GC.concsi.lab:6004"

Appendix C – Useful Weblinks

Remote Procedure Calls Using RPC over HTTP
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/remote_procedure_calls_using_rpc_over_http.asp

The Registry Keys
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/remote_procedure_calls_using_rpc_over_http.asp

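The Appendix B values depend on each other: the NSPI port used by the System Attendant, the protocol sequence set on the global catalog, and the ports the RPCProxy is allowed to reach in ValidPorts. The following cross-check is an added example, not part of the original module; the .reg text is constructed from the Appendix B values, and the rule that each listed host needs exactly the fixed Exchange ports is an assumption drawn from the sample ValidPorts string.

```python
import re

# Constructed .reg text built from the Appendix B values (host names as in the sample).
REG_TEXT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem]
"Rpc/HTTP Port"=dword:00001771
"HTTP Port"=dword:00001772

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeSA\Parameters]
"Rpc/HTTP NSPI Port"=dword:00001774

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
"NSPI interface protocol sequences"=hex(7):6e,00,63,00,61,00,63,00,6e,00,5f,00,68,00,74,\
  00,74,00,70,00,3a,00,36,00,30,00,30,00,34,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy]
"Enabled"=dword:00000001
"ValidPorts"="Back-End:593;Back-End.concsi.lab:593;Back-End:6001;Back-End.concsi.lab:6001;Back-End:6002;Back-End.concsi.lab:6002;Back-End:6004;Back-End.concsi.lab:6004;GC:593;GC.concsi.lab:593;GC:6004;GC.concsi.lab:6004"
'''


def decode(data):
    """Decode the three value types that appear in Appendix B."""
    if data.startswith("dword:"):
        return int(data[6:], 16)
    if data.startswith("hex(7):"):  # REG_MULTI_SZ: UTF-16LE strings, NUL separated
        raw = bytes(int(b, 16) for b in data[7:].replace(" ", "").split(","))
        return [s for s in raw.decode("utf-16-le").split("\x00") if s]
    return data.strip('"')          # REG_SZ


def parse_reg(text):
    """Return {key_path: {value_name: decoded_value}}."""
    text = text.replace("\\\n", "")  # join hex continuation lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif line.startswith('"') and current is not None:
            name, data = re.match(r'"([^"]+)"=(.*)$', line).groups()
            current[name] = decode(data)
    return keys


def parse_valid_ports(value):
    """'host:port;host:lo-hi' -> {host_lowercase: [(lo, hi), ...]}."""
    allowed = {}
    for entry in filter(None, (e.strip() for e in value.split(";"))):
        host, _, ports = entry.rpartition(":")
        lo, _, hi = ports.partition("-")
        allowed.setdefault(host.lower(), []).append((int(lo), int(hi or lo)))
    return allowed


def audit(text, backend=("back-end", "back-end.concsi.lab"),
          gc=("gc", "gc.concsi.lab")):
    """Cross-check the Exchange, global catalog and RPCProxy values."""
    reg = parse_reg(text)

    def find(suffix):
        return next(v for k, v in reg.items() if k.lower().endswith(suffix))

    store = find(r"msexchangeis\parameterssystem")
    sa = find(r"msexchangesa\parameters")
    ntds = find(r"ntds\parameters")
    allowed = parse_valid_ports(find(r"rpc\rpcproxy")["ValidPorts"])
    nspi = sa["Rpc/HTTP NSPI Port"]
    findings = []

    # The GC must offer NSPI over ncacn_http on the port Exchange expects.
    if f"ncacn_http:{nspi}" not in ntds["NSPI interface protocol sequences"]:
        findings.append(f"GC lacks protocol sequence ncacn_http:{nspi}")

    # Assumption: back-end hosts need every fixed Exchange port, GCs the NSPI port.
    needed = {h: set(store.values()) | set(sa.values()) for h in backend}
    needed.update({h: {nspi} for h in gc})
    for host, ports in needed.items():
        for port in sorted(ports):
            if not any(lo <= port <= hi for lo, hi in allowed.get(host, [])):
                findings.append(f"ValidPorts does not allow {host}:{port}")

    # ValidPorts accepts ranges; a range exposes more than the fixed ports.
    for host, ranges in allowed.items():
        for lo, hi in ranges:
            if hi > lo:
                findings.append(f"ValidPorts range {host}:{lo}-{hi} is wider than the fixed ports")
    return findings


if __name__ == "__main__":
    print(audit(REG_TEXT) or "registry values are consistent")
```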
Date posted: 11/12/2013, 14:15
