In addition to what everyone else has said, if there is an issue with SSL in Windows, you almost always get an error from schannel in the System event log on the machine that rejected the connection that explains exactly what the problem is (if you can figure out what it is telling you).

For example, if the problem is really an issue with the cert name not matching the URL host name, schannel will give you an error 0x80090322, which translates to "the target principal name is incorrect". The details of the error will contain the certificate, which looks like a bunch of binary crap (it is), but probably contains readable strings containing the cert name. You can usually deduce from there.

Another thing that is often helpful with SSL issues, especially if HTTPS is involved, is just to point IE at the same site. If IE gives you a warning, the warning details will tell you exactly what the problem is in a friendlier way. "Warning" in IE typically translates to "failure" when SSL is done programmatically, as most code errs on the side of caution and simply fails if everything isn't ok. Also, the APIs that allow you to ignore the warnings are often not exposed anyway. For example, ADSI and .NET S.DS don't allow you to ignore SSL/LDAP problems, but LDAP API and System.DirectoryServices.Protocols (.NET 2.0) do. The LDAP error in this case is just "server not operational", which isn't too helpful.

Sometimes the IE trick doesn't work because IE and the code having the problem are executing in different security contexts/user profiles, so they have different configurations for certificate stores and private keys, but that should not be the issue with client code running in Outlook.

Ironically, I know that error code by heart (at least for this week) because I had that exact problem with an LDAP app earlier this week. Apparently, someone had created a hosts file entry on one of two servers in a load balanced cluster that had the wrong IP address for one of our DCs. Never mind that DNS resolved the name just fine, suggesting that the host file was not needed (beyond being a really bad idea in general). Luckily, I've had so much fun with SSL on Windows over the years that I know most of the rules by heart now. What took me an hour to troubleshoot had a medium sized team stymied for a few weeks. :) It is in this spirit that I try to provide as much detail here as I can.

Some other common SSL problems are cert expired, cert not yet valid and cert cannot be trusted. Another can of worms is introduced if CRLs are checked (which we just discussed a little while ago). A huge can of worms opens up when client certificates are involved.

Joe K.
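The name-mismatch case Joe describes (0x80090322, "the target principal name is incorrect") comes down to whether the host name in the URL is covered by the certificate's DNS names. The following is an added example, not code from the thread: it implements the usual DNS name matching rules (SAN dNSName entries first, subject CN only as a fallback when no SAN is present, a wildcard standing in only for the whole left-most label) and reports which of the URLs clients use are not covered. The certificate contents and the internal host name `fe1.comp.local` are constructed.

```python
from urllib.parse import urlsplit


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name (possibly a wildcard) against a host name."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # The wildcard may only replace the entire left-most label, there must be
    # at least two fixed labels after it (no '*.com'), and the label count must
    # agree ('*.comp.com' does not cover 'a.b.comp.com' or 'comp.com').
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(hostname: str, san_dns_names, common_name) -> bool:
    """True if the certificate's names cover hostname.

    When a SAN extension with DNS names is present, the subject CN is ignored,
    which is why a cert whose CN is right but whose SAN is wrong still fails.
    """
    if san_dns_names:
        names = list(san_dns_names)
    else:
        names = [common_name] if common_name else []
    return any(_name_matches(name, hostname) for name in names)


def find_name_mismatches(cert: dict, client_urls) -> list:
    """Return the host names from client_urls that the certificate does not cover."""
    missing = []
    for url in client_urls:
        host = urlsplit(url).hostname
        if host and not hostname_matches(host, cert["san_dns"], cert["cn"]):
            missing.append(host)
    return missing


# Constructed certificate contents for a front-end server.
EXAMPLE_CERT = {"cn": "mail.comp.com",
                "san_dns": ["mail.comp.com", "autodiscover.comp.com"]}

# Constructed: the external name plus an internal name an Outlook profile
# might point at. Only the names the cert carries will pass.
CLIENT_URLS = ["https://mail.comp.com/", "https://fe1.comp.local/"]

if __name__ == "__main__":
    print("not covered by cert:", find_name_mismatches(EXAMPLE_CERT, CLIENT_URLS))
```

The fix the thread recommends is to make every name clients use (internal and external, via split-brain DNS if needed) resolve to a name the certificate actually carries, so the returned list is empty.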

----- Original Message -----
From: Akomolafe, Deji
To: [email protected]
Sent: Friday, September 15, 2006 8:18 PM
Subject: RE: [ActiveDir] RPC Over HTTPS Problem....


In addition to what Robert is saying, take a look at http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3RPCHTTPDep/0849cb53-f1f9-419b-bb74-82bc010e247f.mspx?mfr=true

There are many things that can be responsible for this failure, and you need to selectively eliminate each.


Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon



From: Robert Rutherford
Sent: Fri 9/15/2006 5:52 PM
To: [email protected]
Subject: RE: [ActiveDir] RPC Over HTTPS Problem....


Hi Ravi,

The certificate does need to match the name of the site, i.e.
mail.comp.com. If it doesn't then it won't work. There are numerous
reasons why it fails but that is the first.

Rob

Robert Rutherford
QuoStar Solutions Limited

T:    +44 (0) 8456 440 331
F:    +44 (0) 8456 440 332
M:    +44 (0) 7974 249 494
E:    [EMAIL PROTECTED]
W:    www.quostar.com




-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra
Sent: 16 September 2006 01:36
To: [email protected]
Subject: Re: [ActiveDir] RPC Over HTTPS Problem....

Hi Bob,

Can you please explain how it should be, because I think I have
something wrong here related to the certificate.

Thanks
Ravi Dogra


On 9/16/06, Robert Rutherford <[EMAIL PROTECTED]> wrote:
The usual issue with that is that the URL you are connecting to matches
the name on the cert.

This must match on internal and external, i.e. you must use split brain
or you must configure your firewall to accept that connection on the WAN
interface.

Rob

Robert Rutherford
QuoStar Solutions Limited

T:    +44 (0) 8456 440 331
F:    +44 (0) 8456 440 332
M:    +44 (0) 7974 249 494
E:    [EMAIL PROTECTED]
W:    www.quostar.com




-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra
Sent: 16 September 2006 00:00
To: [email protected]
Subject: [ActiveDir] RPC Over HTTPS Problem....

Hi,

I am facing a weird problem. Here is some required information.

Frontend - Backend Structure.
Exchange with SP2 on Win2k3 SP1 on all Servers.
FE1 and BE1 are on a different site,
BE2 is on my Site.
Configured RPC over HTTPS on the Frontend Server. OWA (SSL) is working
fine.

Now here is the situation:
I have configured my client for RPC over HTTPS. When the client machine
tries to establish a connection with my Exchange Server it prompts me
for User Name and Password.

When I provide my credentials it does not accept them and keeps
prompting me for the same.

Also, while doing this, when I use Ctrl + Right click on the Outlook icon on
the right side of the taskbar and then select Connection Status, it never shows
as established. It remains on Connecting and tries to connect to my BE2
server where my mailbox resides.

What could be the possible reason for this? If any other information
is required please let me know.


--
Ravi Dogra
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx



--
Ravi Dogra
9899647200
This e-mail, together with any attachments, is confidential. It may be
read, copied and used only by the intended recipient. If you have
received it in error, please notify the sender immediately by e-mail
or telephone. Please then delete it from your computer without making
any copies or disclosing it to any other person.
