Blog Archives

Outlook RPC over SSL/HTTPS works for all accounts except some…

Not long ago I stepped into another “everyday IT problem”… All accounts, in and out, work perfectly with the RPC over ISA configuration except 2 of them.
Those two accounts had been initialized after a copy in the AD console from other users in the same departments, having exactly the same user permissions and Exchange advanced capabilities. However, those 2 accounts had something in common with each other that was, at the same time, different from the rest.
“Hide from Exchange address lists” was checked in the Exchange Advanced tab, as in the snapshot below.
This seems logical of course, if you consider the fact that the RPC infrastructure uses the Exchange address lists for passing credentials from the Active Directory to your Global Catalog/RPC proxy. Thus if you hide a user from this list… no matter how much you try, how correct your certificates are, or how correct your Outlook clients' configuration is, you will never initiate a NEW connection to your Exchange RPC over HTTPS.
I say NEW, since if the connection is established once (with the user visible to Exchange address lists), then you may hide the user again. However, don’t take this for granted, since I went through two conflicting examples. One worked… the other did not.
Hope this saves you some time.

Cannot connect to Exchange 2003 RPC with Outlook 2007/2010

I have been looking into this problem for some days now, not only on Outlook 2003 but on 2007 and 2010 as well.
I have followed all the needed procedures found around the web, but nothing. Outlook 2007 keeps asking for username/pass without going anywhere.
Running outlook.exe /rpcdiag shows that there is no active or actually working connection.
My solution came after doing the following.
First, on the client side:
I added the following under the registry key [HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\RPC] (use 12.0 or 11.0 instead of 14.0 for prior Outlook versions; if there is no RPC key, simply create it: right-click on Outlook > New > Key):
– “DefConnectOpts”=dword:00000000 (as colleagues mention above)
Also add the following under RPC as well:
– “ConnectTimeout” = DWORD value with hex value 000493e0
– “ConnectTimeoutLow” = DWORD value with hex value 000493e0
– “RFRTimeout” = DWORD value with hex value 000493e0
Secondly on the server:
On you will find the best way to resolve it… but as we IT people are in a hurry all the time, we don’t usually see what “exists” right in front of our eyes.
Download the tool called RPCNoFrontEnd (19 KB) mentioned on the page (mid). Execute it after entering your external FQDN. This tool will make all the necessary registry changes needed on the server side, which until now I have not found elsewhere. God bless the guy who wrote it, Harry Bates.
Restart your server for the registry changes to take effect.
Test your Outlook client's Exchange connection through RPC/HTTPS (with /rpcdiag if you want). It will take a while the first time, but it worked for me.
Hope this helps… I’m going to sleep now, because I have a tough day tomorrow.
PS. The best workarounds I have found so far are the following:

PS2. Be sure that the following registry entries are made on RPC and/or GC server


Here you need to change the value of the ValidPorts key. The values should be entered in the format below:
ExchangeServer:593; ExchangeServerFQDN:593; ExchangeServer:6001-6002; ExchangeServerFQDN:6001-6002; ExchangeServer:6004; ExchangeServerFQDN:6004; GlobalCatalogServer:593; GlobalCatalogServerFQDN:593; GlobalCatalogServer:6004; GlobalCatalogServerFQDN:6004
This means if your Exchange server is named Exchange01 and your Global Catalog server is called GlobalCatalog01 and both are members of the AD domain , it should look like:
Exchange01:593;; Exchange01:6001-6002;; Exchange01:6004;; GlobalCatalog01:593;; GlobalCatalog01:6004;
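The ValidPorts format above, as an added example that is not part of the original post: this Python sketch builds the full entry list from the two server names and audits an existing value for missing, blank or extra server:port entries. The domain `example.local` and the sample value are constructed placeholders.

```python
# Added example, not from the original post. Host names follow the post's
# Exchange01/GlobalCatalog01 sample; the domain "example.local" is a placeholder.
EXCHANGE_PORTS = ("593", "6001-6002", "6004")  # ports listed for the Exchange server
GC_PORTS = ("593", "6004")                     # ports listed for the Global Catalog


def expected_entries(exchange, gc, domain):
    """List every server:port entry the format asks for (short name, then FQDN)."""
    entries = []
    for host, ports in ((exchange, EXCHANGE_PORTS), (gc, GC_PORTS)):
        for port in ports:
            entries.append(f"{host}:{port}")
            entries.append(f"{host}.{domain}:{port}")
    return entries


def build_valid_ports(exchange, gc, domain):
    """Join the expected entries with ';' into one ValidPorts string."""
    return ";".join(expected_entries(exchange, gc, domain))


def audit_valid_ports(value, exchange, gc, domain):
    """Compare an existing ValidPorts string with the expected entries.

    Returns 'missing' and 'unexpected' entries (lower-cased, sorted) and
    'empty', the number of blank entries such as those left by ';;'.
    """
    parts = [p.strip() for p in value.split(";")]
    present = {p.lower() for p in parts if p}
    wanted = {e.lower() for e in expected_entries(exchange, gc, domain)}
    return {
        "missing": sorted(wanted - present),
        "unexpected": sorted(present - wanted),
        "empty": sum(1 for p in parts if not p),
    }


if __name__ == "__main__":
    # Constructed sample: FQDN entries left blank and one extra port added.
    sample = ("Exchange01:593;; Exchange01:6001-6002;; Exchange01:6004;; "
              "GlobalCatalog01:593;; GlobalCatalog01:6004;; Exchange01:8080")
    print(build_valid_ports("Exchange01", "GlobalCatalog01", "example.local"))
    print(audit_valid_ports(sample, "Exchange01", "GlobalCatalog01", "example.local"))
```

Anything reported under `unexpected` is a server:port pair outside the list the post calls for and is worth reviewing before the value is written to the registry.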
Now we need to log on to the Global Catalog server (which would be the Domain Controller). Here we need to add a string to the registry as well, so navigate to:
– Then click Edit in the menu > New then click Multi-String Value
– Name it “NSPI interface protocol sequences”
– Right-click the NSPI interface protocol sequences multi-string value, and then click Modify
– Type ncacn_http:6004 in the value box

Now restart the Global Catalog Server.

Mine worked! 🙂