A vanilla Workgroup install of Windows Server 2008R1 and following many of the available guides:

http://technet.microsoft.com/en-us/library/dd983949(v=ws.10).aspx

  1. Full Computer Name set to TSGSERVER.local, Workgroup WORKGROUP.
  2. Add roles for Remote Desktop Services and the Remote Desktop Gateway.
  3. Create self-signed certificate.
  4. Complete install.
  5. Export certificate via MMC from Local Computer/Personal/Certificates.
  6. Import certificate via MMC to Local Computer/Trusted Root Certification Authorities.
  7. Test with rpcping on command line:
    rpcping -v 3
            -e 3388
            -t ncacn_http
            -s localhost
            -o RpcProxy=TSGSERVER.local
            -P "Administrator,WORKGROUP,Password1"
            -H NTLM -u NTLM
            -a connect
            -F ssl
            -B msstd:TSGSERVER.local
            -E
            -R None

Parameters taken from http://technet.microsoft.com/en-us/library/cc772486(v=ws.10).aspx

And the RPC fails:

    RPCPing v6.0. Copyright (C) Microsoft Corporation, 2002-2006
     Since you have specified the RPC/HTTP proxy echo only option (-E), the endpoint
    /interface you have specified will be ignored as no calls will reach the RPC/HTT
    P server
     RPCPing set Activity ID:  {0c934a78-201c-40a3-82e8-9700bd928be6}
     RPCPinging proxy server tsgserver.local with Echo Request Packet
     Setting autologon policy to high
     Sending ping to server
     Response from server received: 401
     Use Server Preffered Auth Scheme: 2
     Setting autologon policy to high
     Sending ping to server
     Response from server received: 401
     Client is not authorized to ping RPC proxy
     Ping failed

With the IIS log files being similarly informative:

    #Software: Microsoft Internet Information Services 7.5
    #Version: 1.0
    #Date: 2013-08-28 18:01:02
    #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
    2013-08-28 18:01:02 192.168.1.1 RPC_IN_DATA /Rpc/rpcproxy.dll - 443 - 192.168.1.1 MSRPC 401 2 5 514
    2013-08-28 18:01:02 192.168.1.1 RPC_IN_DATA /Rpc/rpcproxy.dll - 443 - 192.168.1.1 MSRPC 401 2 5 0

What steps am I missing?

Without installing as a CA one naturally gets a certificate error:

    RPCPing v6.0. Copyright (C) Microsoft Corporation, 2002-2006
     Since you have specified the RPC/HTTP proxy echo only option (-E), the endpoint
    /interface you have specified will be ignored as no calls will reach the RPC/HTT
    P server
     RPCPing set Activity ID:  {b8fc4006-a3e8-4b9f-aa18-e1b951c7fe9a}
     RPCPinging proxy server TSGSERVER.local with Echo Request Packet
     Setting autologon policy to high
     Sending ping to server
     Error 12175 : A security error occurred
     returned in WinHttpSendRequest
     Ping failed

This is documented in KB 831051:

The RPC Ping Utility test may have failed because the certificate is not trusted or because it does not trust the certificate and root authority. The server certificate subject from the RPC Proxy server does not match the one that is specified by -B.

Steve-o
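
An added example, not part of the original post: a small Python parser that reads IIS W3C log lines using the `#Fields` directive and decodes the 401 substatus and Win32 status seen in the log above. The function names and lookup tables are this example's own, and the sample input is the log excerpt quoted in the post.

```python
# Constructed sample input: the IIS log excerpt quoted in the post above.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2013-08-28 18:01:02
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2013-08-28 18:01:02 192.168.1.1 RPC_IN_DATA /Rpc/rpcproxy.dll - 443 - 192.168.1.1 MSRPC 401 2 5 514
2013-08-28 18:01:02 192.168.1.1 RPC_IN_DATA /Rpc/rpcproxy.dll - 443 - 192.168.1.1 MSRPC 401 2 5 0
"""

# IIS 7.x meanings of the 401 substatus codes.
SUBSTATUS_401 = {
    1: "logon failed",
    2: "logon failed due to server configuration",
    3: "unauthorized due to ACL on resource",
    4: "authorization failed by filter",
    5: "authorization failed by ISAPI/CGI application",
}
# Win32 error codes that commonly accompany them.
WIN32 = {0: "ERROR_SUCCESS", 5: "ERROR_ACCESS_DENIED", 1326: "ERROR_LOGON_FAILURE"}

def parse_w3c(text):
    """Yield one dict per request line, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))

def auth_failures(records):
    """Return a decoded summary of every 401 response."""
    out = []
    for r in records:
        if r.get("sc-status") != "401":
            continue
        sub, w32 = int(r.get("sc-substatus", 0)), int(r.get("sc-win32-status", 0))
        out.append({
            "request": f'{r.get("cs-method")} {r.get("cs-uri-stem")}',
            "status": f"401.{sub}",
            "meaning": SUBSTATUS_401.get(sub, "unknown substatus"),
            "win32": WIN32.get(w32, str(w32)),
            # "-" means IIS recorded no authenticated user for the request
            "authenticated_user": None if r.get("cs-username", "-") == "-" else r["cs-username"],
        })
    return out

if __name__ == "__main__":
    for failure in auth_failures(parse_w3c(SAMPLE_LOG)):
        print(failure)
```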