Matthijs's blog

Virtualization tools and stuff. By Matthijs ten Seldam

VMRCplus and authentication

VMRCplus and authentication

  • Comments 12
  • Likes

VMRCplus has no support for alternate credentials. This means that in order to manage a Virtual Server remotely, both the machine with VMRCplus and the Virtual Server host must be in the same forest. You may wonder why VMRCplus does not support alternate credentials. Both the VMRC client and the Virtual Server Administration Website support this. Or do they only seem to support this?

The VMRC client is the standalone client which comes with Virtual Server. It is used to connect to the VMRC Server port, configured on the Virtual Server host. By default, the VMRC Server uses TCP port 5900.
When connecting using VMRC client, it connects using the single TCP port to the Virtual Server VMRC service. Authentication is built-in with the VMRC server; if authentication is required the server responds to the VMRC client with an authentication request which results in an authentication dialog to the user.
VMRCplus does not communicate using the VMRC port. This is sometimes misunderstood. VMRCplus only uses the VMRC port when opening remote control sessions in the Console Manager. That is where the VMRC port is being used.

The Virtual Server Administration Website (vswebapp.exe) is a web application hosted on Internet Information Services (IIS). In a default configuration, IIS is installed on the Virtual Server host and vswebapp.exe is installed on IIS. When connecting from a remote client using Internet Explorer (IE) you communicate with the web application (vswebapp.exe). If authentication is required, IE shows an authentication dialog which is the result of the web application os IIS. Basically you authenticate to IIS using alternate credentials if integrated logon fails. Important to understand that up to this point, Virtual Server has not been involved in authentication. Only after authentication has been performed, vswebapp.exe uses these credentials to 'connect' to Virtual Server. If that fails, it fails. So Virtual Server expects proper credentials and if not provided, access is denied.
Vswebappe.exe accesses Virtual Server using COM in this scenario because vswebapp.exe is local to the Virtual Server host. However the Virtual Server COM object has no support for alternate credentials.
VMRCplus can be compared in this scenario when installed locally on the Virtual Server host. If your current credentials are sufficient, you get access according to your privileges. If not, you simply get an access denied message ('... server does not exist or insufficient privileges...").

When VMRCplus is used in a remote scenario it uses DCOM to access Virtual Server. As mentioned before, Virtual Server does not support alternate credentials. Also in this scenario, your authentication is performed implicitly and only succeeds when both the VMRCplus machine and remote Virtual Server host are in the same forest.

An additional requirement exists in the remote scenario. Virtual Server runs with Local System identity. In the remote scenario this requires the VMRCplus user to be a member of the local Administrators group on the Virtual Server host. If this requirement is unacceptable for you, you must use VMRCplus locally on the Virtual Server host. You can offer the VMRCplus user RDP to the Virtual Server host and limit its privileges on the host. VMRCplus has been designed for RDP usage.

 

Comments
  • For those of you running Microsoft Virtual Server , we have a new treat in store for you. Originally

  • Will you enable this app to authenticate? It would be a very usefull thing.

  • Matthts,

    thanks for continuing to develop this product.

    I would also like the see the capability to enter user credentials prior to connecting to the target Virtual Server. Before I found this thread I resorted to a) examining firewall logs and b) firing up Ethereal to try to figure out what was going wrong.

    I have an environment where neither the system hosting VMRCplus nor the system hosting Virtual server are domain joined.

    For now I will have to RDP into the system running Virtual Server.

    Best Regards

    John Holmblad

  • Create a new shortcut to the application and use the RUNAS command:

    C:\Windows\System32 runas.exe /u:ENTER YOUR DOMAIN CREDENTIALS(eg. microsoft\bgates) "C:\Program Files\Microsoft VMRCplus\vmrcplus.exe"

  • All'interno dell'area di download del TechNet Magazine , è stato pubblicata la nuova versione 1.6 di

  • For those of you looking to give non-administrators access to VMRC+ remotely, there is a workaround. The article above indicates that in order to use VMRC+ remotely, the user must be a member of the administrators group of the Virtual Server Host:

       "An additional requirement exists in the remote   scenario. Virtual Server runs with Local System identity. In the remote scenario this requires the VMRCplus user to be a member of the local Administrators group on the Virtual Server host."

    If you place the user in the "Distributed COM Users" group, you can avoid giving them administrator privileges to the Virtual Server Host.

  • Hi, I had the error "Access is denied. (Exeption from HRESULT:0x80070005 (E_ACCESSDENIED)) when using VMRCPlus from an XP client, even though the computer was in the same domain and the user was logged in as a domain administrator (test system of course).

    I found the the client's DNS settings were incorrect. Once DNS server added it worked fine. The message seems a little misleading.

    I thought I'd pass this on since it took me sometime to find it.

  • The access denied message is a result which is returned by the Virtual Server COM object. I have no control over it as to what circumstances cause this. Incorrect DNS usually causes a lot of auth issues so that does not surprise me. :-)

  • I am also getting the message of "Access is denied. (Exeption from HRESULT:0x80070005 (E_ACCESSDENIED))" at a Windows XP client. Generally I am using this client as a testing terminal to host my virtual machines. I have Virtual Server R2 SP1 and Virtual PC installed on this machine.

    As I found this VMRCPlus tools, I would like to manage the virtual machines via VMRCPlus but no luck of getting it running.

    The client terminal is not joined to any domains and the VMRCPlus is running under the default Administrator user in Windows XP. I have not select the VMRCPlus API during the installation.

  • We've got a virtual server 2005 host in our domain, and we've got a few user accounts that need to connect to the virtual servers being hosted.

    I've added the user to the Local Administrators group on the virtual server 2005 host. However, when said user uses VMRCplus he can see the machines, but as soon as he tries to open the Console Manager, it asks for credentials. Said user cannot authenticate with his domain user credentials (that are part of local administrator on virtual server 2005 host), but authenticating with domain administrator credentials works fine.

    What am I missing here?

  • What good is a tool if it doesn't work?

    Seems we'll have to use remote desktop or VNC instead of vmrc plus. Silly and daft for providing the functionality... andit's not working.

  • In the service console DCOM object components should establish the identity of the user object VMRCActiveXClient DCOM.

    The default is the initial user. By specifying a user with sufficient rights , work properly.

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment