Welcome to TechNet Blogs Sign in | Join | Help

Matthijs' blog

VMRCplus and other things.

By Matthijs ten Seldam

News

  • Welcome to my blog on
  • VMRCplus


    • I am a Principal Consultant with Microsoft Consulting Services focused on virtualization. I am co-author of "Virtualization with Microsoft Virtual Server 2005".

    Virtualization with Microsoft Virtual Server 2005

    The information in this weblog is provided "AS IS" with no warranties, and confers no rights. This weblog does not represent the thoughts, intentions, plans or strategies of my employer. It is solely my opinion. Inappropriate comments will be deleted at the authors discretion.
VMRCplus and authentication

VMRCplus has no support for alternate credentials. This means that in order to manage a Virtual Server remotely, both the machine with VMRCplus and the Virtual Server host must be in the same forest. You may wonder why VMRCplus does not support alternate credentials. Both the VMRC client and the Virtual Server Administration Website support this. Or do they only seem to support this?

The VMRC client is the standalone client which comes with Virtual Server. It is used to connect to the VMRC Server port, configured on the Virtual Server host. By default, the VMRC Server uses TCP port 5900.
When connecting using VMRC client, it connects using the single TCP port to the Virtual Server VMRC service. Authentication is built-in with the VMRC server; if authentication is required the server responds to the VMRC client with an authentication request which results in an authentication dialog to the user.
VMRCplus does not communicate using the VMRC port. This is sometimes misunderstood. VMRCplus only uses the VMRC port when opening remote control sessions in the Console Manager. That is where the VMRC port is being used.

The Virtual Server Administration Website (vswebapp.exe) is a web application hosted on Internet Information Services (IIS). In a default configuration, IIS is installed on the Virtual Server host and vswebapp.exe is installed on IIS. When connecting from a remote client using Internet Explorer (IE) you communicate with the web application (vswebapp.exe). If authentication is required, IE shows an authentication dialog which is the result of the web application os IIS. Basically you authenticate to IIS using alternate credentials if integrated logon fails. Important to understand that up to this point, Virtual Server has not been involved in authentication. Only after authentication has been performed, vswebapp.exe uses these credentials to 'connect' to Virtual Server. If that fails, it fails. So Virtual Server expects proper credentials and if not provided, access is denied.
Vswebappe.exe accesses Virtual Server using COM in this scenario because vswebapp.exe is local to the Virtual Server host. However the Virtual Server COM object has no support for alternate credentials.
VMRCplus can be compared in this scenario when installed locally on the Virtual Server host. If your current credentials are sufficient, you get access according to your privileges. If not, you simply get an access denied message ('... server does not exist or insufficient privileges...").

When VMRCplus is used in a remote scenario it uses DCOM to access Virtual Server. As mentioned before, Virtual Server does not support alternate credentials. Also in this scenario, your authentication is performed implicitly and only succeeds when both the VMRCplus machine and remote Virtual Server host are in the same forest.

An additional requirement exists in the remote scenario. Virtual Server runs with Local System identity. In the remote scenario this requires the VMRCplus user to be a member of the local Administrators group on the Virtual Server host. If this requirement is unacceptable for you, you must use VMRCplus locally on the Virtual Server host. You can offer the VMRCplus user RDP to the Virtual Server host and limit its privileges on the host. VMRCplus has been designed for RDP usage.

 

Posted: Tuesday, July 10, 2007 11:36 AM by matthts

Comments

Keith Combs' Blahg said:

For those of you running Microsoft Virtual Server , we have a new treat in store for you. Originally

# July 14, 2007 1:35 PM

fgallardo said:

Will you enable this app to authenticate? It would be a very usefull thing.

# October 15, 2007 12:34 PM

jholmblad said:

Matthts,

thanks for continuing to develop this product.

I would also like the see the capability to enter user credentials prior to connecting to the target Virtual Server. Before I found this thread I resorted to a) examining firewall logs and b) firing up Ethereal to try to figure out what was going wrong.

I have an environment where neither the system hosting VMRCplus nor the system hosting Virtual server are domain joined.

For now I will have to RDP into the system running Virtual Server.

Best Regards

John Holmblad

# October 17, 2007 3:37 PM

fgallardo said:

Create a new shortcut to the application and use the RUNAS command:

C:\Windows\System32 runas.exe /u:ENTER YOUR DOMAIN CREDENTIALS(eg. microsoft\bgates) "C:\Program Files\Microsoft VMRCplus\vmrcplus.exe"

# October 18, 2007 11:38 AM

$ClaudioG.Blog = $True said:

All'interno dell'area di download del TechNet Magazine , è stato pubblicata la nuova versione 1.6 di

# October 26, 2007 7:15 AM

GeniusOfVirtualWorlds said:

For those of you looking to give non-administrators access to VMRC+ remotely, there is a workaround. The article above indicates that in order to use VMRC+ remotely, the user must be a member of the administrators group of the Virtual Server Host:

   "An additional requirement exists in the remote   scenario. Virtual Server runs with Local System identity. In the remote scenario this requires the VMRCplus user to be a member of the local Administrators group on the Virtual Server host."

If you place the user in the "Distributed COM Users" group, you can avoid giving them administrator privileges to the Virtual Server Host.

# February 11, 2008 4:29 PM
Anonymous comments are disabled
Page view tracker