Partager via


VMRCplus and authentication

VMRCplus has no support for alternate credentials. This means that in order to manage a Virtual Server remotely, both the machine with VMRCplus and the Virtual Server host must be in the same forest. You may wonder why VMRCplus does not support alternate credentials. Both the VMRC client and the Virtual Server Administration Website support this. Or do they only seem to support this?

The VMRC client is the standalone client which comes with Virtual Server. It is used to connect to the VMRC Server port, configured on the Virtual Server host. By default, the VMRC Server uses TCP port 5900.
When connecting using VMRC client, it connects using the single TCP port to the Virtual Server VMRC service. Authentication is built-in with the VMRC server; if authentication is required the server responds to the VMRC client with an authentication request which results in an authentication dialog to the user.
VMRCplus does not communicate using the VMRC port. This is sometimes misunderstood. VMRCplus only uses the VMRC port when opening remote control sessions in the Console Manager. That is where the VMRC port is being used.

The Virtual Server Administration Website (vswebapp.exe) is a web application hosted on Internet Information Services (IIS). In a default configuration, IIS is installed on the Virtual Server host and vswebapp.exe is installed on IIS. When connecting from a remote client using Internet Explorer (IE) you communicate with the web application (vswebapp.exe). If authentication is required, IE shows an authentication dialog which is the result of the web application os IIS. Basically you authenticate to IIS using alternate credentials if integrated logon fails. Important to understand that up to this point, Virtual Server has not been involved in authentication. Only after authentication has been performed, vswebapp.exe uses these credentials to 'connect' to Virtual Server. If that fails, it fails. So Virtual Server expects proper credentials and if not provided, access is denied.
Vswebappe.exe accesses Virtual Server using COM in this scenario because vswebapp.exe is local to the Virtual Server host. However the Virtual Server COM object has no support for alternate credentials.
VMRCplus can be compared in this scenario when installed locally on the Virtual Server host. If your current credentials are sufficient, you get access according to your privileges. If not, you simply get an access denied message ('... server does not exist or insufficient privileges...").

When VMRCplus is used in a remote scenario it uses DCOM to access Virtual Server. As mentioned before, Virtual Server does not support alternate credentials. Also in this scenario, your authentication is performed implicitly and only succeeds when both the VMRCplus machine and remote Virtual Server host are in the same forest.

An additional requirement exists in the remote scenario. Virtual Server runs with Local System identity. In the remote scenario this requires the VMRCplus user to be a member of the local Administrators group on the Virtual Server host. If this requirement is unacceptable for you, you must use VMRCplus locally on the Virtual Server host. You can offer the VMRCplus user RDP to the Virtual Server host and limit its privileges on the host. VMRCplus has been designed for RDP usage.

Comments

  • Anonymous
    January 01, 2003
    Create a new shortcut to the application and use the RUNAS command: C:WindowsSystem32 runas.exe /u:ENTER YOUR DOMAIN CREDENTIALS(eg. microsoftbgates) "C:Program FilesMicrosoft VMRCplusvmrcplus.exe"

  • Anonymous
    January 01, 2003
    All'interno dell'area di download del TechNet Magazine , è stato pubblicata la nuova versione 1.6 di

  • Anonymous
    January 01, 2003
    We've got a virtual server 2005 host in our domain, and we've got a few user accounts that need to connect to the virtual servers being hosted. I've added the user to the Local Administrators group on the virtual server 2005 host. However, when said user uses VMRCplus he can see the machines, but as soon as he tries to open the Console Manager, it asks for credentials. Said user cannot authenticate with his domain user credentials (that are part of local administrator on virtual server 2005 host), but authenticating with domain administrator credentials works fine. What am I missing here?

  • Anonymous
    January 01, 2003
    For those of you running Microsoft Virtual Server , we have a new treat in store for you. Originally

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 01, 2003
    Matthts, thanks for continuing to develop this product. I would also like the see the capability to enter user credentials prior to connecting to the target Virtual Server. Before I found this thread I resorted to a) examining firewall logs and b) firing up Ethereal to try to figure out what was going wrong. I have an environment where neither the system hosting VMRCplus nor the system hosting Virtual server are domain joined. For now I will have to RDP into the system running Virtual Server. Best Regards John Holmblad

  • Anonymous
    January 01, 2003
    Will you enable this app to authenticate? It would be a very usefull thing.

  • Anonymous
    January 01, 2003
    For those of you looking to give non-administrators access to VMRC+ remotely, there is a workaround. The article above indicates that in order to use VMRC+ remotely, the user must be a member of the administrators group of the Virtual Server Host:    "An additional requirement exists in the remote   scenario. Virtual Server runs with Local System identity. In the remote scenario this requires the VMRCplus user to be a member of the local Administrators group on the Virtual Server host." If you place the user in the "Distributed COM Users" group, you can avoid giving them administrator privileges to the Virtual Server Host.

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 01, 2003
    I am also getting the message of "Access is denied. (Exeption from HRESULT:0x80070005 (E_ACCESSDENIED))" at a Windows XP client. Generally I am using this client as a testing terminal to host my virtual machines. I have Virtual Server R2 SP1 and Virtual PC installed on this machine. As I found this VMRCPlus tools, I would like to manage the virtual machines via VMRCPlus but no luck of getting it running. The client terminal is not joined to any domains and the VMRCPlus is running under the default Administrator user in Windows XP. I have not select the VMRCPlus API during the installation.

  • Anonymous
    September 14, 2010
    The comment has been removed