vmconnect with basic authentication and https/TLS?

    Question

  • Actually the title already expresses the essence. I would like to use vmconnect to connect to virtual machines on a different host and as the client is not necessarily a domain member or using the same identities, I would like to enable basic authentication. I can enable basic authentication using gpedit, however it clearly warns that when using http the password is sent unencrypted. I would like to mitigate this by forcing any winrm/winrs/vmconnect connection to be encrypted using https, however I haven't found any command line option to vmconnect or configuration setting that allows me to enforce that. Is this really impossible or have I just not been digging deep enough?
    Thanks & Best regards, Joachim
    Monday, February 6, 2017 6:25 PM
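
Added example, not part of the original thread and not Microsoft's code: a PowerShell audit for the WinRM/WinRS side of the question above, reporting when Basic authentication could travel over plain HTTP. It reads the standard `WSMan:` provider settings; the function name `Test-WinRMBasicOverTls` is hypothetical, and the script does not configure vmconnect itself.

```powershell
# Added example (hypothetical function name). Run elevated on the machine to audit.
function Test-WinRMBasicOverTls {
    $findings = @()

    # Basic auth exposes the password only when unencrypted traffic is also allowed.
    foreach ($side in 'Service', 'Client') {
        $basic = (Get-Item "WSMan:\localhost\$side\Auth\Basic").Value
        $clear = (Get-Item "WSMan:\localhost\$side\AllowUnencrypted").Value
        if ($basic -eq 'true' -and $clear -eq 'true') {
            $findings += "${side}: Basic enabled with AllowUnencrypted=true"
        }
    }

    # Report every listener bound to plain HTTP, and the absence of any HTTPS listener.
    $listeners = @(Get-ChildItem WSMan:\localhost\Listener)
    foreach ($l in $listeners) {
        if ($l.Keys -contains 'Transport=HTTP') {
            $findings += "Listener $($l.Name): Transport=HTTP"
        }
    }
    if (-not ($listeners | Where-Object { $_.Keys -contains 'Transport=HTTPS' })) {
        $findings += 'No HTTPS listener configured'
    }

    return $findings
}

$result = Test-WinRMBasicOverTls
if ($result) { $result | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No findings: WinRM Basic auth is limited to HTTPS.' }
```

A finding on `AllowUnencrypted` is cleared with `Set-Item WSMan:\localhost\Service\AllowUnencrypted $false` (and the same path under `Client`), unless Group Policy owns the setting.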

All replies

  • Hi Joachim,

    >>however I haven't found any command line option to vmconnect or configuration setting that allows me to enforce that

    As far as I know, there are no other ways to deploy it.

    Best Regards

    John


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, February 7, 2017 5:37 AM
  • I find lots of instructions on how to enable basic authentication across an unsecure channel - seems there is a real need. Do you have any suggestion on how to achieve this securely?

    Thanks, Joachim

    Thursday, February 9, 2017 6:33 PM
  • Hi Joachim,

    You could deploy RDP to achieve the goal, and RDP could use TLS to authenticate data from the user.

    Here is information about VMConnect Enhanced Mode for your reference:

    https://blogs.technet.microsoft.com/askperf/2013/10/18/windows-8-1-windows-server-2012-r2-vmconnect-enhanced-mode-rdp-over-vmbus/

    Or another way is you could encrypt data between devices, and create IPsec between two devices, like firewall.

    Here is IPsec information for your reference:

    What Is IPsec?

    https://technet.microsoft.com/en-us/library/cc776369(v=ws.10).aspx

    Best Regards

    John




    • Edited by John Lii Monday, February 13, 2017 7:24 AM
    Friday, February 10, 2017 7:47 AM
  • Hi John,

    Can you please be more specific about what you mean by "RDP with vmconnect"? Do you mean that clients should first use RDP to go to the Hyper-V host and then use vmconnect locally? Or is there a means to connect with RDP (mstsc.exe) to a VM even though it is not running yet?

    Or let me put it differently: the differences I see - based on my previous experience, please correct if I am wrong - between vmconnect and mstsc are:

    (1) vmconnect connects to a vm before the OS is running

    (2) mstsc kind of authenticates against the target OS, vmconnect against the host OS (or domain)

    (3) vmconnect uses the same endpoint for multiple vms, whereas with mstsc.exe there is a distinct endpoint for every VM (different virtual host and IP address). 

    I am aware that the RDP protocol has been updated to address (3), but I am not aware of how to tell mstsc.exe to take advantage of that. Do I need to run an RDP gateway for that? How?

    W.r.t. IPSEC: I am looking into this option to ensure encryption of the channel, also for other applications. At present I am planning to set up a strongswan with IKEv2 and authenticating against my AD.

    Thanks & Best regards, Joachim

    Friday, February 10, 2017 1:44 PM
  • Hi Joachim,

    >>Do you mean that clients should first use RDP to go to the Hyper-V host and then use vmconnect locally?

    No, what I mean is that you could connect to the VM by RDP (mstsc.exe).

    Here is secure RDS connection for your reference:

    https://technet.microsoft.com/en-us/library/ff458357.aspx

    >>(1) vmconnect connects to a vm before the OS is running

    (2) mstsc kind of authenticates against the target OS, vmconnect against the host OS (or domain)

    Yes, you are correct.

    >>but I am not aware of how to tell mstsc.exe to take advantage of that. Do I need to run an RDP gateway for that?

    You could post it on the RDP forum to get effective support.

    Best Regards

    John






    • Edited by John Lii Monday, February 13, 2017 7:41 AM
    Monday, February 13, 2017 6:53 AM
  • Hi Joachim,

    Just want to confirm the current situation.

    Please feel free to let us know if you need further assistance.

    Best Regards

    John



    Monday, February 27, 2017 9:45 AM
  • 1) vmconnect connects to a vm before the OS is running

    Kinda, sorta.  When the VM is not running, when you connect to the VM you are really connecting to the settings of the VM.  When the VM is running, a 'modified' RDP connection is made to the running OS.

    What are you trying to do?  Are you trying to connect to the operating system of the VM or are you trying to connect to make changes to the VM configuration?  It makes a difference on what you want to connect to.  If connection to the VM OS is desired, then you can most likely handle it with RDP to the VM.  If you want to make setting changes, that could be handled by RDP to the host.


    . : | : . : | : . tim

    Monday, February 27, 2017 1:19 PM