SCVMM Remotedesktop

  • Question

  • Hi!
     
    We're playing around with Hyper-V and SCVMM. We have several VMs installed and they're members of a domain. When using SCVMM I can see my assigned machines, and there is also the functionality to connect to them via Remotedesktop. Unfortunately, when I try to use it I have no chance to use the domain logon; it seems that only a local account can log on this way. Is this correct? If so, is there any chance to change this to make domain logons available? By the way, when I go directly via the Hyper-V host (double-clicking the VM) I can use the logon via domain (dropdown available and works). I already tried to log on via SCVMM with domain\username (without success).


    Thanks in advance,
    Matthias
    Monday, December 15, 2008 9:55 AM

Answers

  • Hi Matthias,

    Just to give you a quick description of the way this works - when you add a user to an SCVMM user role, that user account is given access to connect to Hyper-V machines which are in the scope of that role. In addition to this, all Administrators on the Hyper-V host automatically have access to remotely connect to the Hyper-V server and control the VMs. When you log in to the SCVMM administrative console, you will be doing so under a domain account that is also an SCVMM admin or delegated admin. This account will have been granted access to the Hyper-V server, so connections to VMs on that host should work without the system needing to prompt for credentials. It sounds like you are hitting an issue trying to connect at this point? If you can describe the connection error in more detail I might be able to help with that.

    Anyway, to answer your question directly, yes, whatever account you used to run the SCVMM administrative console is the very account that will be used to connect to the Hyper-V server. Basically, if the user account you attempt to connect with is "known" by the remote system as a domain user, but is not authorized in the AzMan store to access Hyper-V, then it will fail outright and will not prompt for additional credentials. If the user account is completely unknown to the Hyper-V server then it will prompt for alternative credentials. The first case theoretically should never be hit since we give each SCVMM user appropriate permissions in the AzMan store, but certain environmental configurations can cause this to fail. For example, CredSSP single sign-on technology is required to establish a full connection to the Hyper-V server. This is required both on the client and on the Hyper-V server. What operating system are you running your SCVMM administrative console under? If you can give me a few details I can help you get this working. On a side note, there is a way to force the system to always prompt for credentials, but that could get annoying having to enter them every time you connect. We should probably just look into why the connection isn't working as is.

    -James


    Monday, December 15, 2008 7:53 PM
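
The answer above notes that CredSSP has to work on both the client and the Hyper-V server. As an added example (not part of the original thread, and not SCVMM's own tooling), the PowerShell below audits the client-side CredSSP delegation policy for one Hyper-V host and flags a delegation entry that is broader than needed. Assumptions not stated in the thread: the policy is read from the Group Policy `CredentialsDelegation` registry location, the service class checked is `Microsoft Virtual Console Service`, and the host name is a placeholder.

```powershell
# Added example. Run on the machine that hosts the console or connection client.
$HyperVHost = 'hyperv-host.example.test'   # placeholder, replace with your host
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
# Assumption: SPN class used by the Hyper-V VM connection service.
$TargetSpn  = "Microsoft Virtual Console Service/$HyperVHost"

function Get-DelegationList {
    param([string]$ListName)
    $path = Join-Path $PolicyRoot $ListName
    if (-not (Test-Path $path)) { return @() }
    $key = Get-Item $path
    # Each value under the list key holds one SPN pattern, e.g. "TERMSRV/*".
    @($key.GetValueNames() | ForEach-Object { [string]$key.GetValue($_) })
}

function Test-SpnDelegation {
    param([string]$Spn, [string[]]$Patterns)
    # -like treats "*" in a policy entry as a wildcard, as the policy does.
    $hits = @($Patterns | Where-Object { $Spn -like $_ })
    [pscustomobject]@{
        Spn       = $Spn
        Allowed   = $hits.Count -gt 0
        MatchedBy = $hits -join '; '
        # A bare "*" delegates default credentials to every server, not just this host.
        TooBroad  = [bool]($hits | Where-Object { $_ -eq '*' })
    }
}

foreach ($list in 'AllowDefaultCredentials', 'AllowDefaultCredentialsWhenNTLMOnly') {
    # The DWORD under the policy root switches the list on; the subkey holds the entries.
    $enabled  = (Get-ItemProperty -Path $PolicyRoot -Name $list -ErrorAction SilentlyContinue).$list
    $patterns = Get-DelegationList -ListName $list
    $result   = Test-SpnDelegation -Spn $TargetSpn -Patterns $patterns
    "{0}: enabled={1} entries={2} allowed={3} matchedBy='{4}' tooBroad={5}" -f `
        $list, [bool]$enabled, $patterns.Count, $result.Allowed, $result.MatchedBy, $result.TooBroad
}
```

An entry scoped to the specific service class and host keeps single sign-on working while limiting where default credentials can be delegated; `tooBroad=True` is worth tightening even when the connection succeeds.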

All replies

  • Hello James,

    First, a big "thank you" for your very clear explanation! Below I will explain exactly the steps I do; hopefully this gives you an idea of my error :)

    Some Details:

    Hyper-V Host:

    OS: Windows 2K8 / 64bit / SP1

    Here is a screenshot of the Hyper-V version

    SCVMM Host:

    OS: Windows 2K8 / 64bit / SP1

    Here is a screenshot of the SCVMM version

    First Scenario:

    1. Logon to Hyper-V Host
    2. Open Hyper-V Console
    3. Double-click a Virtual Machine
    4. I can log on to the machine with a domain account and select the domain I want to use

    Here you can see a screenshot


    Second Scenario:

    1. Open SSC (http://10.10.10.126:8080)
    2. Login with my user credentials
    3. Select the VM that I want to connect to via RDP
    4. Click on the "connect through Remotedesktop" button

    Here you can see a screenshot



    5. I cannot log on to the machine with a domain account and I cannot select the domain I want to use.

    Here you can see a screenshot



    Hopefully this is clear enough; my English isn't very good, so I have to work with arms and feet to give others an understanding of my issue :)

    Kind regards,
    Matthias
    Tuesday, December 16, 2008 8:16 AM