SSO with Microsoft Virtual Server VMRC protocol

Hi,

I would like to publish the Microsoft Virtual Server 2005 R2 website through the IVE. Here is what I have done:

1. I created a Web bookmark for the Virtual Server 2005 website (https://vs-host1/VirtualServer/VSWebApp.exe)
2. The web server is not part of the domain but belongs to a workgroup. To provide a smooth user experience, I created a "BasicAuth and NTLM policy" that automatically sends the Administrator credentials of the server when the web bookmark is accessed through NTLM.
3. The access to the virtual machine is implemented through an ActiveX control (Virtual Machine Remote Control client)
4. This ActiveX control tries to connect to the Virtual Server machine through port TCP 5900.
5. To allow the control to connect I implemented a JSAM policy that publishes port 5900 of the respective host.

Everything works fine except one thing: The VMRC protocol uses either Kerberos or NTLM to authenticate. When the VMRC connection is established an authentication window opens where I have to provide the server credentials (VMRC Negotiate Authentication). These credentials are the same as the one needed to open the website.

But contrary to the website, there seems no possibility to me to provide SSO for the VMRC protocol through JSAM. Does anyone see a method to cope with this? I would like to avoid that the user has to enter server credentials.

Regards,
Dominik
Re: SSO with Microsoft Virtual Server VMRC protocol

Dominick, did you ever get any more information related to this? I'm attempting to do the same thing, but I'm not using JSAM, I'm using WSAM. When I connect to my Virtual Server web interface I am able to get to the list of virtual machines, but when I try to remote control one of them it simply says Not Connected on the virtual machine remote control window.
Can you share any details about how to get this to work?
Re: SSO with Microsoft Virtual Server VMRC protocol

Hi,

According to your post I understand that you would like to have some explanation how I published my Microsoft Virtual Server 2005 R2 website with the help of JSAM. Is that correct?

Well first let me mention the specifications:

1. The FQDN of my Virtual Server machine is vs-host1.geblergasse95.local
2. I configured the website to listen on the default port 443 by SSL in addition to the default port number 1024. You have to adapt the settings in my explanation if you use http instead of https and port 1024 instead of 443
3. I didn't change the port tcp/5900 for the VMRC protocol

Here is what I have done:

1. I created a web bookmark with the url https://vs-host1.geblergasse95.local
2. I activated the "Auto-allow Bookmark" option with the parameter "Everything under this URL" to bypass the need for creating an allow rule manually.
3. I wanted that every user should log on to the Virtual Server website with the built-in Administrator account of the machine. To provide a smooth user experience, I used the SSO feature. I created a policy under Resource Policy > Web > BasicAuth and NTLM policies. I called it "Enable logon to vs-host1", defined https://vs-host1.geblergasse95.local:443/* as the resource and set the Action to NTLM, Use Specified Credentials for SSO and provided the Username, Password, and domain of the built-in Administrator account of the machine. Don't forget to enable "Integrated Windows Authentication" for the VS website in the Internet Information server.
4. To come to the JSAM part, I created a resource policy to allow the access to vs-host1.geblergasse95.local over port 5900.
5. Then I added a JSAM application under the User role with name "vs-host1" and specified vs-host1.geblergasse95.local as hostname and Server Port = Client Port = 5900.
6. Now when I start JSAM through the web portal I am able to both open the VS website through the web bookmark without providing user credentials and access the server through the VMRC ActiveX control.

I haven't activated the option to automatically launch JSAM through the web bookmark but it should work fine.

It should work the very same way if you use WSAM instead of JSAM. If you experience problems with the [JW]sam part, I would recommend the following basic diagnosing steps:

1. Can you resolve the name of the virtual server host on your client? Try ping. If it doesn't work check the hosts file under %Systemroot%\system32\drivers\etc.
2. Can you connect to the port 5900? You can use telnet hostname 5900 to check that. If it displays a blank screen it works.
3. Check the User access log file on the IVE under System / Log/Monitoring / User Access / Log. You have to first activate the SAM logging under System / Log/Monitoring / User Access / Settings. Enable SAM/Java under Select Events to log.
4. Check the local WSAM logs. They should reside on your machine under the %Userprofile%\Application Data\Juniper Networks\Secure Application Manager and are named dsSamEvent.log and dsSamDebug.log. You have to enable client side logging for WSAM on the IVE under System / Log/Monitoring / Client Logs / Settings.

I hope that helps.

Regards,
Dominik
Re: SSO with Microsoft Virtual Server VMRC protocol

Gotcha, well I'm seeing a little bit different behavior. I'm not sure if I'm doing something wrong or not, but here is what I'm seeing:
When I use the web resource, and I have created a WSAM destination allowing *:5900, I am able to bring up the list of virtual machines (which for me works over HTTP on port 1024) but when I select a virtual machine for VMRC it is not able to connect on port 5900. The WSAM client logs the following message:
"connection failed to host 255.255.255.255:5900: Failed to connect to server"
On the upside I was finally able to get something working by creating an additional WSAM destination for *:1024. This doesn't use the web resource at all, but allows me to use my browser to connect to the web interface. One thing that bears mentioning here is that I can ONLY connect to my virtual server using the FQDN not just the machine name (so http://vserver02.trcr.com:1024/ works, but http://vserver02:1024 does not work for some reason). Using the FQDN of the server I can connect and I can ALSO then connect to the VMRC. The only thing about this solution is that it prompts me for a username and password for the VMRC.
Did you ever get the SSO working for your VMRC on port 5900?
Re: SSO with Microsoft Virtual Server VMRC protocol

Hi,

I'm glad to hear that your solution with WSAM finally worked. I was not able to get SSO for the VMRC protocol working. I think the IVE would need special support for that protocol.

255.255.255.255 is the global broadcast address. I find it strange to see WSAM trying to connect to it. Have you had a look at the WSAM application definition?

I would generally recommend using the FQDN of a server in every resource definition compared to just the hostname. You can use the IVE's troubleshooting tools to see if the hostname without the domain part can be successfully resolved to its IP address. In that case, just the hostname should be fine. In addition, it may help to provide a WINS server if you have one in you network to resolve NetBIOS names.

Regards,
Dominik
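The diagnostic steps Dominik lists (name resolution, the telnet check on port 5900, reading dsSamEvent.log) and the 255.255.255.255 failure discussed in the replies above, turned into one small check script. This is an added example, not code from the thread or from Juniper; the log lines, the regular expression for the WSAM message and the cause labels are assumptions based on the single log line quoted in the thread.

```python
import re
import socket

# Constructed sample lines in the style of the WSAM dsSamEvent.log message
# quoted in the thread; not a real log excerpt.
SAMPLE_LOG = """\
connection to host vs-host1.geblergasse95.local:5900 succeeded
connection failed to host 255.255.255.255:5900: Failed to connect to server
connection failed to host vserver02:5900: Failed to connect to server
"""

# Assumed message shape, derived from the one line quoted in the thread.
FAILED_RE = re.compile(
    r"connection failed to host (?P<host>[^:\s]+):(?P<port>\d+): (?P<reason>.+)"
)
BROADCAST = "255.255.255.255"


def parse_failures(log_text):
    """Extract (host, port, reason) from every failed-connection line."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures.append((m.group("host"), int(m.group("port")), m.group("reason")))
    return failures


def resolve(hostname):
    """Step 1 of the thread: can the client resolve the name? Returns IP or None."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def port_open(host, port, timeout=3.0):
    """Step 2 of the thread: the 'telnet hostname 5900' check without telnet."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def classify(host, port):
    """Map a failed target to the most likely cause discussed in the thread."""
    if host == BROADCAST:
        return "broadcast"    # SAM destination or rewriter produced an unusable address
    if "." not in host:
        return "short-name"   # use the FQDN in the bookmark and SAM destination
    if resolve(host) is None:
        return "unresolved"   # fix DNS or the hosts file
    if not port_open(host, port):
        return "port-closed"  # SAM tunnel not up, or the server is not listening
    return "unknown"


def diagnose(log_text):
    """Run classify() over every failure in a WSAM log, keyed by host:port."""
    return {f"{h}:{p}": classify(h, p) for h, p, _ in parse_failures(log_text)}
```

Run diagnose() over the real dsSamEvent.log text to get one cause label per failed target; the broadcast and short-name cases need no network access, the other two do.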
Re: SSO with Microsoft Virtual Server VMRC protocol

Well, thanks for your help. I've opened a support case with Juniper, so maybe they will be able to find a way to get the VMRC SSO working.
I think the 255.255.255.255 address is coming back as part of the application re-writing process for the web resource. I'm not sure of that, but it is the only thing I can come up with. There is definitely nothing in the web resource definition that would be giving it 255.255.255.255 as an address, or in the WSAM destinations.
The issue with using just the hostname isn't a big deal, but it is still strange. The name resolution functions correctly, b/c it returns the IP of the device in the WSAM client log. The only reason I wanted to use just the hostname is b/c by using the hostname alone you can use passthrough authentication, and then it doesn't ask you for a password for the 1024 site, or for the VMRC. Realistically the passthrough authentication may be the exact reason the site doesn't work using just the hostname.
In any case if I find out anything from Juniper support I'll let you know. Thanks!