Page 1 of 2

External authentication not working on VRDP

Posted: 3. Jun 2009, 16:02
by avok00
00:05:07.627 VRDPAUTH: User: [inka]. Domain: []. Authentication type: [External]
00:05:07.628 VRDPAUTH: ConsoleVRDPServer::Authenticate: loading external authentication library 'VRDPAuth'
00:05:07.630 VRDPAUTH: Could not resolve import 'VRDPAuth2'. Error code: VERR_SYMBOL_NOT_FOUND
00:05:07.630 VRDPAUTH: Using entry point 'VRDPAuth'.
00:05:07.631 VRDPAUTH: external authentication module returned 'access denied'
00:05:07.631 VRDPAUTH: Access denied.

The users has all rights but he cannot login. no user can login, always 'access denied'

Host VIsta Business SP1. guest windows XP SP3, VirtualBox 2.2.4 r47978 win.amd64 (May 29 2009 18:44:42) release
This is also true for all versions up to the latest 3.04

Re: External authentication not working on VRDP - 2.2.4

Posted: 8. Sep 2009, 19:36
by avok00
Can anyone explain why the bug ticket on this issue stayed open for two months and no one is paying any attention to it?

http://www.virtualbox.org/ticket/4406

Re: External authentication not working on VRDP

Posted: 8. Sep 2009, 20:42
by Perryg
Well no I can't but if you put the (.virtualbox folder) that has the file (VRDPAuth.dll) in your path statement on Vista it will work.

Re: External authentication not working on VRDP

Posted: 8. Sep 2009, 23:26
by Sasquatch
User Manual, chapter 7.4.4 wrote: The "external" method provides external authentication through a special authentication library.
VirtualBox comes with two default libraries for external authentication:
  • On Linux hosts, VRDPAuth.so authenticates users against the host's PAM system.
  • On Windows hosts, VRDPAuth.dll authenticates users against the host's WinLogon system.
In other words, the "external" method per default performs authentication with the user accounts that exist on the host system. Any user with valid authentication credentials is accepted, i.e. the username does not have to correspond to the user running the VM.

Re: External authentication not working on VRDP

Posted: 9. Sep 2009, 11:01
by avok00
Perryg wrote:Well no I can't but if you put the (.virtualbox folder) that has the file (VRDPAuth.dll) in your path statement on Vista it will work.
Thanks pal, but it won't work :(

I put vbox home C:\Program Files\Sun ... where this VRDPAuth.dll is to windows user path, tried system path, I tested it, I was able to run the vbox command line tools from everywhere.

But when trying external VRDP I still get this in the logs

00:10:40.057 VRDP: Client seems to be MSFT.
00:10:40.057 VRDP: Logon: BORIS-HAMANOV (192.168.180.111) build 6002. User: [inka] Domain: [] Screen: 0
00:10:40.058 VRDPAUTH: User: [inka]. Domain: []. Authentication type: [External]
00:10:40.059 VRDPAUTH: ConsoleVRDPServer::Authenticate: loading external authentication library 'VRDPAuth'
00:10:40.088 VRDPAUTH: Could not resolve import 'VRDPAuth2'. Error code: VERR_SYMBOL_NOT_FOUND
00:10:40.100 VRDPAUTH: Using entry point 'VRDPAuth'.
00:10:40.101 VRDPAUTH: external authentication module returned 'access denied'
00:10:40.101 VRDPAUTH: Access denied.
00:10:40.101 VRDP: Connection closed:


The user has full administrative rights

Re: External authentication not working on VRDP

Posted: 9. Sep 2009, 15:00
by Perryg
What are the guest settings for VM that you are trying to access? IE: the server port? By default it is 3389 and more than likely is in conflict with one that is already setup for MS remote.

Also you do not RDP into the VM. You VRDP into the host with the connection port. (just in case you are not familiar with it) 192.168.1.2:3390 where the 192.168.1.2 is the host IP not the guest IP.

Also after you set the path you did reboot the host machine, right?

Finally the user name and password are the user name and password for the host and not the VM. You do not need to be admin just in the user group of the host.

Re: External authentication not working on VRDP

Posted: 9. Sep 2009, 17:06
by avok00
Perryg wrote:What are the guest settings for VM that you are trying to access? IE: the server port? By default it is 3389 and more than likely is in conflict with one that is already setup for MS remote.

Also you do not RDP into the VM. You VRDP into the host with the connection port. (just in case you are not familiar with it) 192.168.1.2:3390 where the 192.168.1.2 is the host IP not the guest IP.

Also after you set the path you did reboot the host machine, right?

Finally the user name and password are the user name and password for the host and not the VM. You do not need to be admin just in the user group of the host.
Thank you for the information, I was not aware that the user must not be admin, this is good to know.

The rest I know, I connect succesfully to the VRDP, it works if I set the authentication to null. But this is not secure at all :) And in external authenthication mode it fails to authenticate me and it does this immediately even before the RD client had the chance to actually send the password.

It even worked a couple of times, then is stopped, then worked again. I guess it is another bug in the Vbox

Re: External authentication not working on VRDP

Posted: 9. Sep 2009, 17:07
by Sasquatch
I just tested the external on my Linux Host, with a Windows XP VM and it works just fine. I used the following command to connect to the VM:

Code: Select all

rdesktop-vrdp localhost -u sasquatch -p -
I use the supplied vrdp rdesktop version from VB, but the normal rdesktop would work just as well. The '-u' is for the user name, the '-p -' is to ask for my password before the connection is made. On Windows Hosts, you have the same kind of options. This is what I get in my VM log. Note that the first and last tries were without the explicit password or username for the connection:

Code: Select all

00:00:24.089 VRDP: New connection: 
00:00:24.113 VRDP: Flags 0x00000003
00:00:24.114 VRDP: Channel: [cliprdr] [1004]. Accepted.
00:00:24.116 VRDP: Client seems to be rdesktop.
00:00:24.116 VRDP: Logon: Lain (127.0.0.1) build 2600. User: [sasquatch] Domain: [] Screen: 0
00:00:24.116 VRDPAUTH: User: [sasquatch]. Domain: []. Authentication type: [External]
00:00:24.116 VRDPAUTH: ConsoleVRDPServer::Authenticate: loading external authentication library 'VRDPAuth'
00:00:24.126 VRDPAUTH: Could not resolve import 'VRDPAuth2'. Error code: VERR_SYMBOL_NOT_FOUND
00:00:24.126 VRDPAUTH: Using entry point 'VRDPAuth'.
00:00:27.707 VRDPAUTH: external authentication module returned 'access denied'
00:00:27.707 VRDPAUTH: Access denied.
00:00:27.708 VRDP: Connection closed: 
00:00:27.708 VRDP: Logoff: Lain (127.0.0.1) build 2600. User: [sasquatch] Domain: [] Reason 0x0001.
00:00:56.317 VRDP: New connection: 
00:00:56.335 VRDP: Flags 0x00000003
00:00:56.336 VRDP: Channel: [cliprdr] [1004]. Accepted.
00:00:56.338 VRDP: Client seems to be rdesktop.
00:00:56.339 VRDP: Logon: Lain (127.0.0.1) build 2600. User: [sasquatch] Domain: [] Screen: 0
00:00:56.340 VRDPAUTH: User: [sasquatch]. Domain: []. Authentication type: [External]
00:00:56.418 VRDPAUTH: external authentication module returned 'access granted'
00:00:56.418 VRDPAUTH: Access granted.
00:00:56.419 VBVA: VRDP acceleration has been requested.
00:01:08.149 VRDP: Received the Disconnect Request packet.
00:01:08.149 VRDP: Connection closed: 
00:01:08.149 VRDP: Logoff: Lain (127.0.0.1) build 2600. User: [sasquatch] Domain: [] Reason 0x0001.
00:01:08.149 VRDP: TCP server failed to send data to the client!!! Disconnecting the client.
00:01:08.149 VBVA: VRDP acceleration has been disabled.
00:01:11.960 VRDP: New connection: 
00:01:11.975 VRDP: Flags 0x00000003
00:01:11.976 VRDP: Channel: [cliprdr] [1004]. Accepted.
00:01:11.979 VRDP: Client seems to be rdesktop.
00:01:11.979 VRDP: Logon: Lain (127.0.0.1) build 2600. User: [sasquatch] Domain: [] Screen: 0
00:01:11.980 VRDPAUTH: User: [sasquatch]. Domain: []. Authentication type: [External]
00:01:15.205 VRDPAUTH: external authentication module returned 'access denied'
00:01:15.205 VRDPAUTH: Access denied.
00:01:15.205 VRDP: Connection closed: 
00:01:15.205 VRDP: Logoff: Lain (127.0.0.1) build 2600. User: [sasquatch] Domain: [] Reason 0x0001.

Re: External authentication not working on VRDP

Posted: 14. Sep 2009, 00:00
by avok00
Sasquatch wrote:I just tested the external on my Linux Host, with a Windows XP VM and it works just fine. I used the following command to connect to the VM:

Code: Select all

rdesktop-vrdp localhost -u sasquatch -p -
I use the supplied vrdp rdesktop version from VB, but the normal rdesktop would work just as well. The '-u' is for the user name, the '-p -' is to ask for my password before the connection is made. On Windows Hosts, you have the same kind of options. This is what I get in my VM log. Note that the first and last tries were without the explicit password or username for the connection:
The guy from Virtualbox development that looked into my logs said that for some reason the external auth modules fails. But he doesn't know why.

I guess the problem is with some custom setting on my side.

My system if fairly standard, it is used as a server, so almost no additional software installed, default settings mostly. One setting I can think of that is likely to affect it is System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" That is turned on in my system. For more information, plese refer to http://support.microsoft.com/kb/811833

I cannot turn that off due to security policies and current configurations. If somebody can test this, please do and post the result here. I also updated the bug status - http://www.virtualbox.org/ticket/4406

Re: External authentication not working on VRDP

Posted: 14. Sep 2009, 12:17
by Sasquatch
So you have also tried to connect to the VRDP server with already filled in username and password? From my tests, if either one is missing, the connection will be refused.

Re: External authentication not working on VRDP

Posted: 14. Sep 2009, 21:29
by avok00
Sasquatch wrote:So you have also tried to connect to the VRDP server with already filled in username and password? From my tests, if either one is missing, the connection will be refused.
If it refuses the connection before asking for the password, how can it know if you have the password :)
Maybe your test results have something to do with NLA (http://en.wikipedia.org/wiki/Network_Le ... entication)

Anyway for Vista RDP client I managed to solve the problem the following way:

Go to Control Panel\User Accounts - Manage your network passwords. This will give you options to Store your credentials for servers.
Just Add the TERMSRV/IPaddress|host of the sever or name you need to Log on to and Username and Password.
Select "A Web site or program Credential" as credential type and OK. (Save and exit)

This makes Vista save the password permanently and then it works with Virtual box VRDP. If I don't do this and try to connect, VIsta RDP client still asks me for user and password before the actual connection attempt (or at least it looks that way) but then it won't work. Very strange.

Unfortunately this trick is not for Windows XP. I tried with XP SP3, even enabled NLA, but no luck, it asks me for user and password, I tick the box that saves them, they are remembered successfuly. Still if fails to connect.

rdesktop is not for windows I am afraid

I don't know what to do :shock:

Re: External authentication not working on VRDP

Posted: 14. Sep 2009, 22:37
by Sasquatch
I know what you can do: report this as a bug in the Bugtracker (separate account needed). This isn't normal behaviour, the external authentication should ask for credentials, instead of waiting for them to be supplied and if they aren't, refuse the connection.

Re: External authentication not working on VRDP

Posted: 14. Sep 2009, 22:50
by Perryg
You know I remember having a problem similar to this. But the OP said that he could connect using <null> and I don't remember if that was the case for me or not. The problem that I found in the end was I needed to use a different port, still don't know why because it worked and I simply took it for what it was. The symptoms were the same right down to an immediate refusal. Once I changed to a different port I got the user name and password prompt.

Re: External authentication not working on VRDP

Posted: 14. Sep 2009, 23:04
by Sasquatch
Well, I just tested it with two VMs, one with VRDP enabled, the other playing the RDP client. Both were Windows XP, and because my host is Linux, I don't have port 3389 in use so that's ruled out of the equation. Now, when I tried to connect to my Host for the VRDP, it never asked for my username and password, but instead gave me two errors. Attached are the two errors I got, the last one is really strange because neither side has run out of memory (VMs have 512, and about 100 MB in use, Host has 3 GB of RAM, with more than 2 left).

Re: External authentication not working on VRDP

Posted: 14. Sep 2009, 23:19
by avok00
Sasquatch wrote:Well, I just tested it with two VMs, one with VRDP enabled, the other playing the RDP client. Both were Windows XP, and because my host is Linux, I don't have port 3389 in use so that's ruled out of the equation. Now, when I tried to connect to my Host for the VRDP, it never asked for my username and password, but instead gave me two errors. Attached are the two errors I got, the last one is really strange because neither side has run out of memory (VMs have 512, and about 100 MB in use, Host has 3 GB of RAM, with more than 2 left).
Thanks! Those are exactly the errors I get. So, this is not isolated case, only about my system! Please, update the bug here - http://www.virtualbox.org/ticket/4406 with your information, that should make them take this more seriously, I hope :roll: