External authentication access rights required
Posted: 13. May 2009, 20:16
by avok00
Hi,
I want a remote RDP user to only be able to access VBox guests and not the host OS. For this purpose I created a new group and added a user to it. I tried to log in with this user to VRDP of one of the guests I am running, but no luck. I got
04:25:34.214 VRDPAUTH: User: [someuser]. Domain: []. Authentication type: [External]
04:25:34.215 VRDPAUTH: external authentication module returned 'access denied'
04:25:34.215 VRDPAUTH: Access denied.
04:25:34.215 VRDP: Connection closed:
Obviously the user has to have some permissions on the host system granted to him. The question is what? I don't want to give him any more than needed.
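The log excerpt in the post above can be audited mechanically. The following is an added example, not part of the original thread or of VirtualBox: it pairs each `VRDPAUTH: User:` line with a following `Access denied.` line and counts denials per account. The sample log is constructed in the format of the excerpt (the second user and the LAB domain are made up), and only the line formats visible in the post are parsed.

```python
import re
from collections import Counter

# Constructed sample in the format of the log excerpt quoted in the post
# (otheruser and the LAB domain are made-up values).
SAMPLE_LOG = """\
04:25:34.214 VRDPAUTH: User: [someuser]. Domain: []. Authentication type: [External]
04:25:34.215 VRDPAUTH: external authentication module returned 'access denied'
04:25:34.215 VRDPAUTH: Access denied.
04:25:34.215 VRDP: Connection closed:
04:31:02.100 VRDPAUTH: User: [otheruser]. Domain: [LAB]. Authentication type: [External]
04:31:09.480 VRDPAUTH: User: [someuser]. Domain: []. Authentication type: [External]
04:31:09.481 VRDPAUTH: external authentication module returned 'access denied'
04:31:09.481 VRDPAUTH: Access denied.
"""

ATTEMPT = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3}) VRDPAUTH: User: \[(?P<user>[^\]]*)\]\. "
    r"Domain: \[(?P<domain>[^\]]*)\]\. Authentication type: \[(?P<type>[^\]]*)\]")
DENIED = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3} VRDPAUTH: Access denied\.")

def denied_attempts(log_text):
    """Return one dict per authentication attempt that ended in 'Access denied.'"""
    denied, pending = [], None
    for line in log_text.splitlines():
        m = ATTEMPT.match(line)
        if m:
            pending = m.groupdict()      # newest attempt awaiting a verdict
        elif DENIED.match(line) and pending:
            denied.append(pending)
            pending = None               # one verdict per attempt
    return denied

def denied_by_account(log_text):
    """Count denials per (domain, user) to spot repeated failures."""
    return Counter((d["domain"], d["user"]) for d in denied_attempts(log_text))

if __name__ == "__main__":
    for (domain, user), n in denied_by_account(SAMPLE_LOG).most_common():
        print(f"{domain or '-'}\\{user}: {n} denied")
```

Attempts with no `Access denied.` line before the next attempt are treated as not denied, since the thread does not show what a successful login looks like in the log.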
Re: External authentication access rights required
Posted: 13. May 2009, 22:21
by vbox4me2
Don't use vrdp, stick with rdp or vnc, and use authentication from the Guest OS, much easier. Or add a radius server if you need a bit more.
Re: External authentication access rights required
Posted: 13. May 2009, 23:49
by avok00
vbox4me2 wrote: Don't use vrdp, stick with rdp or vnc, and use authentication from the Guest OS, much easier. Or add a radius server if you need a bit more.
I have a lot of very different guest OSes. Mainly Windows for now, but in the future there could be some Unix or even Mac OS. I don't think it is a good idea to rely on their RDP. Windows XP RDP is older and less secure and VNC is even worse. And I want one client for all of them too. Using internal guest authentication is also less secure and more problematic. I would have to manage too many different users and I have A LOT of guest OSes. And how does the RADIUS server fit into the whole picture?
Re: External authentication access rights required
Posted: 13. May 2009, 23:58
by vbox4me2
Radius is OS universal and can be linked into AD or NDS.
An RDP server is also present in a lot of Linux OSes, and RDP is far superior to VNC.
Securing RDP is as simple as installing stunnel.
There is nothing wrong with rdp, I have clients running in 32bit depth mode for autocad on 22" screens.
Re: External authentication access rights required
Posted: 14. May 2009, 09:07
by avok00
vbox4me2 wrote: Radius is OS universal and can be linked into AD or NDS.
An RDP server is also present in a lot of Linux OSes, and RDP is far superior to VNC.
Securing RDP is as simple as installing stunnel.
There is nothing wrong with rdp, I have clients running in 32bit depth mode for autocad on 22" screens.
Thanks, I will consider that, but back to my original question, what are the needed permissions for external authentication module to allow a user through VRDP?
Re: External authentication access rights required
Posted: 18. May 2009, 19:44
by avok00
I granted the user the right to log on using remote desktop on the host system. That did the trick!
Re: External authentication access rights required
Posted: 7. Jun 2009, 08:17
by johnnyxia
Here is my configuration:
Host OS: WinXP
Vbox: 2.2.4, choose "External" for authentication
Guest OS: Ubuntu 9.04
RDP Client: built-in with WinXP, 6.0
I found that you always need to check the box "Always ask for credentials" when using the RDP client to connect to the VRDP server. Otherwise the connection always fails. I didn't investigate this issue deeply, but my guess is that the VRDP server isn't like MS Terminal Services, which can present a login dialog to the RDP client. The VRDP server requires the client to send the user's credentials in the initial request. If the VRDP server doesn't receive the user's credentials, it just closes the connection abruptly. Without the box checked, the RDP client expects the RDP server to send a login screen. This mismatch causes the failure.
Hope this info is helpful.
Regards,
Johnny