VM keeps credentials of creator

Discussions related to using VirtualBox on Windows hosts.
Mr Jolly
Posts: 5
Joined: 13. Oct 2014, 16:39

VM keeps credentials of creator

Post by Mr Jolly »

I have created a VM which is imported to an ICT suite (Windows Domain with Server 2008/12 and Windows 7) with both host and guest operating systems as Windows 7 32-bit, VirtualBox 4.3.12.

The VM was created by Admin account but when used by pupil accounts the proxy / web filter identifies the user as Admin rather than the pupil account that is logged in at the time.

This happens with the NIC set to either NAT or Bridged ( so I have had to change them to Host Only for the time being ).

Is there a way to force the VM or VirtualBox to use the currently logged on user ( on the host ) as the authenticated user for the internet ?
mpack
Site Moderator
Posts: 39134
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: Mostly XP

Re: VM keeps credentials of creator

Post by mpack »

If you're using NAT then by definition you're using the host's network connection and will appear from the outside to be the host. In this case the VM is the same as any other network-aware app running on the host PC, and is a primary reason for choosing NAT.

I would not have expected the same behaviour with "bridged". In fact I'd venture to say that it's impossible and you should check again. Bridged implements an entirely independent protocol stack, down to the NIC driver level.
socratis
Site Moderator
Posts: 27329
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: VM keeps credentials of creator

Post by socratis »

Mr Jolly wrote: Is there a way to force the VM or VirtualBox to use the currently logged on user ( on the host ) as the authenticated user for the internet ?
Maybe I read the OP differently, but what I think he means is: if I log in to the host as "socratis" and then launch the VM, the traffic from the VM does not come with the credentials of "socratis" but as "Admin", the same user that created the VM.

Mr Jolly, are you using the same VM for all pupils with auto-login enabled?
Do NOT send me Personal Messages (PMs) for troubleshooting, they are simply deleted.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
Mr Jolly
Posts: 5
Joined: 13. Oct 2014, 16:39

Re: VM keeps credentials of creator

Post by Mr Jolly »

if I log in the host as "socratis" and then launch the VM, the traffic from the VM does not come with the credentials of "socratis" but as "Admin", the same user that created the VM.
Yes, this!!! Didn't know if anyone would get what I was talking about. Yes, it's the same VM; I created it and exported the appliance to a shared network drive so that I could use VBoxManage to deploy it to the 70-odd workstations that require it.

Have I done something in the creation to cause this ?
Martin
Volunteer
Posts: 2562
Joined: 30. May 2007, 18:05
Primary OS: Fedora other
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: XP, Win7, Win10, Linux, OS/2

Re: VM keeps credentials of creator

Post by Martin »

The VM is a complete independent PC.
So the Windows inside the VM doesn't care who is running the host, it just logs on as it is configured.
Do all the pupils logon to the VM with their own credentials?
Mr Jolly
Posts: 5
Joined: 13. Oct 2014, 16:39

Re: VM keeps credentials of creator

Post by Mr Jolly »

The VM has a generic user (called user) as the only logon with no password, so it logs on automatically. It has two shared drives, the user's network documents and an area shared with all users.
mpack
Site Moderator
Posts: 39134
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: Mostly XP

Re: VM keeps credentials of creator

Post by mpack »

So the scenario is reversed with respect to what I thought was intended, but the rules are the same: NAT means you are using the host internet connection, bridged means the guest is entirely independent and you should treat the guest VM as you would a separate PC - which e.g. means logging on to it properly.
Mr Jolly
Posts: 5
Joined: 13. Oct 2014, 16:39

Re: VM keeps credentials of creator

Post by Mr Jolly »

Thanks for the recap, it made me wonder whether the authentication of the mapped shared drives has something to do with the validation errors. Could the VM hold on to these credentials as part of the 'export appliance' process ?
Martin
Volunteer
Posts: 2562
Joined: 30. May 2007, 18:05
Primary OS: Fedora other
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: XP, Win7, Win10, Linux, OS/2

Re: VM keeps credentials of creator

Post by Martin »

The "export appliance" doesn't change anything inside the guest, so everything you defined/configured inside the guest Windows will stay.
socratis
Site Moderator
Posts: 27329
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: VM keeps credentials of creator

Post by socratis »

Think of it like that:
  • You have a room with a locker per student. Every student has their own key (login credentials).
  • Each locker contains an identical laptop (the VM).
  • The laptops connect to the internet, either via public wall sockets (Bridged), or by a wall socket in their own locker (NAT).
  • The traffic from their own locker (NAT) can be traced back to them.
  • The web traffic after they log in to their proxy/webfilter will be traced back to whatever credentials were provided to the proxy/webfilter.
  • Since the credentials are the same (remember, identical laptops), the web traffic will show up with those same credentials.
Solution: Do not use pre-defined credentials in the VM, but let each student provide them at runtime.
Mr Jolly
Posts: 5
Joined: 13. Oct 2014, 16:39

Re: VM keeps credentials of creator

Post by Mr Jolly »

I'm not sure what 'pre-defined' credentials you mean. There were none input by me directly so I can only assume it is related to the shared drives. The students are not allowed to do anything to the VM as it is set to be immutable and they can't have access to the VB Gui either as there are other VMs for other purposes that they are not allowed access to.

I will have to try making a new VM on a non-networked pc so it doesn't pick up any 'bad-habits' from its creator account.

Thanks for your input so far.
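
A read-only check for the kind of guest image discussed in this thread, added here as an example and not posted by any participant: it lists the identities the guest Windows itself has stored (auto-logon, Credential Manager entries, persistent drive mappings), which an exported appliance carries unchanged to every copy. It assumes PowerShell is run inside the guest as the account the VM logs on with, and that `cmdkey` prints English output.

```powershell
# Added example: run INSIDE the guest before "export appliance". Changes nothing.
$findings = @()

# 1. Auto-logon values under Winlogon, if they were configured in the image.
$wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ($wl.AutoAdminLogon -eq '1') {
    $findings += New-Object PSObject -Property @{
        Source = 'Winlogon auto-logon'
        Target = 'interactive logon'
        User   = ('{0}\{1}' -f $wl.DefaultDomainName, $wl.DefaultUserName)
    }
}

# 2. Credential Manager entries saved for servers, shares or proxies.
#    Parsing assumes the English "Target:" / "User:" labels.
$target = $null
foreach ($line in (cmdkey /list)) {
    if ($line -match '^\s*Target:\s*(.+)$') {
        $target = $Matches[1].Trim()
    } elseif ($target -and $line -match '^\s*User:\s*(.+)$') {
        $findings += New-Object PSObject -Property @{
            Source = 'Credential Manager'
            Target = $target
            User   = $Matches[1].Trim()
        }
        $target = $null
    }
}

# 3. Persistent drive mappings; UserName is set when a drive was mapped
#    with explicit credentials rather than the logged-on identity.
if (Test-Path 'HKCU:\Network') {
    foreach ($key in (Get-ChildItem 'HKCU:\Network')) {
        $p = Get-ItemProperty -Path $key.PSPath
        $findings += New-Object PSObject -Property @{
            Source = ('Mapped drive {0}:' -f $key.PSChildName)
            Target = $p.RemotePath
            User   = $p.UserName
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No stored logon, credential or drive-mapping identities found.'
} else {
    $findings | Select-Object Source, Target, User | Format-Table -AutoSize
}
```

Any row naming the account that built the image is an identity every deployed copy will present, whichever pupil is logged on to the host.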