VirtualBox

Ticket #4406 (new defect)

Opened 5 years ago

Last modified 12 months ago

External authentication not working on VRDP

Reported by: avok00 Owned by:
Priority: major Component: RDP
Version: VirtualBox 3.0.0 Keywords: external authentication login access denied user rights
Cc: Guest type: Windows
Host type: Windows

Description

I could not get external auth to work

The user has all rights but he cannot login. no user can login with VRDP, always 'access denied'

I am attaching the log, you can see some other errors there in the external auth module.

Host Vista Business SP1. guest windows XP SP3, VirtualBox 3

Attachments

IvankaCh XP Pro 32-2009-07-06-12-29-45.log Download (59.7 KB) - added by avok00 5 years ago.
You can see the authentication failure here
Velin Vista Ult 32-2009-09-15-14-31-38.log Download (38.9 KB) - added by avok00 5 years ago.
one failed and one successful attempt

Change History

Changed 5 years ago by avok00

You can see the authentication failure here

comment:1 Changed 5 years ago by avok00

This also continues with latest version 3.0.4 !!! Do you have any intention of fixing it?

comment:2 Changed 5 years ago by sunlover

I can't reproduce the problem. External authentication works here with Vista host.

Do you run VBox as standard user or as administrator? Is UAC enabled or disabled on your host?

comment:3 follow-up: ↓ 4 Changed 5 years ago by avok00

I run it with administrative user, UAC is disabled.

Is this error normal: Could not resolve import 'VRDPAuth2'. Error code: VERR_SYMBOL_NOT_FOUND

00:10:40.057 VRDP: Client seems to be MSFT. 00:10:40.057 VRDP: Logon: BORIS-HAMANOV (192.168.180.111) build 6002. User: [inka] Domain: [] Screen: 0 00:10:40.058 VRDPAUTH: User: [inka]. Domain: []. Authentication type: [External] 00:10:40.059 VRDPAUTH: ConsoleVRDPServer::Authenticate: loading external authentication library 'VRDPAuth' 00:10:40.088 VRDPAUTH: Could not resolve import 'VRDPAuth2'. Error code: VERR_SYMBOL_NOT_FOUND 00:10:40.100 VRDPAUTH: Using entry point 'VRDPAuth'. 00:10:40.101 VRDPAUTH: external authentication module returned 'access denied' 00:10:40.101 VRDPAUTH: Access denied. 00:10:40.101 VRDP: Connection closed:

comment:4 in reply to: ↑ 3 Changed 5 years ago by sunlover

Replying to avok00:

I run it with administrative user, UAC is disabled.

Same here.

Is this error normal: Could not resolve import 'VRDPAuth2'. Error code: VERR_SYMBOL_NOT_FOUND

Yes, it is normal. 'VRDPAuth2' is an alternative entry point of the auth library. VBox uses either VRDPAuth or VRDPAuth, whatever is available. BTW, in latest VBox the "error" message is not logged anymore.

The default auth library on Windows uses LogonUser API with dwLogonType=LOGON32_LOGON_INTERACTIVE and dwLogonProvider=LOGON32_PROVIDER_DEFAULT. I do not know why this API fails on your system.

comment:5 Changed 5 years ago by avok00

If that "Could not resolve import 'VRDPAuth2'" is not an error, how do you know that the API fails? Maybe it just does not authenticate the user passed for some reason, maybe the way it is passed is wrong? I believe it don't even tries to really check if the password is correct. It fails really fast and the RDP client does not say that the user or password is incorrect, it immediately displays two messages, first is:

"Your Remote Desktop session has ended

Your network administrator might have ended the connectio. Try connecting again, or contact technical support for assistance."

and the second:

"Fatal Error (Error Code:5)

Your Remote Desktop session is about to end.

The computer might be low on virtual memomory. Close your other program, and then try connection to the remote computer again. ... more stuff here"

As to why it does not work, lets try to find out. My system if fairly standard, it is used as a server, so almost no additional software isntalled, default settings mostly. One setting I can think of that is likely to affect it is System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" That is turned on in my system. For more information, plese refer to  http://support.microsoft.com/kb/811833

Please, try to enable that in your system, restart everything and see if you can reproduce the problem.

If that is not the reason, maybe you can give me some clues, what else can it be. I am a developer myself, more than 10 year experience, unfortunately not with Win programming, but I can manage debug tools. If you tell me how, I can provide you more information to help you pinpoint the problem. Don't give up easy :)

comment:6 follow-up: ↓ 8 Changed 5 years ago by avok00

New information: for Vista RDP client I managed to solve the problem the following way:

Go to Control Panel\User Accounts - Manage your network passwords. This will give you options to Store your credentials for servers. Just Add the TERMSRV/IPaddress|host of the sever or name you need to Log on to and Username and Password. Select "A Web site or program Credential" as credential type and OK. (Save and exit)

This makes Vista save the password permanently and then it works with Virtual box VRDP. If I don't do this and try to connect, VIsta RDP client still asks me for user and password before the actual connection attempt (or at least it looks that way) but then it won't work. Very strange.

Unfortunately this trick is not for Windows XP. I tried with XP SP3, even enabled NLA, but no luck, it asks me for user and password, I tick the box that saves them, they are remembered successfuly. Still if fails to connect.

Unfortunately I need VRDP to work mostly for windows XP clients.

PS: You can try and enable NLA in Vista to see if that is causing the problem. (Allow connections only from computers running Remote Desktop with Network Level Authentication)

comment:7 Changed 5 years ago by Sasquatch

Please check this forum topic:  http://forums.virtualbox.org/viewtopic.php?f=6&t=18409 It discusses this issue, and if no password is given, it refuses the connection (on Linux Hosts). On Windows Hosts, especially XP (that's what I've tested it with), you get two errors (screens in the topic) and no credentials question. The RDP v6 client clearly states that it will ask for a username and password when the connection is made, but after the timeout period it simply refuses the connection. This means that the VRDP server never asks for the credentials, but only accepts them if they are supplied along with the connection request. All other connection attempts are denied.

comment:8 in reply to: ↑ 6 Changed 5 years ago by sunlover

avok00, please attach VBox.log with a successful connection from Vista RDP client and with a failed connection from XP SP3.

Replying to avok00:

New information: for Vista RDP client I managed to solve the problem the following way

comment:9 Changed 5 years ago by avok00

Windows XP SP3 RDP 6.1 NLA Windows XP SP3 RDP 6.1 NO_NLA Windows vista RDP 6.1 NLA Windows XP SP2 RDP 6.0 NO_NLA

all showed the same: credentials presaved - OK credentials fully supplied before login attempt - OK credentials not fully supplied before login attempt - strange failure message

Now it works from XP too, I don't know why, maybe it is a security issue from the too many failed attempts. Or maybe it is another bug. Maybe in some cases the VRDP TS server begins to instruct clients that they should offer the user first and that causes them always to fail. I had periods before that it worked and then it won't. Now it also works from Vista when the credentials are not hard saved as I mentioned before. I will report here if it stops working again.

Anyway, it is apparent that it does not matter what version of RDP client I use, if it somehow tries to connect without supplying full credentials including user name and pass, the problem appears. Maybe because it cannot show the windows login screen for you to enter the credentials there. What is absolutely sure is that it don't follow the RDP protocol correctly and that can cause all kinds of strange behaviour.

I will attach a log with failed attempt and with succesful attempt, both for vista RDP client

Changed 5 years ago by avok00

one failed and one successful attempt

comment:10 Changed 4 years ago by clacombe

I have the same issue. When I connect using save credentials it works, but if I connect without using save credentials, I have the two well known error frames. You will tell me, then to connect using save credential ! The issue is that my normal usecase, it to connect throw citrix that do not offer the possibility to save credential. So I'm stuck. Hope there will be soon a version that works without having to save credential ;) Thanks anyway for all your work...

comment:11 in reply to: ↑ description Changed 3 years ago by Jmancino2

I have found that external authentication fails if you do not have the RDP username/password saved before attempting to log on. If you want it to ask you for a password, you always get the "virtual memory" error. Using XP as the RDP host and Windows 7 as the Host for the VMs. Authentication works if you have the username/password saved.

Replying to avok00:

I could not get external auth to work

The user has all rights but he cannot login. no user can login with VRDP, always 'access denied'

I am attaching the log, you can see some other errors there in the external auth module.

Host Vista Business SP1. guest windows XP SP3, VirtualBox 3

comment:12 Changed 2 years ago by TommyNator84

Spent a few hours on this issue today.

Tried to connect using "External" authentication from a local Windows 7 client to Windows 7 client running VirtualBox 4.1.8 r75467. Set RDP port to 5000 for the VM in question.

RDP authentication set to "Null" and connecting using "COMPUTERNAME:5000" worked fine, but once I set it to "External", it was a no go.

First i tried to connect using "COMPUTERNAME:5000", but I just got the same two error messages as the others (error 5 out of memory etc.). This never worked.

Added the credentials to the Windows vault (Control Panel\User Accounts - Manage your network passwords) (and still using COMPUTERNAME). This still didn't work.

Then I tried adding the credentials to the Windows vault like above, but this time using "TERMSRV/IP:5000". It worked!

Now, the strange thing is that after this first successful login using IP:port, it suddenly works when using the computer name too! And it even works when I set it to "Always ask for credentials".

I guess that the credentials are now saved correctly somewhere...

It seems obvious that the RDP problem is somewhere in the Auth DLL used by VirtualBox.

Last edited 2 years ago by TommyNator84 (previous) (diff)

comment:13 Changed 12 months ago by brainx

I have the same issue. Host OS:Win7 VM OS:Ubuntu12.10 Virtualbox Version:4.2.10 r84104

Note: See TracTickets for help on using tickets.

www.oracle.com
ContactPrivacy policyTerms of Use