Accessing Virtual Server via VMRC through a ISA firewall with Vista

The problem

We have had an insteresting problem, we have a Virtual Server 2007 R2 (Beta), this is accessed both internally on our company network and externally via a ISA 2006 on the Internet. This has been working fine with our XP PCs, but we saw problems when we tried to use Vista.

When on our LAN, the Vista PC was fine, you could connect to the Virtual Server console web page and VMRC to any VPC. We had set our domain *.blackmarble.co.uk as the local intranet in IE security so we were not prompted for for repeated logins.

If the Vista PC was a member of our domain then VMRC login failed outside the firewall, you were still prompted for the ISA login and got to the Virtual Server console but the VMRC failed with an authentication failure, the same happened if I used the VMRC.EXE. However, if the Vista PC was not a member of our domain it worked (and also remember XP worked whether a member of the domain for not).

The Solutions

I contacted Ben Armstrong (http://blogs.msdn.com/Virtual_PC_Guy/) to see if there were any known issues long this line, and there were not, but he made some interesting suggestions that in the end got us to the solution. 

If we temporarily removed *.blackmarble.co.uk from the Vista PCs IE local intranet group and it started to work both inside and outside the firewall, but we had to authenticate a good few times.

We then put the entry for *.blackmarble.co.uk from the Vista PCs IE local intranet group back, and as expected it started to fail again.

We then had a look on the Virtual Server Console, server properties, VMRC server properties. The authentication was set to automatic (the default), we changed this to NTLM. Once this was done the Vista PC could VMRC from inside and outside the firewall without issues.

So I think being a member of the domain was a red herring, it was the fact the PCs in our domain had the IE local intranet set was the key issue.

I am not sure of the route cause, especially as it seem to be Vista specific, it could be:

  1. A kerberos issue on our LAN
  2. Bug in Vista/IE authentication
  3. Bug in Virtual Server 2007R2 (we did try both the beta and RC)
  4. Bug in VMRC.EXE

Anyway at least we have a solution.