OakLeaf Systems: Problems Connecting to Windows 8 VMs Isn’t Related to Developer Previews; Windows 2008 R2 SP1 Is at Fault

Monday, September 26, 2011

Problems Connecting to Windows 8 VMs Isn’t Related to Developer Previews; Windows 2008 R2 SP1 Is at Fault

Update 9/26/2011: Minor edits and clarifications. See Note near the end of this post.

I reported inability to connect to VMs created by Windows 2008 R2 SP1’s Hyper-V subsequent to a Windows Update of 9/23/2011 in my Unable to Connect to Windows 8 Client or Server Virtualized with Windows 2008 R2 Hyper-V post of 9/24/2011, updated 9/24 and 9/25. All machines are members of the oakleaf.org domain managed by a domain controller running Windows 2003 Server R2 Enterprise Edition with SP2.

The problem isn’t related to the Windows Developer Preview OSes. It’s an issue with how Windows 2008 Server R2’s Hyper-V hypervisor started handling default user credentials after a Windows Update of 9/23/2011.

The workaround is to edit the machine’s Local Computer Policy/Computer Configuration/Administrative Templates/System/Credentials Delegation template with GpEdit.msc to:

Allow Delegating Default Credentials with NTLM-only Server Authentication
Allow Delegating Default Credentials
Allow Delegating Saved Credentials
Allow Delegating Saved Credentials with NTLM-only Server Authentication

For details, see the “Workaround” section near the end of this post.

Background

The problem started with a Windows Security Update for MS11-071: Vulnerability in Windows Components could allow remote code execution: September 13, 2011 (KB2570947), which Windows Update installed on 9/23/2011. Removing the update from the host OS didn’t solve the problem.

I discovered today that the problem also occurs with VMs I created previously and new VMs I created today. I can connect with the Remote Desktop Protocol from other Windows 7 Pro machines in the oakleaf.org domain to the host OS (OL-VIRTSERVER5) and one of two VMs I created several months ago (Win7ProVM1-RTM).

After providing credentials for the first connection and saving the Default.rdp file, subsequent connections don’t require providing credentials in the same dialog used by the Hyper-V host OS:

Attempting to connect to a Windows Server 2008 R2 VM:

Generates this error:

The Server2008R2VM4 VM is turned on and available from the network, as demonstrated by a share of its C:\ folder:

The Remote Desktops MMC tool in the host OS enables connecting to Win7ProVM1-RTM VM:

It’s surprising that RDP to this VM works from the host OS’s MMC tool but not from its Virtual Machine Manager.

Attempts to connect to Server2008R2VM4 fail with the following message:

Searches for the “Your Credentials Did Not Work” message return lots of hits, but most relate to scenarios with virtual hosts in a workgroup and clients connecting from a domain (e.g., Neolisk’s Tech Blog’s undated Virtualization - Cannot Connect To Server Using Hyper-V Manager post.) In my scenario, all my host OSes and virtual machines were members of the oakleaf.org domain when the problem occurred.

Note added 9/26/2011 7:30 AM: Unlike earlier Windows client and server setup operations, you cannot join an AD domain during Windows 8’s setup process. Until joining a domain, Windows 8 VMs are in the default WORKGROUP.

Workaround

To make sure I covered all bets, I ran GpEdit.msc on the host OS and, per Neolisk, performed the following recommended operations:

Navigate: Start / Run / gpedit.msc / Computer Configuration / Administrative Templates / System / Credentials Delegation, and make sure you have the following four options enabled and configured: