How to troubleshoot authentication and connectivity problems when you run Virtual Server 2005 in Windows XP Service Pack 2

This article describes some of the connectivity and authentication problems that you may experience when you run Microsoft Virtual Server 2005 on a Microsoft Windows XP-based computer that has been upgraded to Windows XP Service Pack 2 (SP2).

Microsoft does provide support for running Virtual Server on a Windows XP-based computer in a non-production, development, or test environment. The information in this article may provide assistance when you are evaluating Virtual Server on a Windows XP Professional SP2-based computer in one of these development or test environments.

The Windows Firewall feature in Windows XP Service Pack 2 (SP2) includes significant enhancements to help protect your computer from attack by malicious users or by malicious software such as viruses. Windows Firewall replaces the Internet Connection Firewall (ICF) feature that is included in earlier versions of Windows XP. By default, Windows Firewall is turned on for all network connections, including connections to the Internet. For additional information about Windows Firewall, click the following article number to view the article in the Microsoft Knowledge Base: Important When you open ports in your firewall, you increase the chance that other programs may gain access to your computer through those ports. Therefore, we recommend that you carefully consider your network security requirements before you open ports in your firewall. You may want to open a port only when you are using Virtual Server and close that port when you are not using Virtual Server.

After you install Virtual Server on a Windows XP SP2-based computer, you cannot remotely access Virtual Server or the Virtual Server Administration Web site.

You must use the correct account that has the correct DCOM permissions to remotely access Virtual Server and the Virtual Server Administration Web site.

If you use a domain account to access the Virtual Server Administration Web site, make sure that the domain account is a member of the local administrators group on the remote client.

Also, you must verify that the domain account that is being used to access Virtual Server is a member of the local administrators group on the Windows XP SP2-based computer that is running Virtual Server.

Alternatively, verify that the domain account is explicitly granted appropriate permissions in the Virtual Server security settings. To do this, follow these steps:

1. Log on to the Windows XP SP2-based computer that is running Virtual Server by using an account that has administrative permissions.
2. Click Start, point to Programs, point to Microsoft Virtual Server, and then click Virtual Server Administration Web site.
3. In the Navigation section on the Virtual Server Administration Web site, click Server Properties.
4. Under ComputerName Properties, click Virtual Server security.
   
   Note ComputerName should be the name of the Windows XP SP2-based computer that is running Virtual Server.
5. On the Virtual Server Properties page, you can modify the permissions by clicking the permissions that you want next to Permissions. You can also add new entries by clicking Add Entries.
6. In the Permission entry section, type the name of the user or of the group, select the permissions that you want, and then click OK to add a new permission entry.

You must also configure the default DCOM permissions to enable Local Activation permissions for user accounts that require access to the Virtual Server or to the Virtual Server Administration Web site. To do this, follow these steps:

1. Log on to the Windows XP SP2-based computer that is running Virtual Server by using an account that has administrative permissions.
2. Click Start, point to Control Panel, double-click Administrative Tools, and then double-click Component Services.
3. In the Component Services snap-in, expand Component Services, expand Computers, expand My Computer, expand DCOM Config, right-click Virtual Server, and then click Properties.
4. In the Virtual Server Properties dialog box, click Security.
5. Under Launch and Activation Permissions, click Customize, and then click Edit.
6. In the Launch Permission dialog box under Permissions for Authenticated Users, click to select the Allow check box for Local Activation. Then click OK two times.
7. Quit the Component Services snap-in.

Because the Windows XP SP 2 firewall prevents incoming Web connections, you may not be able to access the Virtual Server Administration Web site.

To access the Virtual Server Administration Web site, open Transmission Control Protocol (TCP) port 80 in the firewall for the Microsoft Internet Information Services (IIS) Web server. To do this, follow these steps:

1. Log on to the Windows XP SP2-based computer that is running Virtual Server by using an account that has administrative permissions.
2. Click Start, point to Control Panel, and then double-click Security Center.
3. In Windows Security Center, click Windows Firewall.
4. In the Windows Firewall dialog box, click the Exceptions tab, and then click Add Port.
5. In the Add a Port dialog box, type Web server in the Name box, type 80 in the Port number box, click TCP, click OK, and then click OK again.
6. Quit Windows Security Center.

The Windows XP SP 2 firewall prevents incoming Virtual Machine Remote Control client connections.

When a Virtual Machine Remote Control (VMRC) client tries to access the VMRC server, the client cannot connect to the server. To enable incoming VMRC client connections, open TCP port 5900. Port 5900 is the default port that the VMRC client uses to connect to the VMRC server. To open TCP port 5900, follow these steps:

1. Log on to the Windows XP SP2-based computer that is running Virtual Server by using an account that has administrative permissions.
2. Click Start, point to Control Panel, and then double-click Security Center.
3. In Windows Security Center, click Windows Firewall.
4. In the Windows Firewall dialog box, click the Exceptions tab, and then click Add Port.
5. In the Add a Port dialog box, type VMRC in the Name box, type 5900 in the Port number box, click TCP, click OK, and then click OK again.
6. Quit Windows Security Center.

Note You cannot use the Add Program option in the Windows Firewall dialog box and specify the Virtual Machine Remote Control Client program to let the VMRC client connect to the Windows XP SP2-based computer that is running Virtual Server. You must open port 5900 by using the steps that were mentioned earlier to enable incoming VMRC connections.

The Windows XP SP2 firewall blocks the Kerberos ticket-granting authority.

When the Kerberos ticket-granting authority is blocked, you may not be able to connect to Microsoft Windows Server 2003 domains or to Microsoft Windows 2000 domains that use the Kerberos protocol for authentication. In this scenario, you receive a "The page cannot be displayed" error message when you try to connect to one of these domains.

To enable access for the Kerberos ticket-granting authority, open TCP port 88 and User Datagram Protocol (UDP) port 88 in the Windows XP SP2 firewall. To do this, follow these steps:

1. Log on to the Windows XP SP2-based computer that is running Virtual Server by using an account that has administrative permissions.
2. Click Start, point to Control Panel, and then double-click Security Center.
3. In Windows Security Center, click Windows Firewall.
4. In the Windows Firewall dialog box, click the Exceptions tab, and then click Add Port.
5. In the Add a Port dialog box, type Kerberos in the Name box, type 88 in the Port number box, click TCP, and then click OK.
6. Click Add Port again, type Kerberos in the Name box, type 88 in the Port number box, click UDP, click OK, and then click OK again.
7. Quit Windows Security Center.