Self-service users can't open a console session to a virtual machine
This article helps you fix an issue in which Virtual Machine Manager (VMM) self-service users can't connect to a console session of a virtual machine running Windows Server 2012.
Original product version: Microsoft System Center 2012 R2 Virtual Machine Manager, System Center 2012 Virtual Machine Manager
Original KB number: 2986796
Symptoms
When you try to connect to the console session of a virtual machine (VM) that's running in Windows Server 2012 by using Microsoft System Center 2012 R2 Virtual Machine Manager or Microsoft System Center 2012 Virtual Machine Manager Service Pack 1 (SP1), the connection fails, and you receive the following error message:
Virtual Machine Manager lost the connection to the virtual machine for one of the following reasons.
Another connection was established to the console of this machine
The virtual machine has been shut down or put into the saved state
The user credentials provided do not have the necessary privilege to connect(0x0003, 0x0000)
Cause
This problem occurs because connection access to Windows Server 2012 hosts is controlled through a new method that uses the Grant-VMConnectAccess
command. In some cases, invalid user accounts in the member list for the Virtual Machine Manager user role can prevent the list from being populated.
If the failure persists after you verify the potential reasons that are stated in the error message, the failure might, instead, occur because members of the Administrator or Self-Service user roles have unresolvable domain accounts, as represented by security identifiers (SIDs).
Resolution
To resolve this problem, follow these steps:
- Open the VMM console.
- In the Settings workspace, select Security, and then select User Roles.
- Select the Administrator user role.
- On the ribbon bar, select Properties on the Home tab.
- In the Administrator Properties dialog box, select Members.
- Browse through the list of users. Remove any users that don't resolve to a domain account and that show only a SID.
- Repeat steps 3 through 6 for any additional user roles.
- After the SIDs are removed from each user role, an update to the
VMConnectAccess
permissions has to be pushed out by VMM. To trigger this event, change the access for a virtual machine. To do it, follow these steps:- Select a virtual machine, and then select Properties.
- In the Properties dialog box, select the Access tab.
- In the Self-Service Owner field, enter a different user account, and then select OK.
- Verify that the job completed successfully.
- Revert access to the original user account.
- Verify that the self-service user can now open a console session to their virtual machine.
Feedback
https://aka.ms/ContentUserFeedback.
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see:Submit and view feedback for