VMRCplus and authentication

VMRCplus has no support for alternate credentials. This means that in order to manage a Virtual Server remotely, both the machine with VMRCplus and the Virtual Server host must be in the same forest. You may wonder why VMRCplus does not support alternate credentials. Both the VMRC client and the Virtual Server Administration Website support this. Or do they only seem to support this?

The VMRC client is the standalone client which comes with Virtual Server. It is used to connect to the VMRC Server port, configured on the Virtual Server host. By default, the VMRC Server uses TCP port 5900.
The VMRC client connects to the Virtual Server VMRC service over this single TCP port. Authentication is built into the VMRC server: if authentication is required, the server responds to the VMRC client with an authentication request, which results in an authentication dialog being shown to the user.
VMRCplus does not communicate using the VMRC port. This is sometimes misunderstood. VMRCplus only uses the VMRC port when opening remote control sessions in the Console Manager.

The Virtual Server Administration Website (vswebapp.exe) is a web application hosted on Internet Information Services (IIS). In a default configuration, IIS is installed on the Virtual Server host and vswebapp.exe is installed on IIS. When connecting from a remote client using Internet Explorer (IE), you communicate with the web application (vswebapp.exe). If authentication is required, IE shows an authentication dialog, which is the result of the web application or IIS. Basically, you authenticate to IIS using alternate credentials if integrated logon fails. It is important to understand that up to this point, Virtual Server has not been involved in authentication. Only after authentication has been performed does vswebapp.exe use these credentials to 'connect' to Virtual Server. If that fails, it fails. So Virtual Server expects proper credentials, and if they are not provided, access is denied.
Vswebapp.exe accesses Virtual Server using COM in this scenario because vswebapp.exe is local to the Virtual Server host. However, the Virtual Server COM object has no support for alternate credentials.
VMRCplus is comparable to this scenario when it is installed locally on the Virtual Server host. If your current credentials are sufficient, you get access according to your privileges. If not, you simply get an access denied message ("... server does not exist or insufficient privileges...").

When VMRCplus is used in a remote scenario it uses DCOM to access Virtual Server. As mentioned before, Virtual Server does not support alternate credentials. Also in this scenario, your authentication is performed implicitly and only succeeds when both the VMRCplus machine and remote Virtual Server host are in the same forest.

An additional requirement exists in the remote scenario. Virtual Server runs with Local System identity. In the remote scenario this requires the VMRCplus user to be a member of the local Administrators group on the Virtual Server host. If this requirement is unacceptable for you, you must use VMRCplus locally on the Virtual Server host. You can offer the VMRCplus user RDP to the Virtual Server host and limit its privileges on the host. VMRCplus has been designed for RDP usage.
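
The two remote-scenario requirements above (same forest, local Administrators membership) can be checked before launching VMRCplus. The following PowerShell script is an added example, not part of VMRCplus or the original post; the host name is a constructed placeholder, and it assumes the host's DNS suffix matches its AD domain name and that the group carries its English name.

```powershell
# Added example: pre-flight check for VMRCplus in the remote (DCOM) scenario.
# Run as the VMRCplus user on the VMRCplus machine (Windows PowerShell).
param([string]$VsHost = 'vshost01.corp.example.com')   # constructed placeholder

# Requirement 1: both machines are in the same forest.
# Assumption: the host's DNS suffix equals the name of its AD domain.
$sameForest = $false
try {
    $forest     = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $domains    = @($forest.Domains | ForEach-Object { $_.Name })
    $hostDomain = ($VsHost -split '\.', 2)[1]
    $sameForest = $domains -contains $hostDomain
} catch {
    Write-Warning "No forest context (machine not domain-joined?): $($_.Exception.Message)"
}

# Requirement 2: the user is in the local Administrators group on the host.
# SIDs are compared, so membership through a domain group in the token counts.
$me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })

$isAdmin = $false
try {
    # Assumption: English group name; it is localized on some installations.
    $group = [ADSI]"WinNT://$VsHost/Administrators,group"
    foreach ($member in @($group.Invoke('Members'))) {
        $bytes = $member.GetType().InvokeMember('objectSid', 'GetProperty',
                                                $null, $member, $null)
        $sid   = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
        if ($mySids -contains $sid.Value) { $isAdmin = $true; break }
    }
} catch {
    Write-Warning "Cannot read Administrators on ${VsHost}: $($_.Exception.Message)"
}

# Both must be true for implicit authentication over DCOM to succeed.
[pscustomobject]@{
    Host               = $VsHost
    User               = $me.Name
    SameForest         = $sameForest
    LocalAdministrator = $isAdmin
    RemoteUseExpected  = ($sameForest -and $isAdmin)
}
```

If either check is false, the alternative described above applies: run VMRCplus locally on the host over RDP.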