SCVMM Self-Service Portal

The Self-Service Portal (SSP) is a web application provided as part of System Center Virtual Machine Manager (SCVMM). It allows “non admin” users to work with specific VMs, and possibly even to deploy new ones.

Being a web application, the interface is accessed via a browser – the opening page prompts for user credentials so that it can display the VMs owned by the user (or by a group of which the user is a member).

One of the features available through this interface is “Connect to VM”, which uses the RDP single port listener to have the client connect with the Hyper-V host (over TCP port 2179 by default) and request a connection to the console of the specified VM.

 

Here’s a possible gotcha – the logon page for the SSP has a radio button control for whether or not to “store my credentials”, and this setting determines which credentials are used after authenticating.

“Do not store my credentials” (default) = Use the credentials of the user logged onto Windows
“Store my credentials” = Use the credentials provided on this logon page

For the most part this won’t cause any problem, as many people log onto Windows with the same user account that they use for the SSP, so the credentials are the same regardless of the source.

However, if the user logged onto Windows is another domain user who is not configured in any Self-Service User role in SCVMM then we get into a weird state – authentication will be successful, but authorization (AzMan) will fail.

Because authentication does not fail, nothing triggers the Credential Manager to prompt for alternative credentials, and the connection is retried after it did not succeed, resulting in the following error message being displayed:

Virtual Machine Manager lost the connection to the virtual machine because another connection was established to this machine.

The error message is a bit misleading, but it is due to the Windows user credentials not having any AzMan entries in HyperVAuthStore.xml on the Hyper-V host.

 

The solution is simple – check the radio button “Store my credentials” when authenticating to the SSP.

If a local user account is logged onto Windows and “Do not store my credentials” is selected, then the error is not displayed. Instead, the Credential Manager will pop up asking for credentials to use, as local accounts cannot be used across the network – entering the credentials of any Self-Service User account with the correct privilege will work here.

The error message can also be displayed if there is an active console connection and the VM is shut down or put into the saved state, as well as the genuine case of another connection being established with the VM’s console from Hyper-V Manager, the SCVMM Administrator Console or another SSP user.