Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

You cannot use Internet Explorer to connect to a Microsoft Virtual Server 2005 Administration Web site and then connect to another Virtual Server


View products that this article applies to.

Important This article contains information that shows you how to help lower security settings or how to turn off security features on a computer. You can make these changes to work around a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect the computer.

↑ Back to the top


Symptoms

You use Microsoft Internet Explorer 6 or Windows Internet Explorer 7 to connect to a Microsoft Virtual Server (VS) 2005 Administration Web site. Then, you click Switch Virtual Server to connect to another Virtual Server that does not have constrained delegation enabled. However, you receive an error message that resembles the following:
Could not connect to the Virtual Server on <computer>. Access was denied.

↑ Back to the top


Cause

This problem occurs when the Prompt for user name and password security setting is enabled in Internet Explorer when you try to connect to the VS Administration Web site.

↑ Back to the top


Workaround

Warning This workaround may make a computer or a network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk.

To work around this problem, change the Internet Explorer security settings on the client computer. To do this, follow these steps:
  1. In Internet Explorer, click Tools, and then click Internet Options.
  2. On the Security tab, select the zone that the client computer uses to connect to the Virtual Server Administration Web site, and then click Custom level.
  3. In the Security Settings dialog box, scroll to the bottom of the Settings list.
  4. Under User Authentication, select Automatic logon only in Intranet zone, and then click OK.
  5. Click Yes in the Warning dialog box.
  6. Click OK, and then exit Internet Explorer.
  7. Open Internet Explorer, and then open the Virtual Server Administration Web site.
  8. Under the Navigation menu, point to Virtual Server Manager, and then click Switch Virtual Server.
  9. Enter the name or the IP address of a computer that is running Virtual Server, and then click Connect.

↑ Back to the top


Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top


More information

When you connect to the VS Administration Web site, Internet Explorer passes the authentication credentials or the token to the VS service (vssrvc.exe). Then, the VS service impersonates the user. However, another level of impersonation is performed if Internet Explorer is configured to prompt for a username and for a password. Because two levels of impersonation are not possible unless you set up constrained delegation, access to the VS Web Application fails.

For more information about constrained delegation in Virtual Server 2005, visit the following Microsoft Web site:

↑ Back to the top


Keywords: KB935943, kbprb, kbtshoot, kbexpertiseinter

↑ Back to the top

Article Info
Article ID : 935943
Revision : 4
Created on : 11/2/2007
Published on : 11/2/2007
Exists online : False
Views : 388