Microsoft KB Archive/935943

= You cannot use Internet Explorer to connect to a Microsoft Virtual Server 2005 Administration Web site and then connect to another Virtual Server =

Article ID: 935943

Article Last Modified on 11/2/2007

-

APPLIES TO


 * Microsoft Virtual Server 2005 Standard Edition
 * Microsoft Internet Explorer 6.0
 * Windows Internet Explorer 7

-



Important This article contains information that shows you how to help lower security settings or how to turn off security features on a computer. You can make these changes to work around a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect the computer.



SYMPTOMS
You use Microsoft Internet Explorer 6 or Windows Internet Explorer 7 to connect to a Microsoft Virtual Server (VS) 2005 Administration Web site. Then, you click Switch Virtual Server to connect to another Virtual Server that does not have constrained delegation enabled. However, you receive an error message that resembles the following:

Could not connect to the Virtual Server on. Access was denied.



CAUSE
This problem occurs when the Prompt for user name and password security setting is enabled in Internet Explorer when you try to connect to the VS Administration Web site.



WORKAROUND
Warning This workaround may make a computer or a network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk.

To work around this problem, change the Internet Explorer security settings on the client computer. To do this, follow these steps:
 * 1) In Internet Explorer, click Tools, and then click Internet Options.
 * 2) On the Security tab, select the zone that the client computer uses to connect to the Virtual Server Administration Web site, and then click Custom level.
 * 3) In the Security Settings dialog box, scroll to the bottom of the Settings list.
 * 4) Under User Authentication, select Automatic logon only in Intranet zone, and then click OK.
 * 5) Click Yes in the Warning dialog box.
 * 6) Click OK, and then exit Internet Explorer.
 * 7) Open Internet Explorer, and then open the Virtual Server Administration Web site.
 * 8) Under the Navigation menu, point to Virtual Server Manager, and then click Switch Virtual Server.
 * 9) Enter the name or the IP address of a computer that is running Virtual Server, and then click Connect.



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the &quot;Applies to&quot; section.



MORE INFORMATION
When you connect to the VS Administration Web site, Internet Explorer passes the authentication credentials or the token to the VS service (vssrvc.exe). Then, the VS service impersonates the user. However, another level of impersonation is performed if Internet Explorer is configured to prompt for a username and for a password. Because two levels of impersonation are not possible unless you set up constrained delegation, access to the VS Web Application fails.

For more information about constrained delegation in Virtual Server 2005, visit the following Microsoft Web site:

http://www.microsoft.com/technet/prodtechnol/virtualserver/2005/proddocs/vs_deploy_delegation.mspx

Keywords: kbtshoot kbprb kbexpertiseinter KB935943

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.