homerjnick
Enthusiast
Enthusiast

RDP VDM Agent - Access is Denied

I have setup 2 pools of VM's, each consisting of 4 VM's for testing.

I have installed the VDM Agent but when I go to simply RDP onto my VM's the RDP screen comes up and then a box with a red cross saying "VMware VDM Agent - Access is Denied".

So before I get to enter credentials into RDP I get this error. There is no firewall turned on in the VM's and this is before I even use the VDM Windows Client to test logging onto my pool, I am usign RDP straight from my own Windows laptop.

What causes the VDM Agent to say access is denied even before I get to enter my credentials doing a normal RDP to a VM?

0 Kudos
18 Replies
mpryor
Commander
Commander

By default the VDM 2.1 agent will block non-VDM RDP connections, this was a request from customers after 2.0 was released. It can be disabled by group policy or registry setting on the agent VMs - the group policy file is included in the VDM connection server install under the ADM subfolder.

0 Kudos
homerjnick
Enthusiast
Enthusiast

Hmmmmmmmm I'm not sure on that.

I have found that DNS was not quite right so I changed that and one of my VM's I can now RDP....

0 Kudos
mittim12
Immortal
Immortal

Can you go into more detail when you say the DNS wasn't quite right? I just installed VDM 2.1 and found that I too received the access denied message when trying to use straight RDP to access the VM's. I used the GP template that referenced and was able to change this behavior on my test machines without any issues. Are you using 2.1 or 2.0?

If you found this or any other post helpful please consider the use of the Helpfull/Correct buttons to award points

0 Kudos
homerjnick
Enthusiast
Enthusiast

I had previously tried a few weeks ago VDM with a pool of VM's and I reused the names but not the IP's therefore my DNS had the host names pointing to the wrong addresses.

After I cleaned up that all my VM's now work fine although I have not applied the GPO thing for allowing normal RDP to my pool of VM's but RDP outwith VDM works fine, and VDM works fine as well.

0 Kudos
Topstep1
Enthusiast
Enthusiast

Any idea what that reg key is on the agent machine?

0 Kudos
mittim12
Immortal
Immortal

The GPO should only going to apply if you are using the VDM 2.1 agent.

If you found this or any other post helpful please consider the use of the Helpfull/Correct buttons to award points

0 Kudos
mittim12
Immortal
Immortal

I think this is the key in question

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\VMware, Inc.\VMware VDM\Agent\Configuration

"AllowDirectRDP"="true"

If you found this or any other post helpful please consider the use of the Helpfull/Correct buttons to award points

Topstep1
Enthusiast
Enthusiast

Thank you, mittim12.[~122286]

0 Kudos
kimono
Expert
Expert

When does this policy get enabled? I've had it occur on 1 out of 3 VDI images ... with VDM 2.1...

/kimono/

/kimono/
0 Kudos
mittim12
Immortal
Immortal

When does this policy get enabled? I've had it occur on 1 out of 3 VDI images ... with VDM 2.1...

/kimono/

It is supposed to be the default behavior for the VDM 2.1 agent.

If you found this or any other post helpful please consider the use of the Helpful/Correct buttons to award points

0 Kudos
TomHowarth
Leadership
Leadership

one posibility is the agent has been upgraded from 2.0 to 2.1 hence the reason the Reg key is not there.

Tom Howarth

VMware Communities User Moderator

Tom Howarth VCP / VCAP / vExpert
VMware Communities User Moderator
Blog: http://www.planetvm.net
Contributing author on VMware vSphere and Virtual Infrastructure Security: Securing ESX and the Virtual Environment
Contributing author on VCP VMware Certified Professional on VSphere 4 Study Guide: Exam VCP-410
0 Kudos
kimono
Expert
Expert

Strange cause I have a very old workstation XP VM that was converted to ESX, then installed VDM 2.1 agent on it, which is allowing RDP and VDM connections. Another XP VM, clean install with VDM 2.1 , doesn't allow RDP and doesn't have that policies\VMWare Inc subkey. I found the only way to allow RDP add the value to this location:

HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VDM\Agent\Configuration

I didn't test it with the POLICIES\ key mentioned before... is that a mistake?

/kimono/

/kimono/
0 Kudos
TomHowarth
Leadership
Leadership

that is strange and worrying. I would expect that the install routine would have repeatable behaviour, did you use the same build of agent on all occasions

Tom Howarth

VMware Communities User Moderator

Tom Howarth VCP / VCAP / vExpert
VMware Communities User Moderator
Blog: http://www.planetvm.net
Contributing author on VMware vSphere and Virtual Infrastructure Security: Securing ESX and the Virtual Environment
Contributing author on VCP VMware Certified Professional on VSphere 4 Study Guide: Exam VCP-410
0 Kudos
mpryor
Commander
Commander

You should see with the VDM 2.1 agent that the default setting is to block non-VDM RDP connections when the SSO component is installed - this componenet handles broker authentication to the agent and hence is also repsonsible for blocking direct connections. Both registry locations are correct (with/without policies), the policies version is generated by the group policy file included with the server installation and overrides the normal software registry entry. I hope that clarifies things.

Mike

0 Kudos
CFPUA
Contributor
Contributor

I'm having the same problem. Since the key didn't exist on my vm, I created it, seeing from this guy's blog: here

Still didn't work.

0 Kudos
admin
Immortal
Immortal

What do you want to do? Block the non-VDM connections of allow them?

Regards,

Christoph

Don't forget to award the points if this answer was helpful for you.

Blog:

http://communities.vmware.com/blogs/dommermuth |

0 Kudos
CFPUA
Contributor
Contributor

Allow - I got it - I was adding a registry key instead of a string.

Thanks!

Jude Eden

0 Kudos
admin
Immortal
Immortal

I've asked because the default was changed once. First it blocked by default then default was allow... If I remember correctly it was in View 3.0 or so...

0 Kudos