You receive a "You do not have sufficient access rights" error message when you try to store resource files on a remote computer in Virtual Server 2005 (884744)


The information in this article applies to:

  • Microsoft Virtual Server 2005

SYMPTOMS

In Microsoft Virtual Server 2005, when you try to add a search path to a file share on a remote computer, or when you try to create a new virtual machine, you may receive the following error message:
You do not have sufficient access rights.

CAUSE

This issue may occur if both the following conditions are true:
  • You run the Virtual Server service and the Virtual Server Administration Web site on one computer.
  • You host the Virtual Server 2005 virtual hard disk files (.vhd) and virtual machine configuration files (.vmc) on a remote share.
This issue may occur if you do not configure constrained delegation for this Virtual Server configuration. The "Configuring constrained delegation" topic in the Virtual Server Administrator's Guide contains the following information: The Administration Website and the Virtual Server service are installed on the same computer. In this case, to allow users to access files on a remote computer, you can install a software update. For information about getting the software update, see article 829011, "You Are Prompted for Your User Credentials When You Request a CGI Script," in the Microsoft Knowledge Base. Alternatively, you can enable Basic authentication for the Administration Website. By default, Virtual Server uses Integrated Windows authentication. This is the preferred method of authentication, and typically you should not make changes to this setting. Certain risks are involved with using Basic authentication. For more information about configuring authentication, see the documentation for Internet Information Services (IIS). This information may cause you to determine that you do not have to configure constrained delegation for your Virtual Server configuration. However, in this scenario, you must configure constrained delegation.

RESOLUTION

To resolve this issue, configure constrained delegation for your Virtual Server configuration.

Note These steps describe how to configure constrained delegation if the Virtual Server service and the Virtual Server Administration Web site is installed on the same computer. If you have a configuration where the Virtual Server service, the Virtual Server Administration Web site, and the virtual hard disk files are hosted on different computers, do not follow these steps to configure constrained delegation. Instead, follow the steps from the "Configuring constrained delegation" topic in the Virtual Server Administrator's Guide.

To configure constrained delegation for your Virtual Server environment, follow these steps:
  1. On a domain controller, start the Active Directory Users and Computers program. To do this, click Start, click Run, type dsa.msc, and then click OK.
  2. Locate, and then click the container that contains the computer that is running Virtual Server 2005. For example, locate, and then click the Computers container.
  3. Right-click the computer that is running Virtual Server 2005, and then click Properties.
  4. Click the Delegation tab.

    Note If the Delegation tab does not appear, raise the functional level of your domain to Windows Server 2003. Constrained delegation is the trust of a computer for delegation of specified services. This kind of delegation can only be enabled for a computer in a Windows Server 2003 domain. To raise the functional level of your domain to Windows Server 2003, follow these steps:
    1. Click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.
    2. Right-click your domain, and then click Raise Domain Functional Level.
    3. In the Select an available domain functional level list, click Windows Server 2003, and then click Raise.
    4. On the following message that appears, click OK:This change affects the entire domain. After you raise the domain functional level, it cannot be reversed.
  5. On the Delegation tab, click Trust this computer for delegation to specified services only.
  6. Click Use any authentication protocol, click Add, and then click Users or Computers.
  7. In the Enter the object names to select box, type the name of the computer where the Virtual Server resource files are located. For example, type the name of the computer that contains the share where your Virtual Server virtual hard disk files and virtual machine configuration files are located.
  8. Click Check Names, and then click OK.
  9. In the Available services list, click cifs, and then click OK two times.
  10. Allow sufficient time for these changes to propagate throughout your domain. Sometimes, you may have to wait 10 to 15 minutes or longer for these changes to take effect.
  11. If the affected physical servers are running Service Pack 1 for Windows Server 2003, add the Domain Group(s) or Domain User(s) that will be accessing the Virtual server Administration Web site to the Distributed Com Users local group on each physical server.
Note By default, share permissions in Windows Server 2003 are read-only. Depending on where you store your Virtual Server 2005 resource files, you may have to modify the share permissions or the NTFS file system permissions. In this scenario, the users or groups that you let access these resources require Change permissions to the Virtual Server 2005 resource files.

MORE INFORMATION

To view the Virtual Server Administrator's Guide, click Start, point to All Programs, point to Microsoft Virtual Server, and then click Virtual Server Administrator's Guide.

For additional information about Virtual Server 2005, visit the following Microsoft Web site:

Microsoft Virtual Server 2005

Modification Type:MajorLast Reviewed:5/24/2006
Keywords:kbtshoot kbprb KB884744 kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.