Update: UltraVNC 1.4.3.6 and UltraVNC SC 1.4.3.6: viewtopic.php?t=37885
Important: Please update to latest version before to create a reply, a topic or an issue: viewtopic.php?t=37864

Join us on social networks and share our announcements:
- Website: https://uvnc.com/
- GitHub: https://github.com/ultravnc
- Mastodon: https://mastodon.social/@ultravnc
- Facebook: https://www.facebook.com/ultravnc1
- X/Twitter: https://twitter.com/ultravnc1
- Reddit community: https://www.reddit.com/r/ultravnc
- OpenHub: https://openhub.net/p/ultravnc

Problems w/ UltraVNC and Win 2K8 Server

Post Reply
Shadow Lord
8
8
Posts: 20
Joined: 2012-07-08 03:05

Problems w/ UltraVNC and Win 2K8 Server

Post by Shadow Lord »

Hello All,

I just finished building a new server and as part of the finishing touches I was trying to install the latest build of UltraVNC (stable). Two issues presented themselves:

1. this is an old issue (for me at least) which spans across versions and OSes. What I would like to do is to add a group (e.g. Administrators) to the MS-Logon and be able to logon to the UVNC server using any member of that group. However, I can't get this to work. I have both MS-Logon and MS-Logon II checked off. I click the configure button and add the group successfully. However, when I try to connect using any of the members in the group, EXCEPT for the built in Administrator account" I get "an authentication rejected error". This occurs with VNC servers running on Vista, Windows 7, Windows 2003 and Windows 2008R2. However, if I add the member directly instead of the group (for example User1) then I have no problem logging in. It is a bit of an annoyance but not major as I can get around it. However, I would like to get it working if possible.

2. I can not get the mirror hook driver to install on Win2k8 R2 x64. To be exact the driver installs and is seen in the device manager but it has an exclamation mark on it. In details Windows reports that the driver is unsigned yada yada. If I try to check for the driver using properties (in WinVNC right click menu) it tells me the driver is not found and maybe I should reboot. I have of course rebooted multiple times. Any workarounds for this? The performance is pretty dismal even on my local LAN.

Thanks for any help.
User avatar
Rudi De Vos
Admin & Developer
Admin & Developer
Posts: 6832
Joined: 2004-04-23 10:21
Contact:

Re: Problems w/ UltraVNC and Win 2K8 Server

Post by Rudi De Vos »

2;
addons had the wrong driver
files are reuploaded.

1. Part of code wasn't made by me and complex.
Gonna take time to findout what is going on.
Shadow Lord
8
8
Posts: 20
Joined: 2012-07-08 03:05

Re: Problems w/ UltraVNC and Win 2K8 Server

Post by Shadow Lord »

Rudi De Vos wrote:2;
addons had the wrong driver
files are reuploaded.

1. Part of code wasn't made by me and complex.
Gonna take time to findout what is going on.

Thanks for the quick reply. I dled the add-ons yesterday so I assume the corrected ones went up today? I will re-dl and re-install. Let me know if you need me to do any testing/provide log files on the log-on issue. I have tried multiple ways of getting around it and the only way I can successfully make it work is to add a user directly in the MS-Logon add box. Thank you.

EDIT: Just a thought but I know (and I am by no means an expert on this) that a member of the Administrators group does not get a full administrator token (at least on 2K8 R2). This also causes issues on shares. For example if I shared drive "1" which is a non-boot drive then the built in Administrator account can read/write to the root directory. User1 (a member of Administrators) can read/write (after answering the UAC prompt) when logged in locally, but the same account will be denied access to the root when accessing the share. Scouring the net it seems as if there is a different token issues to User1 which is not a full administrator token. Could this be part of the issue? Thanks.
User avatar
Rudi De Vos
Admin & Developer
Admin & Developer
Posts: 6832
Joined: 2004-04-23 10:21
Contact:

Re: Problems w/ UltraVNC and Win 2K8 Server

Post by Rudi De Vos »

It was reuploaded a 30 minutes ago.

When i'm correct, the mslogonII put a acl on a registry key and later it check if the key can be red.
Using mslogon I it just check if a user belong to a group ( it doesn't make use of acl, it's a simple check), possible
you have more luck with this option. Create a special group uvnc_access. add a user to this group. and tell vnc (mslogon I) that this group
has access.
Shadow Lord
8
8
Posts: 20
Joined: 2012-07-08 03:05

Re: Problems w/ UltraVNC and Win 2K8 Server

Post by Shadow Lord »

Rudi De Vos wrote:It was reuploaded a 30 minutes ago.

When i'm correct, the mslogonII put a acl on a registry key and later it check if the key can be red.
Using mslogon I it just check if a user belong to a group ( it doesn't make use of acl, it's a simple check), possible
you have more luck with this option. Create a special group uvnc_access. add a user to this group. and tell vnc (mslogon I) that this group
has access.
1. Driver issue fixed - thanks!

2. Using MSLogon I has its own issues. When I log in I get the following error: "Server closed Connection - The server running as application". I rebooted the system just in case with the same results. I also tried it out w/ a different user names and still had the same issue.
Shadow Lord
8
8
Posts: 20
Joined: 2012-07-08 03:05

Re: Problems w/ UltraVNC and Win 2K8 Server

Post by Shadow Lord »

Okay, I fixed it. Sort of I cheated a bit...

So as I suspected this is a filtered token problem which applies to Vista, 7, 8, and Win 2K8 R2 (maybe even Win2K8 and probably Win2K12). You can read up on the whole filtered token policy on the net. Interestingly enough the same issue causes problems with remote access to shares. Here is a quick fix:
UAC is set up to not allow access to default shares remotely. To enable, create the LocalAccountTokenFilterPolicy DWORD value at this key in the registry

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\

0 - build filtered token (Remote UAC enabled)
1 - build elevated token (Remote UAC disabled)

By setting the DWORD entry to 1, you will be able to access the administrative shares since the remote logon token will not be filtered.

This is discussed in this KB article, http://support.microsoft.com/kb/947232. (It's for Vista but it applies to Windows Server 2008 R2)
Once you apply this registry change ALL members of the administrators group will no longer get the filtered token. This not only fixes the shares issue but also the logon problems w/ MSLOGON II in UNVC. This of course reduces security a bit so use at your own peril. Or you can directly add a user to the list in MSLOGON II and not worry about it. Hope this helps others with the same issue.
User avatar
Rudi De Vos
Admin & Developer
Admin & Developer
Posts: 6832
Joined: 2004-04-23 10:21
Contact:

Re: Problems w/ UltraVNC and Win 2K8 Server

Post by Rudi De Vos »

Thanks for this feedback
Post Reply