VMware Communities
LT012345
Contributor
Contributor
‎02-08-2008 05:56 PM

Pass Windows logon credentials from host to guest OS

VMWare product: Workstation 6.0

Host OS: XP 32-bit

Guest OS: XP 32-bit

Networking: NAT

-

Hi,

I'm logged on to the company's network on the host. For the guest OS, I logged on using a local admin account. From the guest OS, I can access the company intranet via IE without any problems. If I tried to access network resources (e.g. SQL Server 2005 using windows auth) from the guest OS that requires my windows logon credentials, this would create a problem because the guest would automatically passed the local logon credentials.

My question is: how to I passed my Windows logon credentials from my host OS to my guest OS?

Thanks in advance for your help.

0 Kudos
13 Replies
KevinG
Immortal
Immortal
‎02-08-2008 06:09 PM

I not sure that I understand what you are trying to do

Please think of the host and guest as two seperate PC's.

I believe what you are trying to accomplish would not possible with two physical machine and it would be the same with the host & guest.

0 Kudos
magic-man
Hot Shot
Hot Shot
‎02-08-2008 06:27 PM

The way I do it is as follows:

The host and all VMs are XP pro. I set the same username and password in the host and the VM (and use bridged mode).

In the host, I login locally (not to the domain, just to a workgroup (VMHOME)). In the VM I log into the domain. I use tweakui to autolog the host in.

The up side is that if the host and VMs all have the same user ID and password, you can share things easier and the net administrator only has access to my stuff in the VM. I can still do things on the domain in the host and VM.

The main down side is that you have to keep the passwords in sync when the domain admin decides it is time to change your passwords (every month here). Not a big thing and only takes a few minutes to change in all my VMs. Perhaps some day I won't be so lazy and write a script Smiley Wink

0 Kudos
magic-man
Hot Shot
Hot Shot
‎02-08-2008 06:34 PM

Also, if you are talking about using SQL server queries in a VM with an unknown user, I do it in Visual basic and/or Access. Your domain op can either set up an account (read only, please) in SQL server for you to use or you can embed yours 9not recommended) in the code. If you use the first one, you can create a DSN to the data.

0 Kudos
LT012345
Contributor
Contributor
‎02-09-2008 03:27 AM

OK, I'll try to do a better job of describing my problem.

Let's say I work at IBM (I don't). I came in to work on logged in to my work PC using my NT credentials: domain\username = NorthEast\JohnSmith. Then I fired up my VM, which I built myself. Keep in mind the IBM domain admin folks have no knowledge of my VM and doesn't exactly sanction it. Yes, I'm not the only person at work who installed "non-IT approved software" on my work PC. So I logged in to my VM (I set the compute name to "VM1") using the VM's local credentials: username = Administrator. I'm in my VM, I fired up IE and accessed the IBM intranet website just fine. I can also access extermal websites (e.g., google.com).

Then I fired up Sql Server Managment Studio (still in my VM) to log in to a Sql Server instance within IBM's internal network. Sql Server Managment Studio allows me to pass my logged on NT credentials to the Sql Server instance for authentication. However, since I'm in my VM, the logged credentials that will be passed will be "VM1\Adminstrator" and not "NorthEast\JohnSmith". Hence, I can not log in to the IBM intranet Sql Server instance from within my VM. I'm only using Sql Server as an example. Ohter apps use the same "NT authentication" method.

So my question is: how do I set up my VM so that my host's NT credentials pass through to my VM.

0 Kudos
magic-man
Hot Shot
Hot Shot
‎02-09-2008 09:06 PM

I do it all day long and my IT guy is none the wiser.

Way 1: Rename the host machine to a different name. Rename the VM to the

name the host had before. You will not be logging into the domain in the

host, just in the VM. Treat the VM NO DIFFERENT than a normal stand alone

PC... How would you do it if you had another computer sitting next to you?

Way 2: log into the domain in both the VM and host. Depends if your IT dept

allows multiple logons or not. Mine does... I can be logged in up to 100

machines at any one time.

Bill Smiley Happy

LT012345
Contributor
Contributor
‎02-22-2008 12:06 AM

Bill,

Way 1 is not really an option for me because I do most of my work in the host and only occasionally use the guest when the need arises (testing my apps, for example).

Way 2 - I'm not sure how to do this as far as logging into the domain on the guest. In the process of building the guest, did you have to join the domain during setup? Does this require IT help since only the domain admins have the required security rights to allow a Windows box to join a domain? I'm stabbing in the dark here since I don't really know how domains are set up?

Help?

0 Kudos
TXuser
Enthusiast
Enthusiast
‎02-24-2008 12:10 PM

The quickest and easiest way is to talk to your manger and IT staff about the benefits of using Worstation and adding the guest(s) to the domain. If you have multiple logins, you're good to go.

As for the renaming the host and guest, it would probably not work on a domain. I haven't tried the renaming scheme, but from experience, this is what we encountered. We have several users that have to track down certain individuals, meaning the sites are questionable and you would never know what gets infected on their computers. We started using the Acronis True Image with the Acronis Secure Zone feature, which stores the HD image in a hidden partition on the drive. We had backed it up while the computer was in the domain. After several weeks and performing a restoral, you could not login to the domain under any account. After removing the computer from the domain and re-adding it, everything was fine. Rebuilt the image in the Secure Zone after it had been removed from the domain again. After future restorals, just re-add it to the domain and you're good to go. Yes, we had McAfee Enterprise versions installed and that would not stop a lot of the infections. Prior to the backup, all the users data had already been redirected to a seperate data partition and/or network shares. Since then, we have added another layer of protection that stops a user from installing any software or getting infected by clicking on the wrong items while on the Internet. We haven't had to clean a computer from any virus, malware or drive by infections, going on two years now.

You will get alot further, in being honest with your IT staff. We have made exceptions, on a case by case basis, if their claims or needs are valid. We have also locked down certain users for not following or trying to go around certain procedures.

Good Luck,

LT012345
Contributor
Contributor
‎02-25-2008 05:25 PM

Thanks, I've always suspected my solution would involve adding the guest to the domain and/or having IT create the guest image, but I'm not in that line of work (networking, infrastructure, etc.) so I don't know for sure. I'm a software developer so I use Workstation mainly to test my own apps and to evaluate commercial apps.

I just assumed Workstation was not IT approved software though I don't know for sure. From past experiences, it just seems like going to IT would be a huge colossal hassle for this kind of thing, especially if you work in a non-IT or non-High Tech company, so I tried the DIY way.

Well, maybe I can dig around and see if IT has a policy on this.

0 Kudos
magic-man
Hot Shot
Hot Shot
‎02-26-2008 10:37 AM

Their policy SHOULD be the same as if you had placed another physical

machine in your office. To the domain, there is no difference between the

virtual machine and a real machine. Personally, I would use bridged

networking in the VM so they can assign the VM an IP address.

0 Kudos
Peter_vm
Immortal
Immortal
‎02-26-2008 11:31 AM

...Unless their network security already tightened physical network port usage policy, and allow only one MAC at a time.

0 Kudos
TXuser
Enthusiast
Enthusiast
‎02-27-2008 06:18 PM

LT012345,

How does your host computer connect to the domain now? I am assuning your host is in their domain now. Is it your computer or their's?

Let me tell you the steps we would take if you would come to us. This is assuming you are an outside contractor for our company. If you you were using a company computer, you would not be able to install WS 6 or any other software without IT's permission and assistance. All installations are blocked, period. We use LAA's to track who is assigned what IP address.. We do have DHCP addresses setup for outside laptops to connect on a limited basis during meetings and conferences. We watch this pool closely and will block them if they are the network for more than two days.

If you're request is valid, which for the testing, I understand your wanting to use WS 6. We would do the installation of WS 6 for you. Now you want to copy your guest, since it is preloaded with your required software and tools. Before we would add it to the domain, we may need to install some software that is required to be on the domain. At the same time you may be required to remove some software that would not be allowed. The quest would follow the same rules as any other computer.on the domain, this includes your host computer, even if it is yours. A LAA would be assigned and then the guest would be added to the domain. Note: At that time, you would no longer be allowed to install any software in the guest, even if you have administrative rights. All installtions would be blocked. If approved, IT would install any software from that point. Your login would automatically expire at the end of your contract. When running other guests, they would show up in the DHCP pool and would be blocked accordingly.

Our OU has six servers and over four hundred computers and currently utilize ten images to cover the different divisions. The initial testing of converting the images to VM's have been successful when deploying to a physical machine. We have more testing to do in this area. WS 6 is great and only limited by your imagination. We have disabled all the NAT features and use the bridged mode to allow the guests on the domain for updating the programs and OS though a WSUS server.

I know this is more than you wanted to know. But remember, IT is your friend, if your request is valid.

TXuser

0 Kudos
LT012345
Contributor
Contributor
‎02-27-2008 08:33 PM

Thanks for the post. That certainly provided some insights for me about the "other side" of this setup process.

0 Kudos
rsharma
Contributor
Contributor
‎02-28-2008 07:08 AM

Hi LT012345,

I have the similar situation like yours. Were you able to find any kind of script which will let you pass windows logon credentials from host to guest? Please let me know if there is such scripts exist?

Thanks,

0 Kudos