I’m a huge fan of Windows Home Server.  I love the easy-to-set-up image- and file-based backup system, and I love the ability to just slap in another 2TB drive if I start getting low on space.  In addition to music, movies, photos, and personal documents, I keep all the software install packages and ISOs I’ve downloaded on my server.  Further, with the user account synchronization built into WHS, I’ve been able to simplify my home network and no longer maintain any (permanent) Active Directory domains.

This setup has worked pretty well up to now.  In VMWare Workstation, when I want to build a new VM, I just mount the appropriate OS .ISO from \serverSoftware and boot to the DVD.  Hyper-V, though, doesn’t like to mount ISOs over the network.  On a fresh Hyper-V R2 install, when I tried to mount a Win7 iso for a new guest, I was greeted with the following error:

The server encountered an error while configuring devices on testvm.  Failed to add device 'Microsoft Virtual CD/DVD Disk'.  The Machine Account 'Hyper-V Virtual Machine Management service' does not have read access to file share '\serversoft...en_windows_7_ultimate_x64_dvd_x15-65922.iso'.

In an Active Directory environment, there is a documented solution for this; when one is also managing the Hyper-V host remotely, additional configuration is required that involves constrained delegation.

In an environment without Active Directory (like my home network), or when the machines in question are in domains that don’t talk with each other, we need something else.  One option is to enable anonymous access to the share where the ISOs are stored.  This solution is fine for my home network, and may be feasible for other small networks where security isn’t as much of an issue.  While the instructions below are for Windows Home Server specifically, they are easily adapted to a bog-standard (non-WHS) file server.

  1. First, go to Administrative Tools->Local Security Policy.

    In Security Settings/Local Policies/Security Options, make the following changes:

    Network Access: Do not allow anonymous enumeration of SAM accounts and sharesDisabled
    Network Access: Let Everyone permissions apply to anonymous usersEnabled
    Network Access: Restrict anonymous access to Named Pipes and SharesDisabled
    Network Access: Shares that can be accessed anonymously – Add SOFTWARE (or the appropriate share) to the existing list

    In Security Settings/Local Policies/User Rights Assignment:

    Access this computer from a network – Add ANONYMOUS LOGON and Everyone if they’re not already there

  2. After closing the Local Security Settings window you’ll need to reboot the server or force application of security policy via gpupdate.
  3. Then, open up Computer Management and go to System Tools->Local Users and Groups->Groups.
    Windows Home Server creates several security groups that provide read-only and read/write access to the shares it manages.  Find which group offers Read-Only access to the share and add Everyone to this group.  On my computer, the Software share is managed by RO_8 and RW_8, so I added Everyone to the RO_8 group.
  4. While you’re in Computer Management, go to System Tools->Shared Folders->Shares.  In the properties for the appropriate share, add Everyone to the Share Permissions.

After following these steps, I was able to mount ISOs from the share successfully in the Hyper-V Manager.

Unfortunately, this solution has a caveat beyond just the security implications.  Windows Home Server likes you to manage everything through its interface.  If you’ve made changes out of band, WHS is happy to ‘fix’ them for you.  After every reboot, WHS removes the Everyone token from both the security group and from the share permissions.  This means that every time I reboot, I have to perform steps 3 and 4 again. This is frustrating enough that I’ve considered writing a script for this, but I reboot the server so rarely that I haven’t bothered.