Configuring Constrained Delegation with Kerberos in Windows Server Hyper-V With PowerShell #HyperV

2 Min. Read

Microsoft recently announced a configuration change for the constrained delegation with Kerberos in Windows Server 2016 Hyper-V (Live Migration).

You can read about this announcement here.

In short, constrained delegation lets you limit the back-end services for which a front-end service can request tickets on behalf of another user. I would suggest that you read the Ask the Directory Services Team blog post “Understanding Kerberos Double Hop” to get up to speed.

A common example of constrained delegation is the Hyper-V Live Migration when you initiate a move from your management desktop from one Hyper-V host to another.

Many users including myself, when attempting to migrate a virtual machine using a remote management machine or PowerShell, we encountered the following irritating error message:

[No credentials are available in the security package (0x8009030E)]


In Windows Server 2016, Microsoft shifted from using the Hyper-V WMI Provider v1 over DCOM to the Hyper-V WMI Provider v2 over WinRM in order to unify Hyper-V remoting with other Windows remoting tools such (PowerShell Remoting), and this cause the live migration to fail with constrained delegation “Use Kerberos only”.

The fix is easy and the best approach that Microsoft found to resolve this issue is a configuration change in Active Directory as documented by John in the article.

However, I came across another challenge when I need to apply this change to several Hyper-V 2016 hosts in my environment because I need to change the settings manually in Active Directory under the Delegation tab in the account properties for each Hyper-V host.

It’s a complete breeze to configure the same settings using the Active Directory module for Windows PowerShell!

To do so, open an elevated PowerShell console on your management machine, import the Active Directory module and run the following script:

# Kerberos delegation to configure Live-Migration in Kerberos mode for Windows Server 2016 Hyper-V
Import-Module ActiveDirectory
# Variables
$HVHost01 = "HV01"
$HVHost02 = "HV02"
$HVHost03 = "HV03"
$HVHost04 = "HV04"

# Delegate Microsoft Virtual System Migration Service and CIFS for every other possible Live Migration host
$HV01Spns = @("Microsoft Virtual System Migration Service/$HVHost01", "cifs/$HVHost01")
$HV02Spns = @("Microsoft Virtual System Migration Service/$HVHost02", "cifs/$HVHost02")
$HV03Spns = @("Microsoft Virtual System Migration Service/$HVHost03", "cifs/$HVHost03")
$HV04Spns = @("Microsoft Virtual System Migration Service/$HVHost04", "cifs/$HVHost04")

$delegationProperty = "msDS-AllowedToDelegateTo"
$delegateToSpns = $HV01Spns + $HV02Spns + $HV03Spns + $HV04Spns

# Configure Kerberos to (Use any authentication protocol)
$HV01Account = Get-ADComputer $HVHost01
$HV01Account | Set-ADObject -Add @{$delegationProperty=$delegateToSpns}
Set-ADAccountControl $HV01Account -TrustedToAuthForDelegation $true

$HV02Account = Get-ADComputer $HVHost02
$HV02Account| Set-ADObject -Add @{$delegationProperty=$delegateToSpns}
Set-ADAccountControl $HV02Account -TrustedToAuthForDelegation $true

$HV03Account = Get-ADComputer $HVHost03
$HV03Account | Set-ADObject -Add @{$delegationProperty=$delegateToSpns}
Set-ADAccountControl $HV03Account -TrustedToAuthForDelegation $true

$HV04Account = Get-ADComputer $HVHost04
$HV04Account | Set-ADObject -Add @{$delegationProperty=$delegateToSpns}
Set-ADAccountControl $HV04Account -TrustedToAuthForDelegation $true

Please note that –TrustedToAuthForDelegation == “Use any authentication protocol” and –TrustedForDelegation == “Use Kerberos Only”.

And that’s it. Two cmdlets basically. A complete snap!


After running the above script, you need to clear the cache on the host using one of the following techniques:

1) KLIST PURGE –LI 0x3e7 (preferred and fastest method).

2) Wait 15 minutes for the cache to clear automatically.

3) Reboot the Host.


Test live migration now and you are good to go!


Hope that helps!

Make sure to check my recent Windows Server 2016 Hyper-V Cookbook for in-depth details about Hyper-V 2016! Enjoy Smile


Thanks for reading!


How To Deploy DPM 2016 Using VMM 2016 on WS2016? #SCDPM #SCVMM #SysCtr #HyperV #WS2016

How To Update Windows Server 2012 R2 Storage Spaces to Windows Server 2016? #WS2016 #StorageSpaces #HyperV


2 thoughts on “Configuring Constrained Delegation with Kerberos in Windows Server Hyper-V With PowerShell #HyperV”

Leave a comment...

  1. Are the same commands valid for Server 2019?

  2. Hello Scott, yes the same commands are valid for Server 2019 and 2022!

Let me know what you think, or ask a question...

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe to Stay in Touch

Never miss out on your favorite posts and our latest announcements!

The content of this website is copyrighted from being plagiarized!

You can copy from the 'Code Blocks' in 'Black' by selecting the Code.

Please send your feedback to the author using this form for any 'Code' you like.

Thank you for visiting!