You dont have javascript enabled! Please enable it!

Configuring Constrained Delegation with Kerberos in Windows Server Hyper-V with PowerShell #HyperV

3 Min. Read

In this article, we will show you how to configure Constrained Delegation with Kerberos in Windows Server Hyper-V.

Live migration is a Hyper-V feature in Windows Server. It allows you to transparently move running Virtual Machines from one Hyper-V host to another without perceived downtime. The primary benefit of live migration is flexibility; running Virtual Machines is not tied to a single host machine. This allows actions like draining a specific host of Virtual Machines before decommissioning or upgrading it. When paired with Windows Failover Clustering, live migration allows the creation of highly available and fault-tolerant systems.

Introduction

Microsoft recently announced a configuration change for the constrained delegation with Kerberos in Windows Server 2016 Hyper-V (Live Migration). You can read about this announcement here.

In short, constrained delegation lets you limit the back-end services for which a front-end service can request tickets on behalf of another user. I would suggest that you read the Ask the Directory Services Team blog post “Understanding Kerberos Double Hop” to get up to speed.

A common example of constrained delegation is the Hyper-V Live Migration when you initiate a move from your management desktop from one Hyper-V host to another.

Many users including myself, when attempting to migrate a virtual machine using a remote management machine or PowerShell, we encountered the following irritating error message:

[No credentials are available in the security package (0x8009030E)]

WS2016-KerberosLM-HV01

In Windows Server 2016, Microsoft shifted from using the Hyper-V WMI Provider v1 over DCOM to the Hyper-V WMI Provider v2 over WinRM in order to unify Hyper-V remoting with other Windows remoting tools such (as PowerShell Remoting), and this caused the live migration to fail with constrained delegation “Use Kerberos only”.

The fix is easy and the best approach that Microsoft found to resolve this issue is a configuration change in Active Directory as documented by John in the article.

However, we came across another challenge to apply this change to several Hyper-V hosts in the environment because we need to change the settings manually in Active Directory under the Delegation tab in the account properties for each Hyper-V host.

Configuring Constrained Delegation

It’s a complete breeze to configure the same settings using the Active Directory module with PowerShell!

To do so, open an elevated PowerShell console on your management machine, import the Active Directory module and run the following script:

# Kerberos delegation to configure Live-Migration in Kerberos mode for Windows Server 2016 Hyper-V
Import-Module ActiveDirectory
# Variables
$HVHost01 = "HV01"
$HVHost02 = "HV02"
$HVHost03 = "HV03"
$HVHost04 = "HV04"

# Delegate Microsoft Virtual System Migration Service and CIFS for every other possible Live Migration host
$HV01Spns = @("Microsoft Virtual System Migration Service/$HVHost01", "cifs/$HVHost01")
$HV02Spns = @("Microsoft Virtual System Migration Service/$HVHost02", "cifs/$HVHost02")
$HV03Spns = @("Microsoft Virtual System Migration Service/$HVHost03", "cifs/$HVHost03")
$HV04Spns = @("Microsoft Virtual System Migration Service/$HVHost04", "cifs/$HVHost04")

$delegationProperty = "msDS-AllowedToDelegateTo"
$delegateToSpns = $HV01Spns + $HV02Spns + $HV03Spns + $HV04Spns

# Configure Kerberos to (Use any authentication protocol)
$HV01Account = Get-ADComputer $HVHost01
$HV01Account | Set-ADObject -Add @{$delegationProperty=$delegateToSpns}
Set-ADAccountControl $HV01Account -TrustedToAuthForDelegation $true

$HV02Account = Get-ADComputer $HVHost02
$HV02Account| Set-ADObject -Add @{$delegationProperty=$delegateToSpns}
Set-ADAccountControl $HV02Account -TrustedToAuthForDelegation $true

$HV03Account = Get-ADComputer $HVHost03
$HV03Account | Set-ADObject -Add @{$delegationProperty=$delegateToSpns}
Set-ADAccountControl $HV03Account -TrustedToAuthForDelegation $true

$HV04Account = Get-ADComputer $HVHost04
$HV04Account | Set-ADObject -Add @{$delegationProperty=$delegateToSpns}
Set-ADAccountControl $HV04Account -TrustedToAuthForDelegation $true

Please note that –TrustedToAuthForDelegation == “Use any authentication protocol” and –TrustedForDelegation == “Use Kerberos Only”.

And that’s it. Two cmdlets basically. A complete snap!

WS2016-KerberosLM-HV04

After running the above script, you need to clear the cache on the host using one of the following techniques:

1) KLIST PURGE –LI 0x3e7 (preferred and fastest method).

Invoke-Command $Nodes -ScriptBlock {
KLIST PURGE –LI 0x3e7
}

2) Or, wait 15 minutes for the cache to clear automatically.

3) Or, reboot the Host.

WS2016-KerberosLM-HV02

Test live migration now and you are good to go!

WS2016-KerberosLM-HV03

Hope that helps!

Learn more

Make sure to check my recent Windows Server Hyper-V Cookbook for in-depth details about Hyper-V! Enjoy Smile

WS2016-KerberosLM-HV05

Thanks for reading!
-Ch@rbel-

Photo of author
About the Author
Charbel Nemnom
Charbel Nemnom is a Senior Cloud Architect, Swiss Certified ICT Security Expert, Certified Cloud Security Professional (CCSP), Certified Information Security Manager (CISM), Microsoft Most Valuable Professional (MVP), and Microsoft Certified Trainer (MCT). He has over 20 years of broad IT experience serving on and guiding technical teams to optimize the performance of mission-critical enterprise systems with extensive practical knowledge of complex systems build, network design, business continuity, and cloud security.
Previous

How To Deploy DPM 2016 Using VMM 2016 on WS2016? #SCDPM #SCVMM #SysCtr #HyperV #WS2016

How To Update Windows Server 2012 R2 Storage Spaces to Windows Server 2016? #StorageSpaces #HyperV

Next

2 thoughts on “Configuring Constrained Delegation with Kerberos in Windows Server Hyper-V with PowerShell #HyperV”

Leave a comment...

Let me know what you think, or ask a question...

error: Alert: The content of this website is copyrighted from being plagiarized! You can copy from the 'Code Blocks' in 'Black' by selecting the Code. Thank You!