Configuring Constrained Delegation With Kerberos In Windows Server Hyper-V With PowerShell #HyperV - CHARBEL NEMNOM - MVP | MCT | CCSP | CISM - Cloud & CyberSecurity

Configuring Constrained Delegation with Kerberos in Windows Server Hyper-V with PowerShell #HyperV


In this article, we will show you how to configure Constrained Delegation with Kerberos in Windows Server Hyper-V.

Live migration is a Hyper-V feature in Windows Server. It allows you to transparently move running virtual machines from one Hyper-V host to another without perceived downtime. The primary benefit of live migration is flexibility: a running virtual machine is not tied to a single host machine. This allows actions like draining a specific host of virtual machines before decommissioning or upgrading it. When paired with Windows Failover Clustering, live migration allows the creation of highly available and fault-tolerant systems.


Microsoft recently announced a configuration change for the constrained delegation with Kerberos in Windows Server 2016 Hyper-V (Live Migration). You can read about this announcement here.

In short, constrained delegation lets you limit the back-end services for which a front-end service can request tickets on behalf of another user. I would suggest that you read the Ask the Directory Services Team blog post “Understanding Kerberos Double Hop” to get up to speed.

A common example of constrained delegation is the Hyper-V Live Migration when you initiate a move from your management desktop from one Hyper-V host to another.

Many users, including myself, encountered the following irritating error message when attempting to migrate a virtual machine from a remote management machine or with PowerShell:

[No credentials are available in the security package (0x8009030E)]


In Windows Server 2016, Microsoft shifted from using the Hyper-V WMI Provider v1 over DCOM to the Hyper-V WMI Provider v2 over WinRM in order to unify Hyper-V remoting with other Windows remoting tools (such as PowerShell Remoting), and this caused live migration to fail when constrained delegation is set to “Use Kerberos only”.

The fix is easy and the best approach that Microsoft found to resolve this issue is a configuration change in Active Directory as documented by John in the article.

However, applying this change to several Hyper-V hosts in the environment is another challenge, because the settings have to be changed manually in Active Directory under the Delegation tab of the account properties for each Hyper-V host.

Configuring Constrained Delegation

It’s a complete breeze to configure the same settings using the Active Directory module with PowerShell!

To do so, open an elevated PowerShell console on your management machine, import the Active Directory module and run the following script:

# Kerberos delegation to configure Live-Migration in Kerberos mode for Windows Server 2016 Hyper-V
Import-Module ActiveDirectory
# Variables
$HVHost01 = "HV01"
$HVHost02 = "HV02"
$HVHost03 = "HV03"
$HVHost04 = "HV04"

# Delegate Microsoft Virtual System Migration Service and CIFS for every other possible Live Migration host
$HV01Spns = @("Microsoft Virtual System Migration Service/$HVHost01", "cifs/$HVHost01")
$HV02Spns = @("Microsoft Virtual System Migration Service/$HVHost02", "cifs/$HVHost02")
$HV03Spns = @("Microsoft Virtual System Migration Service/$HVHost03", "cifs/$HVHost03")
$HV04Spns = @("Microsoft Virtual System Migration Service/$HVHost04", "cifs/$HVHost04")

$delegationProperty = "msDS-AllowedToDelegateTo"
$delegateToSpns = $HV01Spns + $HV02Spns + $HV03Spns + $HV04Spns

# Configure Kerberos to (Use any authentication protocol)
$HV01Account = Get-ADComputer $HVHost01
$HV01Account | Set-ADObject -Add @{$delegationProperty=$delegateToSpns}
Set-ADAccountControl $HV01Account -TrustedToAuthForDelegation $true

$HV02Account = Get-ADComputer $HVHost02
$HV02Account | Set-ADObject -Add @{$delegationProperty=$delegateToSpns}
Set-ADAccountControl $HV02Account -TrustedToAuthForDelegation $true

$HV03Account = Get-ADComputer $HVHost03
$HV03Account | Set-ADObject -Add @{$delegationProperty=$delegateToSpns}
Set-ADAccountControl $HV03Account -TrustedToAuthForDelegation $true

$HV04Account = Get-ADComputer $HVHost04
$HV04Account | Set-ADObject -Add @{$delegationProperty=$delegateToSpns}
Set-ADAccountControl $HV04Account -TrustedToAuthForDelegation $true

Please note that -TrustedToAuthForDelegation == “Use any authentication protocol” and -TrustedForDelegation == “Use Kerberos Only”.

And that’s it. Two cmdlets basically. A complete snap!
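As an added example (not from the original post), the following PowerShell reads the delegation settings back for each host so you can confirm the change before testing live migration. It assumes the same host names as the script above; adjust $HVHosts to your environment. It is worth running for two reasons: Set-ADObject -Add fails for SPN values that are already present in msDS-AllowedToDelegateTo, so a re-run after a partial first run can leave hosts in different states, and a host whose TrustedForDelegation flag is set is reported separately as unconstrained ("any service"), since that flag grants delegation to any service rather than to the listed SPNs only.

```powershell
# Added example (not from the original post): audit the delegation state that
# the configuration script writes, host by host, before testing live migration.
Import-Module ActiveDirectory

$HVHosts = @("HV01", "HV02", "HV03", "HV04")   # assumed Hyper-V host names, as in the post

function Get-HVDelegationState {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    # Every host is expected to be allowed to delegate to these SPNs on every
    # other host (the same list the configuration script builds).
    $expected = foreach ($h in $ComputerName) {
        "Microsoft Virtual System Migration Service/$h"
        "cifs/$h"
    }

    $props = 'msDS-AllowedToDelegateTo', 'TrustedForDelegation', 'TrustedToAuthForDelegation'

    foreach ($name in $ComputerName) {
        $acct    = Get-ADComputer -Identity $name -Properties $props
        $targets = @($acct.'msDS-AllowedToDelegateTo')

        # Decode the Delegation tab from the raw attributes:
        #   TrustedForDelegation set            -> "any service" (unconstrained)
        #   SPN list + TrustedToAuthForDelegation -> constrained, "Use any authentication protocol"
        #   SPN list only                       -> constrained, "Use Kerberos only"
        $mode = if ($acct.TrustedForDelegation) { 'Unconstrained (any service)' }
                elseif ($targets.Count -eq 0) { 'Not trusted for delegation' }
                elseif ($acct.TrustedToAuthForDelegation) { 'Constrained - any authentication protocol' }
                else { 'Constrained - Kerberos only' }

        # SPNs the configuration script should have added but which are absent
        $missing = @($expected | Where-Object { $targets -notcontains $_ })

        [pscustomobject]@{
            Host        = $name
            Mode        = $mode
            TargetCount = $targets.Count
            MissingSpns = ($missing -join ', ')
            # "Ready" means the state the script above produces: constrained
            # delegation with protocol transition and the full SPN list present.
            Ready       = ($mode -eq 'Constrained - any authentication protocol' -and $missing.Count -eq 0)
        }
    }
}

Get-HVDelegationState -ComputerName $HVHosts | Format-Table -AutoSize
```

Run it from the same elevated console after the configuration script; any host whose Ready column is False either still has missing SPNs (re-add only those values) or is in a different delegation mode than intended.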


After running the above script, you need to clear the Kerberos ticket cache on each host using one of the following techniques:

1) KLIST PURGE -LI 0x3e7 (preferred and fastest method). You can run it on every host at once from the management machine:

# $Nodes is the list of Hyper-V hosts configured above
$Nodes = $HVHost01, $HVHost02, $HVHost03, $HVHost04
Invoke-Command -ComputerName $Nodes -ScriptBlock {
    # 0x3e7 is the logon ID of the local SYSTEM session, whose cached tickets still carry the old delegation settings
    klist purge -li 0x3e7
}

2) Or, wait 15 minutes for the cache to clear automatically.

3) Or, reboot the Host.


Test live migration now and you are good to go!


Hope that helps!

Learn more

Make sure to check my recent Windows Server Hyper-V Cookbook for in-depth details about Hyper-V! Enjoy!


Thanks for reading!

About the Author:
Charbel Nemnom
Charbel Nemnom is a Senior Cloud Architect with 21+ years of IT experience. As a Swiss Certified Information Security Manager (ISM), CCSP, CISM, Microsoft MVP, and MCT, he excels in optimizing mission-critical enterprise systems. His extensive practical knowledge spans complex system design, network architecture, business continuity, and cloud security, establishing him as an authoritative and trustworthy expert in the field. Charbel frequently writes about Cloud, Cybersecurity, and IT Certifications.



4 thoughts on “Configuring Constrained Delegation with Kerberos in Windows Server Hyper-V with PowerShell #HyperV”


  1. Does it matter if you have a mixture of Hyper-V hosts, say:
    Host-1 is 2012 r2
    Host-2 is 2019
    Host-3 is 2022
    You run the script against all the hosts?

  2. Hello Peter, thanks for the comment!
    Yes, you need to run the script against all the hosts if you have a mixture of Hyper-V hosts in your environment.
    Hope it helps!
