In this article, we will show you how to configure Constrained Delegation with Kerberos in Windows Server Hyper-V.
Live migration is a Hyper-V feature in Windows Server. It allows you to transparently move running Virtual Machines from one Hyper-V host to another without perceived downtime. The primary benefit of live migration is flexibility; running Virtual Machines is not tied to a single host machine. This allows actions like draining a specific host of Virtual Machines before decommissioning or upgrading it. When paired with Windows Failover Clustering, live migration allows the creation of highly available and fault-tolerant systems.
Table of Contents
Introduction
Microsoft recently announced a configuration change for the constrained delegation with Kerberos in Windows Server 2016 Hyper-V (Live Migration). You can read about this announcement here.
In short, constrained delegation lets you limit the back-end services for which a front-end service can request tickets on behalf of another user. I would suggest that you read the Ask the Directory Services Team blog post “Understanding Kerberos Double Hop” to get up to speed.
A common example of constrained delegation is the Hyper-V Live Migration when you initiate a move from your management desktop from one Hyper-V host to another.
Many users including myself, when attempting to migrate a virtual machine using a remote management machine or PowerShell, we encountered the following irritating error message:
[No credentials are available in the security package (0x8009030E)]
In Windows Server 2016, Microsoft shifted from using the Hyper-V WMI Provider v1 over DCOM to the Hyper-V WMI Provider v2 over WinRM in order to unify Hyper-V remoting with other Windows remoting tools such (as PowerShell Remoting), and this caused the live migration to fail with constrained delegation “Use Kerberos only”.
The fix is easy and the best approach that Microsoft found to resolve this issue is a configuration change in Active Directory as documented by John in the article.
However, we came across another challenge to apply this change to several Hyper-V hosts in the environment because we need to change the settings manually in Active Directory under the Delegation tab in the account properties for each Hyper-V host.
Configuring Constrained Delegation
It’s a complete breeze to configure the same settings using the Active Directory module with PowerShell!
To do so, open an elevated PowerShell console on your management machine, import the Active Directory module and run the following script:
# Kerberos delegation to configure Live-Migration in Kerberos mode for Windows Server 2016 Hyper-V
Import-Module ActiveDirectory
# Variables
$HVHost01 = "HV01"
$HVHost02 = "HV02"
$HVHost03 = "HV03"
$HVHost04 = "HV04"
# Delegate Microsoft Virtual System Migration Service and CIFS for every other possible Live Migration host
$HV01Spns = @("Microsoft Virtual System Migration Service/$HVHost01", "cifs/$HVHost01")
$HV02Spns = @("Microsoft Virtual System Migration Service/$HVHost02", "cifs/$HVHost02")
$HV03Spns = @("Microsoft Virtual System Migration Service/$HVHost03", "cifs/$HVHost03")
$HV04Spns = @("Microsoft Virtual System Migration Service/$HVHost04", "cifs/$HVHost04")
$delegationProperty = "msDS-AllowedToDelegateTo"
$delegateToSpns = $HV01Spns + $HV02Spns + $HV03Spns + $HV04Spns
# Configure Kerberos to (Use any authentication protocol)
$HV01Account = Get-ADComputer $HVHost01
$HV01Account | Set-ADObject -Add @{$delegationProperty=$delegateToSpns}
Set-ADAccountControl $HV01Account -TrustedToAuthForDelegation $true
$HV02Account = Get-ADComputer $HVHost02
$HV02Account| Set-ADObject -Add @{$delegationProperty=$delegateToSpns}
Set-ADAccountControl $HV02Account -TrustedToAuthForDelegation $true
$HV03Account = Get-ADComputer $HVHost03
$HV03Account | Set-ADObject -Add @{$delegationProperty=$delegateToSpns}
Set-ADAccountControl $HV03Account -TrustedToAuthForDelegation $true
$HV04Account = Get-ADComputer $HVHost04
$HV04Account | Set-ADObject -Add @{$delegationProperty=$delegateToSpns}
Set-ADAccountControl $HV04Account -TrustedToAuthForDelegation $true
Please note that –TrustedToAuthForDelegation == “Use any authentication protocol” and –TrustedForDelegation == “Use Kerberos Only”.
And that’s it. Two cmdlets basically. A complete snap!
After running the above script, you need to clear the cache on the host using one of the following techniques:
1) KLIST PURGE –LI 0x3e7 (preferred and fastest method).
Invoke-Command $Nodes -ScriptBlock {
KLIST PURGE –LI 0x3e7
}
2) Or, wait 15 minutes for the cache to clear automatically.
3) Or, reboot the Host.
Test live migration now and you are good to go!
Hope that helps!
Learn more
Make sure to check my recent Windows Server Hyper-V Cookbook for in-depth details about Hyper-V! Enjoy
Thanks for reading!
-Ch@rbel-
Are the same commands valid for Server 2019?
Hello Scott, yes the same commands are valid for Server 2019 and 2022!