Configuring Constrained Delegation with Kerberos in Windows Server 2016 Hyper-V With PowerShell #HyperV #WS2016


Microsoft recently announced a configuration change for constrained delegation with Kerberos in Windows Server 2016 Hyper-V (Live Migration).

You can read about this announcement here.

In short, constrained delegation lets you limit the back-end services for which a front-end service can request tickets on behalf of another user. I would suggest that you read the Ask the Directory Services Team blog post “Understanding Kerberos Double Hop” to get up to speed.

A common example of constrained delegation is Hyper-V Live Migration, when you initiate a move from one Hyper-V host to another from your management desktop.

Many users, myself included, encountered the following irritating error message when attempting to migrate a virtual machine using a remote management machine or PowerShell:

[No credentials are available in the security package (0x8009030E)] 


In Windows Server 2016, Microsoft shifted from using the Hyper-V WMI Provider *v1* over *DCOM* to the Hyper-V WMI Provider *v2* over *WinRM* in order to unify Hyper-V remoting with other Windows remoting tools such as PowerShell Remoting, and this causes live migration to fail with constrained delegation set to “Use Kerberos only”.

The fix is easy and the best approach that Microsoft found to resolve this issue is a configuration change in Active Directory as documented by John in the article.

However, I came across another challenge when I needed to apply this change to several Hyper-V 2016 hosts in my environment, because I would have to change the settings manually in Active Directory under the Delegation tab in the account properties for each Hyper-V host.

It’s a complete breeze to configure the same settings using the Active Directory module for Windows PowerShell!

To do so, open an elevated PowerShell console on your management machine, import the Active Directory module and run the following script:

# Kerberos delegation to configure Live-Migration in Kerberos mode for Windows Server 2016 Hyper-V
Import-Module ActiveDirectory
# Variables
$HVHost01 = "HV01"
$HVHost02 = "HV02"
$HVHost03 = "HV03"
$HVHost04 = "HV04"

# Delegate Microsoft Virtual System Migration Service and CIFS for every other possible Live Migration host
$HV01Spns = @("Microsoft Virtual System Migration Service/$HVHost01", "cifs/$HVHost01")
$HV02Spns = @("Microsoft Virtual System Migration Service/$HVHost02", "cifs/$HVHost02")
$HV03Spns = @("Microsoft Virtual System Migration Service/$HVHost03", "cifs/$HVHost03")
$HV04Spns = @("Microsoft Virtual System Migration Service/$HVHost04", "cifs/$HVHost04")

$delegationProperty = "msDS-AllowedToDelegateTo"
$delegateToSpns = $HV01Spns + $HV02Spns + $HV03Spns + $HV04Spns

# Configure constrained delegation with "Use any authentication protocol" on each host
$HV01Account = Get-ADComputer $HVHost01
$HV01Account | Set-ADObject -Add @{$delegationProperty=$delegateToSpns}
Set-ADAccountControl $HV01Account -TrustedToAuthForDelegation $true

$HV02Account = Get-ADComputer $HVHost02
$HV02Account | Set-ADObject -Add @{$delegationProperty=$delegateToSpns}
Set-ADAccountControl $HV02Account -TrustedToAuthForDelegation $true

$HV03Account = Get-ADComputer $HVHost03
$HV03Account | Set-ADObject -Add @{$delegationProperty=$delegateToSpns}
Set-ADAccountControl $HV03Account -TrustedToAuthForDelegation $true

$HV04Account = Get-ADComputer $HVHost04
$HV04Account | Set-ADObject -Add @{$delegationProperty=$delegateToSpns}
Set-ADAccountControl $HV04Account -TrustedToAuthForDelegation $true

Please note that -TrustedToAuthForDelegation == “Use any authentication protocol” and -TrustedForDelegation == “Use Kerberos Only”.

And that’s it. Two cmdlets basically. A complete snap!
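To confirm the change landed on every host, and that nothing beyond the Live Migration SPNs is delegated, a read-only check like the one below can be run afterwards. It is an added example, not part of the original script; the function name Test-HVDelegation is hypothetical, and the host names are the sample values used in the script above.

```powershell
# Added example: read-only audit of the delegation settings written by the script above.
# Test-HVDelegation is a hypothetical helper name; HV01..HV04 are the article's sample hosts.
Import-Module ActiveDirectory

function Test-HVDelegation {
    param(
        [Parameter(Mandatory)] [string[]] $HVHosts
    )

    # Expected SPN set: migration service and CIFS for every host, as in the script above
    $expected = foreach ($h in $HVHosts) {
        "Microsoft Virtual System Migration Service/$h"
        "cifs/$h"
    }

    $properties = 'msDS-AllowedToDelegateTo', 'TrustedToAuthForDelegation', 'TrustedForDelegation'

    foreach ($h in $HVHosts) {
        $account = Get-ADComputer -Identity $h -Properties $properties
        $actual  = @($account.'msDS-AllowedToDelegateTo')

        # SPNs the script should have added but that are absent (comparison is case-insensitive)
        $missing    = @($expected | Where-Object { $actual -notcontains $_ })
        # SPNs delegated on the account that the Live Migration configuration does not explain
        $unexpected = @($actual | Where-Object { $expected -notcontains $_ })

        [pscustomobject]@{
            Host                       = $h
            # Set by Set-ADAccountControl -TrustedToAuthForDelegation $true
            TrustedToAuthForDelegation = [bool]$account.TrustedToAuthForDelegation
            # ADS_UF_TRUSTED_FOR_DELEGATION flag; the script above does not set it
            TrustedForDelegation       = [bool]$account.TrustedForDelegation
            MissingSpns                = $missing -join '; '
            UnexpectedSpns             = $unexpected -join '; '
            Compliant                  = ($account.TrustedToAuthForDelegation -and
                                          $missing.Count -eq 0 -and
                                          $unexpected.Count -eq 0)
        }
    }
}

Test-HVDelegation -HVHosts 'HV01', 'HV02', 'HV03', 'HV04' | Format-Table -AutoSize
```

Entries under UnexpectedSpns deserve a review: with “Use any authentication protocol” enabled, the host can obtain tickets to every listed service on behalf of a user without that user having authenticated with Kerberos.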


After running the above script, you need to clear the cache on the host using one of the following techniques:

    • KLIST PURGE -LI 0x3e7 (preferred and fastest method).
    • Wait 15 minutes for the cache to clear automatically.
    • Reboot the Host.


Test live migration now and you are good to go!


Hope that helps!

Make sure to check my recent Windows Server 2016 Hyper-V Cookbook for in-depth details about Hyper-V 2016! Enjoy!


Thanks for reading!

About Charbel Nemnom 577 Articles
