Configuring constrained delegation to authenticate live migrations

Share

Constrained delegation allows live migrations to be started using any remote management tool and might help in providing more flexibility to move your VMs.

If the connection between the source and destination computers cannot be authenticated, an error occurs and the following message is displayed:

Virtual machine migration operation failed at migration Source.

Failed to establish a connection with host<computer name>: No credentials are available in the security package (0x8009030E).

To solve this issue you have to configuring constrained delegation to authenticate live migrations on both Hyper-V servers.

To enable it, just follow this steps

1. Open Active Directory Users and Computers

2. Right-click on the host computer account

3. Click on Properties.

clip image002 thumb Configuring constrained delegation to authenticate live migrations

4. In the Properties window, click on the Delegation tab, select Trust this computer for delegation to the specified services only

clip image004 thumb Configuring constrained delegation to authenticate live migrations

5. Select Use Kerberos only.

6. Click on Add

clip image006 thumb Configuring constrained delegation to authenticate live migrations

7. Click Users or Computers.

clip image008 thumb Configuring constrained delegation to authenticate live migrations

8. In the Select Users or Computers box, type the destination host server name and click OK.

9. In the Add Services dialog box

a. Select cifs

clip image010 thumb Configuring constrained delegation to authenticate live migrations

b. Select Microsoft Virtual System Migration Service

clip image012 thumb Configuring constrained delegation to authenticate live migrations

c. Click on OK. The two services will be listed in the service type, as shown in the next screenshot:

clip image014 thumb Configuring constrained delegation to authenticate live migrations

10. Click on OK to close the computer properties window and repeat the same process on the destination server computer account.

NOTE: The configuration changes do not take effect until the following has occurred:

· The changes have replicated to the domain controllers that the servers running Hyper-V are logged into.

· A new Kerberos ticket has been issued.

After that, you can change the live migration authentication type to use Kerberos.

Written by Marcos Nogueira

Author marcos Configuring constrained delegation to authenticate live migrations

Marcos Nogueira is a specialist in Private Cloud, with a focus on Virtualization and System Center. He has 10+ years has a Microsoft Certified, with more than 60+ certifications. He had directly collaborated with Microsoft in the development of workshops and special events with products such as Private Cloud, System Center, Windows Server, Windows client among others, and as a speaker at several TechNet events and TechEd Events (NORAM and EMEA).

website Configuring constrained delegation to authenticate live migrationstwitter Configuring constrained delegation to authenticate live migrationsfacebook Configuring constrained delegation to authenticate live migrationslinkedin Configuring constrained delegation to authenticate live migrations

One thought on “Configuring constrained delegation to authenticate live migrations

  1. I have been struggeling with this almost an entire day.
    Turns out that you can’t have your Hyper-V server using a 2003 domain controller as logonserver (the domain functional level can be 2003, but when your Hyper-V server is logging on to a 2003 DC, you get the same error as if you haden’t configured KCD at all)

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>