none
Issues with SSP portal auth store

    Question

  • Hello everybody,

    I'm facing an issue with SCVMM 2008 R2 SP1 Self-Service portal. Let me explain :

    • Last week, some users indicated that they could not connect to their VM using SSP, getting a message saying that another connection has been established to the VM. Local connection on the Hyper-V host is OK, from the SCVMM admin console also.
    • Il the VMM logs in Event Viewer, we were getting messages like "The Virtual Machine Manager server could not copy a required Hyper-V authorization file to hpvmachine.example.com". After having investigated and found some answers on the internet, I finally dropped the host out of the SCVMM and re-integrated it. (the HyperVauthstore.xml file on the host was not OK, registry keys about it were not OK, now it's good)
    • For now, we do not have this message anymore. BTW, the connection to the VM does not work. Ever the same message. But now on the Hyper-V host, we get warning messages in the "Hyper-V Worker/Admin" logs : "Virtual machine 'vm_name' is assigned to an authorization scope that is currently not defined in the policy store: '7f80c839-b22b-4551-9618-6315508836c1'. The virtual machine will be reassigned to the default authorization scope. (Virtual machine ID 05A3586B-B82A-4F81-80C0-D224468635D4)" (Event ID 17030). I could not find any documentation about this error, and no other issue resolved in the forums.

    Could you indicate me what I could do with this issue ? Note that the server is in production, so I cannot re-install OS... Thanks in advance !!

    Thursday, January 19, 2012 10:53 AM

All replies

  • Hello,

    Not anyone to help me ?

    Thanks !

    Regards,

    Pierre

    Friday, January 27, 2012 10:41 AM
  • The VMs you have problems with, have you done any import/export of them prior to this behavior?

    What happens if you create a new VM? are you able to connect to it using the SSP?

     


    Kristian (Virtualization and some coffee: http://kristiannese.blogspot.com )
    Friday, January 27, 2012 11:46 AM
  • No, the VMs are built by cloning master VMs.

    And the issue is present on all of the VMs on this host, even the new ones.

    Thanks !

    Friday, January 27, 2012 3:50 PM
  • I have the same issue, although for me, only some of the VMs are affected, not all of them. SCVMM 2008 R2 SP1 is managing two hosts running Windows Server 2008 R2 SP1. There's no pattern to which ones are affected - only a few on each host. However, there are log entries matching the one in the initial post in this thread:

    Virtual machine 'xxxx' is assigned to an authorization scope that is currently not defined in the policy store: '7b04339f-14b9-4193-9f63-92094d80d8fb'. The virtual machine will be reassigned to the default authorization scope. (Virtual machine ID 966A42D3-55DF-4C04-B336-964378AB9A67)
     
    I have opened the Authorization Manager console and opened the HyperVAuthStore.xml file, and confirmed that that scope does in fact exist.
     
    The issue also occurs from the Virtual Machine Manager Administration Console, if run by a user that does not have administrative rights on the hosts. If run by the domain administrator, the affected VMs can be accessed. This seems to point to this security issue being the problem.


    Thursday, March 15, 2012 6:16 PM
  • I believe I have now solved my issue. The virtual machines affected were already running when I added the hosts to SCVMM (they had been exported from an old server running Windows Server 2008, managed by SCVMM 2008). My hypothesis is that when SCVMM changes the location of the authorization store, the running worker processes do not pick up the change. For me, warning 17030 was coming from Hyper-V-Worker, not Hyper-V-VMMS, and appears to be generated when you use "Connect to VM", if SCVMM has attempted to set the scope since you last tried to connect.

    Forcing the worker process to stop, by stopping or shutting down the VM, means that the new worker process will pick up the correct authorization store. The scope will still be incorrect at this point. It will be fixed by the next SCVMM authorization store refresh (occurs every 30 minutes), or if you change a security setting (e.g. the VM's owner) SCVMM appears to update it immediately. You can also fix it using the SetScope script available at http://blogs.technet.com/b/alipka/archive/2008/07/02/off-topic-things-and-some-hyper-v-goodies-resources-backup-and-azman-scope-scripts.aspx .

    Both my hosts are running Windows Server 2008 R2 SP1.

    Friday, March 16, 2012 2:38 PM