Hyper-V 2016 Management Pack NTLM issue (DiscoverHyperV2016VirtualMachine.ps1, SCOM 2016 UR3)

  • Question

  • Hi,

    We have an environment where NTLM authentication requests against the SMB storage for the Hyper-V virtual machines are not allowed.

    Every hour when DiscoverHyperV2016VirtualMachine.ps1 runs, the Hyper-V vmms.exe records the following event:

    ID: 15268. Failed to get the disk information.

    Removing the SCOM agent resolves the issue. SPNs on the SMB storage are correct.

    Question: can I make the Hyper-V 2016 MP use Kerberos only?

    Thursday, August 31, 2017 7:39 AM

All replies

  • Hi,

    What makes you think that the discovery script uses NTLM authentication? The event tells that it is not able to discover the disk, but nothing about authentication.

    The authentication protocol between SCOM and its agent is Kerberos:

    From:

    Authentication and Data Encryption for Windows Computers

    "An agent and the management server use Windows authentication to mutually authenticate with each other before the management server accepts data from the agent. The Kerberos version 5 protocol is the default method for providing authentication. In order for Kerberos-based mutual authentication to function, the agents and management server must be installed in an Active Directory domain."

    The agent in turn uses a security account to do the discovery (run the script):

    From the Hyper-V MP guide:

    "Security Configuration

    The following run as a Privileged Monitoring Account, which defaults to Local System:

    • Virtual Machine Discovery
    • Virtual Network Discovery
    • Guest Computer Relationship Discovery
    • Virtual Network Relationship Discovery
    • Free Disk Space Collection Rule"

    Hope that helps a bit. Regards,


    Stoyan (Please take a moment to "Vote as Helpful" and/or "Mark as Answer" where applicable. This helps the community, keeps the forums tidy, and recognizes useful contributions. Thanks!) Blog: https://blog.pohn.ch/ Twitter: @StoyanChalakov


    Thursday, August 31, 2017 9:09 AM
  • Hi,

    Thanks for engaging in this thread.

    Every time the discovery script runs, the following two correlated event IDs occur on the Hyper-V host:

    ID: 15268. Failed to get the disk information.
    ID: 27000  Failed to open attachment '\\xxx.xxx.xx\XXX\XXXX.vhdx'. Error: 'The user name or password is incorrect.'.

    This happens for each VHD, so I suspect this function is the culprit.

    foreach ($vhd in $vhds)
    {
        $deviceID = ""
        if ($vhd.InstanceID -ne $null)
        {
            $deviceID = $vhd.InstanceID;
        }

        $filePath = ""
        $driveType = ""
        $deviceName = "Hard Disk"
        $hostResourceArray = $vhd.HostResource;
        if ($hostResourceArray -ne $null -and $vhdsvc -ne $null)
        {
            $filePath = $hostResourceArray[0];
            if (IsHigherThanWin2008)
            {
                $outParams = Invoke-CimMethod -InputObject $vhdsvc[0] -MethodName GetVirtualHardDiskSettingData -Arguments @{Path=$filePath};
            }
            else
            {
                $outParams = $vhdsvc.GetVirtualHardDiskSettingData($filePath);
            }
            $xmlDoc = new-object -comObject 'Microsoft.XMLDOM';
            $xmlDoc.async = "false";
            $xmlDoc.loadXML($outParams.SettingData)
            $xPath = "/INSTANCE/PROPERTY[@NAME='Type']/VALUE/child:text()"
            $node = $xmlDoc.selectSingleNode($xPath)
            if ($node -ne $null)
            {
                if ($node.Text -ne "")
                {
                    $driveType = $node.Text;
                }
            }
        }

        $oInstance = $oDiscoveryData.CreateClassInstance("$MPElement[Name='Microsoft.Windows.HyperV.2016.VirtualDrive']$")
        $oInstance.AddProperty("$MPElement[Name='System!System.Entity']/DisplayName$", $deviceName)
        $oInstance.AddProperty("$MPElement[Name='Windows!Microsoft.Windows.Computer']/PrincipalName$", $ComputerIdentity)
        $oInstance.AddProperty("$MPElement[Name='HVLib!Microsoft.Windows.HyperV.ServerRole']/ServerId$", $ComputerIdentity)
        $oInstance.AddProperty("$MPElement[Name='HVLib!Microsoft.Windows.HyperV.VirtualMachine']/VirtualMachineId$", $vmId)
        $oInstance.AddProperty("$MPElement[Name='HVLib!Microsoft.Windows.HyperV.VirtualHardwareComponent']/DeviceId$", $deviceID)
        $oInstance.AddProperty("$MPElement[Name='HVLib!Microsoft.Windows.HyperV.VirtualHardwareComponent']/Name$", $deviceName)
        $oInstance.AddProperty("$MPElement[Name='HVLib!Microsoft.Windows.HyperV.VirtualHardwareComponent']/VirtualMachineName$", $vmName)
        $oInstance.AddProperty("$MPElement[Name='HVLib!Microsoft.Windows.HyperV.VirtualDrive']/ImageFile$", $filePath)
        $oInstance.AddProperty("$MPElement[Name='HVLib!Microsoft.Windows.HyperV.VirtualDrive']/DriveType$", $driveType)
        $oDiscoveryData.AddInstance($oInstance)
    }

    I can also see that the last line, /DriveType$, is missing from the SCOM discovery data; however, when I run the function manually it returns the /DriveType$ info. VHDs that are local to the Hyper-V host have the drive type discovered and visible in SCOM.

    The SMB storage appliance shows the following in the debug.log:

    vmstore[26647]: SMB: [42406326] [tid 31641] Smb2SessionSetup: Denied unsupported NTLM authentication request: client xxx.xxx.xxx.xxx:53725, status 0xC000006D, dataPathHostname "xxx.xxx.xx", dnsDomainName "xxx.xx"

    Update:

    Disabling the following rules makes the errors disappear on all hosts:

    Free Space Collection Rule
    Hyper-V 2016 Virtual Machine Hard Drive Percentage of Used Space Collection Rule

    Br,

    Chris
    • Edited by JLCM Thursday, August 31, 2017 2:18 PM
    Thursday, August 31, 2017 12:52 PM
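    The correlation Chris describes (VMMS events 15268/27000 on every discovery run, with the appliance rejecting an NTLM session setup at the same moment) can also be checked from the host side, which tells you which local process actually sent the NTLM request. The PowerShell below is an added example and is not code from the thread or from the Hyper-V management pack. It assumes that the policy "Network security: Restrict NTLM: Audit outgoing NTLM traffic to remote servers" is set on the host so that Microsoft-Windows-NTLM/Operational logs event 8001, that VMMS writes 15268/27000 to the Microsoft-Windows-Hyper-V-VMMS-Admin log, and that `storage.example.local` is a placeholder for the SMB host name used in the VHDX paths.

```powershell
# Added example (not from the thread or the management pack).
# Assumptions: NTLM outgoing audit policy enabled (event 8001 in
# Microsoft-Windows-NTLM/Operational); VMMS events 15268/27000 in
# Microsoft-Windows-Hyper-V-VMMS-Admin; $StorageHost is a placeholder.

function Get-VmmsNtlmCorrelation {
    param(
        [string]$StorageHost = 'storage.example.local',   # placeholder SMB host
        [int]$HoursBack = 2,
        [int]$WindowSeconds = 30
    )

    $since = (Get-Date).AddHours(-$HoursBack)

    # "Failed to get the disk information" / "Failed to open attachment"
    $vmms = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Hyper-V-VMMS-Admin'
        Id        = 15268, 27000
        StartTime = $since
    } -ErrorAction SilentlyContinue)

    # Outgoing NTLM audit: one event per NTLM authentication the host attempted
    $ntlm = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001
        StartTime = $since
    } -ErrorAction SilentlyContinue)

    # Keep only audits whose target is the SMB storage host
    $toStorage = $ntlm | Where-Object { $_.Message -match [regex]::Escape($StorageHost) }

    foreach ($e in $vmms) {
        # NTLM audits within +/- $WindowSeconds of the VMMS error
        $near = @($toStorage | Where-Object {
            [math]::Abs(($_.TimeCreated - $e.TimeCreated).TotalSeconds) -le $WindowSeconds
        })

        # The 8001 message carries the originating process; the field label is
        # assumed here and parsed tolerantly (it is not taken from the thread).
        $procs = $near | ForEach-Object {
            if ($_.Message -match 'client process:\s*(?<p>[^\r\n]+)') { $Matches.p.Trim() }
        } | Sort-Object -Unique

        [pscustomobject]@{
            Time            = $e.TimeCreated
            VmmsEventId     = $e.Id
            NtlmAuditsNear  = $near.Count
            NtlmClientProcs = ($procs -join ', ')
        }
    }
}

function Test-StorageCifsSpn {
    # Kerberos to the share needs a cifs/<name> SPN for the name in the VHDX
    # path; setspn -Q reports "Existing SPN found!" when one is registered.
    param([string]$StorageHost = 'storage.example.local')   # placeholder
    $out = & setspn.exe -Q "cifs/$StorageHost" 2>&1 | Out-String
    [pscustomobject]@{
        Spn   = "cifs/$StorageHost"
        Found = ($out -match 'Existing SPN found')
    }
}

# Usage on the Hyper-V host (elevated):
Get-VmmsNtlmCorrelation -StorageHost 'storage.example.local' | Format-Table -AutoSize
Test-StorageCifsSpn -StorageHost 'storage.example.local'
```

    If every 15268/27000 pair lines up with an 8001 audit whose client process is vmms.exe, the NTLM attempt comes from the disk query the discovery triggers rather than from the SCOM agent's own channel (which, as quoted above, is Kerberos). A missing or mismatched cifs/ SPN for the exact host name in the VHDX path is the usual reason the host silently falls back from Kerberos to NTLM, so the SPN check is worth running with the same name that appears in the paths.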
  • Hi Chris,

    I think it all comes down to the account's permissions, because of the error you get:

    Error: 'The user name or password is incorrect.'.

    The discovery is done with the account I mentioned. Can you please make sure the user name is typed correctly and the correct password is also entered?

    This would also explain why you get the drive type back (you have the permissions to run the script and obtain this information) and the script, run by the account, does not.

    Try running the script as LocalSystem. Are you able to do so?

    Here a short guide on how to test this:

    Run PowerShell using Local System Account

    If you get an error back then it is pretty clear.

    Cheers,


    Stoyan (Please take a moment to "Vote as Helpful" and/or "Mark as Answer" where applicable. This helps the community, keeps the forums tidy, and recognizes useful contributions. Thanks!) Blog: https://blog.pohn.ch/ Twitter: @StoyanChalakov

    Thursday, August 31, 2017 3:32 PM
  • Hi Chris,

    As Stoyan mentioned, you may specify an account for that rule, "Free Disk Space Collection Rule".

    Have you tried to use an account which is both admin of the Hyper-V server and of that SMB share?

    Best Regards,

    Elton


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    • Edited by Elton_Ji Tuesday, September 5, 2017 7:40 AM
    Tuesday, September 5, 2017 7:40 AM
  • Sorry for the delay guys.

    I have successfully verified that I can run the script function (DiscoverVirtualDisks()) as NT AUTHORITY\SYSTEM. This was expected since the host has Full Control permissions on the target SMB share.

    I'm clueless here, since even with the rules disabled I still get the VHDX errors on the hosts when the base discovery runs.

    Br,

    Chris

    Tuesday, September 5, 2017 12:15 PM
  • Hi Elton,

    I can see that the profile for the Hyper-V hosts uses "Local System", and I've verified that I can run the script in the context of Local System and get properties like "drive type", which are not discovered when triggered by HealthService. Any ideas what more I can look for?

    Br,

    Chris

    Tuesday, September 5, 2017 12:23 PM