Hyper-V Core 2016 Kerberos Constrained Delegation Failing

    Question

  • Hi all,

    I am running some tests in a lab environment and have run into an issue that's left me quite confused. I'm running some base VMs in VMware Workstation, two of which are nested virtualization Hyper-V machines installed on Windows Server 2016 Datacenter Core. One last machine simply serves as a GUI management node and Veeam host.

    A visual representation of my environment:

    >Workstation Host (VMware Workstation as hypervisor)
    >>LAB-VHOST01
    >>>>LAB-DC01
    >>>>LAB-ADCS01
    >>>>LAB-NANO01
    >>LAB-VHOST02
    >>LAB-MGMT01

    My challenge lies within trying to live migrate a VM from LAB-VHOST01 to LAB-VHOST02 using the management console on LAB-MGMT01 using Kerberos authentication. I've set up the cifs and 'Microsoft Virtual System Moving Service' services on LAB-VHOST01 to delegate to LAB-VHOST02, and vice versa.

    However, when I initiate a VM migration with those two services delegated, it fails with a 'no credentials are available in the security package' Kerberos error message, and the event log on LAB-MGMT01 reports an Audit Failure on a null SID.

    When I configure either of the VHOSTs to delegate to any service, the live migration is successful. My question then is, what services and/or hosts are actually involved in this process? I've tried delegating every service to the opposite host, but it fails as well. It only succeeds when automated delegation to any service is used. I've had no luck looking online and would appreciate any input.

    Sunday, January 15, 2017 7:09 PM
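
The delegation choices described in the question (specific services versus "any service") are stored as attributes on each host's computer account. The following PowerShell is an added example, not part of the original post: it classifies those attributes in the form `Get-ADComputer` returns them. `Get-DelegationMode` is a hypothetical helper name, and the sample objects and SPN values are constructed.

```powershell
# Added example: classify the Kerberos delegation mode of a computer account.
# Get-DelegationMode is a hypothetical helper; input objects need the properties
# TrustedForDelegation, TrustedToAuthForDelegation and msDS-AllowedToDelegateTo.
function Get-DelegationMode {
    param([Parameter(Mandatory, ValueFromPipeline)] $Computer)
    process {
        # SPNs this account may delegate to (empty when nothing is listed)
        $targets = @($Computer.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
        $mode = if ($Computer.TrustedForDelegation) {
            'Unconstrained: any service'
        } elseif ($targets.Count -eq 0) {
            'No delegation'
        } elseif ($Computer.TrustedToAuthForDelegation) {
            'Constrained: any authentication protocol'
        } else {
            'Constrained: Kerberos only'
        }
        # Service class is the part of each SPN before the first "/"
        $classes = $targets | ForEach-Object { ($_ -split '/', 2)[0] } | Sort-Object -Unique
        [pscustomobject]@{
            Name           = $Computer.Name
            Mode           = $mode
            ServiceClasses = $classes -join ', '
            Targets        = $targets -join '; '
        }
    }
}

# Constructed sample objects standing in for the lab hosts named in the question.
$sample = @(
    [pscustomobject]@{ Name='LAB-VHOST01'; TrustedForDelegation=$false; TrustedToAuthForDelegation=$false
        'msDS-AllowedToDelegateTo' = @('cifs/LAB-VHOST02',
                                       'Microsoft Virtual System Migration Service/LAB-VHOST02') }
    [pscustomobject]@{ Name='LAB-VHOST02'; TrustedForDelegation=$true; TrustedToAuthForDelegation=$false
        'msDS-AllowedToDelegateTo' = @() }
)
$sample | Get-DelegationMode | Format-List

# Against a live domain (requires the ActiveDirectory module):
# Get-ADComputer -Filter 'Name -like "LAB-VHOST*"' -Properties TrustedForDelegation,
#     TrustedToAuthForDelegation, msDS-AllowedToDelegateTo | Get-DelegationMode
```

An account reported as unconstrained can forward a connecting user's ticket to any service, so that mode is the one to look for when reviewing hosts.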

All replies

  • Hi John,

    >>I've set up the cifs and 'Microsoft Virtual System Moving Service' services on LAB-VHOST01 to delegate to LAB-VHOST02, and vice versa.

    The guides I could find seem to only mention the two services, no other services.

    >>When I configure either of the VHOSTs to delegate to any service, the live migration is successful. My question then is, what services and/or hosts are actually involved in this process?

    I suppose you could use it as a workaround since I could not find more related documents so far.

    Best Regards,

    Leo


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, January 16, 2017 4:52 AM
    Moderator
  • "I'm running some base VMs in VMware Workstation, two of which are nested virtualization Hyper-V machines installed on Windows Server 2016 Datacenter Core. "

    Microsoft does not support nested virtualization on any hypervisor besides Hyper-V 2016 today.  So you are running a configuration that is not supported by Microsoft.  VMware has different rules for what they 'support', so you would need to check with them to see if they 'support' what you are trying to do with VMware Workstation.


    . : | : . : | : . tim

    Monday, January 16, 2017 1:43 PM
  • Hi,
    Are there any updates on the issue?
    You could mark the reply as answer if it is helpful.
    Best Regards,
    Leo

    Monday, January 30, 2017 1:35 AM
    Moderator