none
Hyper-V Live Migration:CredSSP RRS feed

  • Pertanyaan

  • credssp

    Hi folks,

    While configuring settings for Live Migrations in H-V there are 2 authentication options, one of them is CredSSP. There is pretty solid info about Kerberos, but I wonder why and when would you go for CredSsp?

    Any example. I understand that no further config is needed in this case. There is very little info about this bird.

    Thanks for your insights!

    Jumat, 06 Desember 2019 15.14

Semua Balasan

  • CredSSP works without any extra configuration steps, which makes it easier. You would prefer it when you don't have the authority to setup delegations. I don't know exactly where the line is drawn, but just having full control over the individual computer objects is not sufficient to set up delegation. CredSSP is also convenient when you have a one-off Live Migration that you'll do exactly one time, and don't want to go poking in AD just for that single event.

    Eric Siron
    Altaro Hyper-V Blog
    I am an independent contributor, not an Altaro employee. I accept all responsibility for the content of my posts. You accept all responsibility for any actions that you take based on the content of my posts.

    • Disarankan sebagai Jawaban oleh Tim CerlingMVP Sabtu, 07 Desember 2019 13.32
    Jumat, 06 Desember 2019 16.10
  • Hi,

    As you can see, using CredSSP authentication is the easiest option, but it requires you to log in locally to the Hyper-V host running the virtual machine that you want to live migrate. Kerberos offers better flexibility, but the use of constrained delegation is essential.

    CredSSP has a single hop limitation, meaning it is able to pass the administrator's credentials to a remote system, but the credentials cannot be passed any further. Kerberos does not have this limitation, meaning the administrator's credentials can be passed across multiple servers if necessary.

    • Kerberos lets you avoid having to sign in to the server, but requires constrained delegation to be set up. See below for instructions.

    • CredSSP lets you avoid configuring constrained delegation, but requires you sign in to the source server. You can do this through a local console session, a Remote Desktop session, or a remote Windows PowerShell session.

      CredSPP requires signing in for situations that might not be obvious. For example, if you sign in to TestServer01 to move a virtual machine to TestServer02, and then want to move the virtual machine back to TestServer01, you'll need to sign in to TestServer02 before you try to move the virtual machine back to TestServer01. If you don't do this, the authentication attempt fails, an error occurs, and the following message is displayed:

      "Virtual machine migration operation failed at migration Source. Failed to establish a connection with host computer name: No credentials are available in the security package 0x8009030E."

    For more information, you can refer to:

    https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/deploy/set-up-hosts-for-live-migration-without-failover-clustering

    https://searchservervirtualization.techtarget.com/tip/Should-you-use-CredSSP-or-Kerberos-authentication-for-Live-Migration

    Best Regards,

    Daniel


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact

    Senin, 09 Desember 2019 07.38
    Moderator
  • Way to go! The second link demands login...:D
    Senin, 09 Desember 2019 15.25
  • This link just for your reference, About the difference between them, Eric and I have explained it to you. There are also some explanations in the official documents. You can have a look at.


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact

    Selasa, 10 Desember 2019 01.55
    Moderator