When you configure Live Migration settings on a Windows Server 2012 Hyper-V host, you have two options for authenticating Live Migration sessions:
- Use Credential Security Support Provider (CredSSP)
- Use Kerberos
Kerberos is my recommendation to customers, because it is more secure than CredSSP. However, the Kerberos option requires constrained delegation. If you do not configure constrained delegation, Live Migration of a virtual machine is not possible and you will receive a message that the source server does not have enough permissions to migrate the virtual machine to another host.
Yesterday I was at a customer location and wanted to configure constrained delegation so that I could use Kerberos as the authentication protocol for Live Migration.
I opened Active Directory Users and Computers and browsed to the computer objects representing the Hyper-V hosts. I went into the properties of the computer object and selected the ‘Delegation’ tab (just like the screenshot below).
When I tried to add the service ‘Microsoft Virtual System Migration Service’, it was not available in the list of services.
So I started a discussion with the guy who had installed the servers and asked him how he had installed the Hyper-V role. He told me that he had enabled the Hyper-V role while the servers were not yet joined to Active Directory….. Tadaaa, that’s the reason why the service Microsoft Virtual System Migration Service was not available!!
To solve this you have to register the Service Principal Names (SPNs) for this service yourself. To do so, open a Command Prompt or a PowerShell prompt and run the following commands (the SPN is the service name, a slash, and then the host name in its short and fully qualified forms):
- setspn -S "Microsoft Virtual System Migration Service/Servername" Servername
- setspn -S "Microsoft Virtual System Migration Service/Servername.fqdn" Servername
After running those commands you will see ‘Microsoft Virtual System Migration Service’ in the list of services that you can add for delegation using Kerberos.
Lesson learned: first join the Hyper-V server to Active Directory, and only after the server is joined enable the Hyper-V role.
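The following script is an added example and is not part of the original post: it checks whether a Hyper-V host's computer object carries both Live Migration SPNs, registers any that are missing with the same setspn -S command shown above, and then verifies that the source host's constrained delegation (the msDS-AllowedToDelegateTo attribute behind the ‘Delegation’ tab) actually lists the destination's migration service. It assumes the RSAT ActiveDirectory module is installed and uses HV01 and HV02 as placeholder host names.

```powershell
# Added example, not from the original post. Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$Service = 'Microsoft Virtual System Migration Service'

function Get-MigrationSpn {
    param([string]$ComputerName)
    $c = Get-ADComputer -Identity $ComputerName -Properties servicePrincipalName, DNSHostName
    # Both the short and the FQDN form must be present (matches the two setspn commands)
    $expected = @("$Service/$($c.Name)", "$Service/$($c.DNSHostName)")
    $missing  = @($expected | Where-Object { $c.servicePrincipalName -notcontains $_ })
    [pscustomobject]@{ Computer = $c.Name; Expected = $expected; Missing = $missing }
}

function Register-MigrationSpn {
    param([string]$ComputerName)
    $result = Get-MigrationSpn -ComputerName $ComputerName
    foreach ($spn in $result.Missing) {
        # setspn -S refuses to add a duplicate SPN anywhere in the forest
        & setspn.exe -S $spn $ComputerName
    }
    if (-not $result.Missing) { Write-Host "$ComputerName already has both migration SPNs" }
}

function Test-MigrationDelegation {
    param([string]$SourceHost, [string]$DestHost)
    # The source host must be trusted to delegate to the destination's migration service
    $src = Get-ADComputer -Identity $SourceHost -Properties 'msDS-AllowedToDelegateTo'
    $dst = Get-ADComputer -Identity $DestHost   -Properties DNSHostName
    $needed  = @("$Service/$($dst.Name)", "$Service/$($dst.DNSHostName)")
    $allowed = @($src.'msDS-AllowedToDelegateTo')
    $missing = @($needed | Where-Object { $allowed -notcontains $_ })
    if ($missing) {
        Write-Warning "$SourceHost is not allowed to delegate to: $($missing -join ', ')"
    }
    return (-not $missing)
}

# Usage with placeholder host names (hypothetical): fix SPNs, then check delegation
Register-MigrationSpn -ComputerName 'HV01'
Register-MigrationSpn -ComputerName 'HV02'
Test-MigrationDelegation -SourceHost 'HV01' -DestHost 'HV02'
```

Run it from an account that may write servicePrincipalName on the computer objects; a False result from the delegation test is the state that produces the "not enough permissions" error described above.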