Live Migration via Constrained Delegation with Kerberos in Windows Server 2016

Introduction

Many Hyper-V customers have run into new challenges when trying to use constrained delegation with Kerberos to Live Migrate VMs in Windows Server 2016.  When attempting to migrate, they would see errors with messages like “no credentials are available in the security package,” or “the Virtual Machine Management Service failed to authenticate the connection for a Virtual Machine migration at the source host: no suitable credentials available.”  After investigating, we have determined the root cause of the issue and have updated guidance for how to configure constrained delegation.

Fixing This Issue

Resolving this issue is a simple configuration change in Active Directory.  In the following dialog, select “use any authentication protocol” instead of “use Kerberos only.”

[Image: constrained_delegation – the Delegation tab of the computer account in Active Directory Users and Computers]

Root Cause

Warning: the next two sections go a bit deep into the internal workings of Hyper-V.

The root cause of this issue is an under-the-hood change in Hyper-V remoting.  Between Windows Server 2012 R2 and Windows Server 2016, we shifted from using the Hyper-V WMI Provider *v1* over *DCOM* to the Hyper-V WMI Provider *v2* over *WinRM*.  This is a good thing: it unifies Hyper-V remoting with other Windows remoting tools (e.g. PowerShell Remoting).  This change matters for constrained delegation because:

  1. WinRM runs as NETWORK SERVICE, while the Virtual Machine Management Service (VMMS) runs as SYSTEM.
  2. The way WinRM does inbound authentication stores the nice, forwardable Kerberos ticket in a location that is unavailable to NETWORK SERVICE.

The net result is that WinRM cannot access the forwardable Kerberos ticket, and the Live Migration fails on Windows Server 2016.  After exploring possible solutions, the best (and fastest) option here is to enable “protocol transition” by changing the constrained delegation configuration as shown above.

How does this impact security?

You may think this approach is less secure, but in practice, the impact is debatable.

When Kerberos Constrained Delegation (KCD) is configured to “use Kerberos only,” the system performing delegation must possess a Kerberos service ticket from the delegated user as evidence that it is acting on behalf of that user.  By switching KCD to “use any authentication protocol”, that requirement is relaxed such that a service ticket acquired via Kerberos S4U logon is acceptable.  This means that the delegating service is able to delegate an account without direct involvement of the account owner.  While enabling the use of any protocol — often referred to as “protocol transition” — is nominally less secure for this reason, the difference is marginal due to the fact that the disabling of protocol transition provides no security promise.  Single-sign-on authentication between systems sharing a domain network is simply too ubiquitous to treat an inbound service ticket as proof of anything.  With or without protocol transition, the only secure way to limit the accounts that the service is permitted to delegate is to mark those accounts with the “account is sensitive and cannot be delegated” bit.
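The following PowerShell script is an added example, not part of the original post: it applies the configuration change from “Fixing This Issue” (constrained delegation with protocol transition between a pair of Hyper-V hosts) and then runs the two checks a defender would want after reading this section: which accounts now have protocol transition enabled, and which privileged accounts still lack the “account is sensitive and cannot be delegated” bit. It assumes the ActiveDirectory module, the placeholder host names HV01 and HV02, and the service types Microsoft documents for Live Migration (“Microsoft Virtual System Migration Service” and “cifs”), none of which appear in the post itself.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module is available and run as a domain administrator.
Import-Module ActiveDirectory

$hosts    = 'HV01', 'HV02'                      # placeholder Hyper-V host accounts
$services = 'Microsoft Virtual System Migration Service', 'cifs'
$dnsRoot  = (Get-ADDomain).DNSRoot

foreach ($src in $hosts) {
    # Each host may delegate only to the *other* hosts, only for the two
    # service types Live Migration needs (short and FQDN SPN forms).
    $targets = foreach ($dst in ($hosts | Where-Object { $_ -ne $src })) {
        foreach ($svc in $services) { "$svc/$dst"; "$svc/$dst.$dnsRoot" }
    }
    $dn = (Get-ADComputer -Identity $src).DistinguishedName
    Set-ADObject -Identity $dn -Replace @{ 'msDS-AllowedToDelegateTo' = @($targets) }

    # "Use any authentication protocol" in the dialog is the
    # TRUSTED_TO_AUTH_FOR_DELEGATION bit on the computer account.
    Set-ADAccountControl -Identity "$src$" -TrustedToAuthForDelegation $true
}

# Check 1: every account with protocol transition enabled, and where it may
# delegate. Anything other than the expected Hyper-V hosts and the two
# service types above deserves a second look.
Get-ADComputer -Filter 'TrustedToAuthForDelegation -eq $true' `
    -Properties 'msDS-AllowedToDelegateTo' |
    Select-Object Name,
        @{ n = 'DelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join '; ' } }

# Check 2: the control the post actually relies on. Privileged users should
# carry "account is sensitive and cannot be delegated"; list members of
# Domain Admins that do not, so they can be fixed with
#   Set-ADAccountControl -Identity <sam> -AccountNotDelegated $true
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties AccountNotDelegated |
    Where-Object { -not $_.AccountNotDelegated } |
    Select-Object SamAccountName, AccountNotDelegated
```

Run the two checks on their own before and after the change so the only difference you see is the Hyper-V hosts you intended to configure.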

Documentation

We’re working on modifying our documentation to reflect this change.

John Slack
Hyper-V Team PM

[new] ASUS Z170I Pro Gaming mini-ITX Socket 1151 Motherboard

For Sale: ASUS Z170I Pro Gaming mini-ITX Socket 1151 Motherboard
Condition: New and Unused
Price: £120 inc delivery

Selling my spare ASUS Z170I motherboard, it’s in brand new condition and has never been used. Will send item with Royal Mail or Parcelforce tracked delivery but I require payment first via Bank transfer.


Price and currency: £120
Delivery: Delivery cost is included within my country
Payment…


Go Universal! Now your ad campaigns can reach users across Microsoft premium surfaces like MSN, Outlook and Skype

Here’s your New Year’s gift from Windows Store team. The “Promote Your App” ad campaigns that delivered ad creatives in other apps in the Windows eco-system just got a major update.

We are happy to announce the launch of universal campaigns that will deliver your ads across Microsoft premium surfaces such as MSN.com, Outlook.com, and Skype, as well as games like the Microsoft solitaire collection.

Why should I use universal campaigns?

The first and the most important reason is wider reach. Microsoft premium surfaces such as MSN, Outlook, Skype and Solitaire collection are used by millions of users daily, and now your ad campaigns have a chance to showcase your awesome app when they interact on these surfaces.

Second, your ad campaigns will now get a very wide variety of touch points. Studies have shown that media-mix models can fetch your company multi-fold revenues. In the context of app promotions, it is the app installs and app engagements that can grow multi-fold.

MSN is primarily used in the context of news and entertainment, while Skype is used for personal communication and Outlook is used for email. Many Windows customers spend a fair amount of time playing popular games like Microsoft Solitaire. Your ad can now capture the attention of users in all these different situations, as well as improve recall and conversion rates.

Finally, the allocation of budget among the Microsoft surfaces is driven by powerful machine-learning algorithms. These algorithms start with finding the right set of users who should be exposed to your ad campaign, and then measure the effectiveness of each surface to adjust the target user profiles and budget allocations. Rest assured, these algorithms are working to give you the best possible ROI.

How do I get started?

  1. All campaigns that use auto-targeting will be universal campaigns by default. To use auto-targeting, make sure Automatic is selected for the Audience section of your campaign settings in the Dev Center dashboard.
  2. If you wish to create a manually targeted campaign, make sure you choose Universal for the Surface setting in the Audience section of your campaign.

Give it a try!  If you’ve got suggestions for how we can make these features even more useful, please let us know at Windows Developer Feedback.

Asus X541s Silver Laptop / Boxed / With Receipt

Bought in September last year, selling because it is too big for my partner.

It's in silver, specs:

  • Social: Basic computing on the go
  • Windows 10
  • Intel® Pentium® Processor N3710
  • RAM: 4 GB / Storage: 1 TB HDD

I changed the 1 TB HDD for a Samsung EVO 750 250 GB SSD.
If you don't fancy an SSD I have a spare 500 GB HDD I can put in instead.

Still have the box and receipt from Currys for warranty.
Here's the link on Currys:…


Giada Mini Gaming and Media PC

Hi Guys,

I bought this about 18 months ago and only used it for about 6 months before moving house and never really finding a use for it (since I built a new gaming PC).

It is a pretty unique PC. Very small, housing a ULV Haswell i7, 8 GB RAM, a 1 TB HDD and, most interestingly, a desktop-spec GTX 750.

To spruce it up even further, I added a Crucial M500 480 GB mSATA SSD to the vacant mSATA slot.

Ports-wise, it has 3x USB 3, 2x USB 2, 2x HDMI, 1x DVI, 1x full-size SD slot, 1x LAN, 1x optical. Wi-Fi and…
