Tag Archives: live migration

Live Migration via Constrained Delegation with Kerberos in Windows Server 2016


Many Hyper-V customers have run into new challenges when trying to use constrained delegation with Kerberos to Live Migrate VMs in Windows Server 2016.  When attempting to migrate, they would see errors with messages like “no credentials are available in the security package,” or “the Virtual Machine Management Service failed to authenticate the connection for a Virtual Machine migration at the source host: no suitable credentials available.”  After investigating, we have determined the root cause of the issue and have updated guidance for how to configure constrained delegation.

Fixing This Issue

Resolving this issue is a simple configuration change in Active Directory.  In the following dialog, select “use any authentication protocol” instead of “use Kerberos only.”


Root Cause

Warning: the next two sections go a bit deep into the internal workings of Hyper-V.

The root cause of this issue is an under the hood change in Hyper-V remoting.  Between Windows Server 2012R2 and Windows Server 2016, we shifted from using the Hyper-V WMI Provider *v1* over *DCOM* to the Hyper-V WMI Provider *v2* over *WinRM*.  This is a good thing: it unifies Hyper-V remoting with other Windows remoting tools (e.g. PowerShell Remoting).  This change matters for constrained delegation because:

  1. WinRM runs as NETWORK SERVICE, while the Virtual Machine Management Service (VMMS) runs as SYSTEM.
  2. The way WinRM does inbound authentication stores the nice, forwardable Kerberos ticket in a location that is unavailable to NETWORK SERVICE.

The net result is the WinRM cannot access the forwardable Kerberos ticket, and the Live Migration fails on Windows Server 2016.  After exploring possible solutions, the best (and fastest) option here is to change the configuration to enable “protocol transition” by changing the constrained delegation configuration as above.

How does this impact security?

You may think this approach is less secure, but in practice, the impact is debatable.

When Kerberos Constrained Delegation (KCD) is configured to “use Kerberos only,” the system performing delegation must possess a Kerberos service ticket from the delegated user as evidence that it is acting on behalf of that user.  By switching KCD to “use any authentication protocol”, that requirement is relaxed such that a service ticket acquired via Kerberos S4U logon is acceptable.  This means that the delegating service is able to delegate an account without direct involvement of the account owner.  While enabling the use of any protocol — often referred to as “protocol transition” — is nominally less secure for this reason, the difference is marginal due to the fact that the disabling of protocol transition provides no security promise.  Single-sign-on authentication between systems sharing a domain network is simply too ubiquitous to treat an inbound service ticket as proof of anything.  With or without protocol transition, the only secure way to limit the accounts that the service is permitted to delegate is to mark those accounts with the “account is sensitive and cannot be delegated” bit.


We’re working on modifying our documentation to reflect this change.

John Slack
Hyper-V Team PM

42 Best Practices for Balanced Hyper-V Systems

Last year, Nirmal Sharma wrote a fantastic article on this blog titled 23 Best Practices to improve Hyper-V and VM Performance. This sparked up a very lively discussion in the comments section; some were very strongly in favor of some items, some very strongly opposed to others. What I think was perhaps missed in some of these comments was that, as Nirmal stated in the title, his list was specifically “to improve Hyper-V and VM performance.” If squeezing every last drop of horsepower out of your Hyper-V host is your goal, then it’s pretty hard to find any serious flaws with his list. Just cause a Group can be brought to consensus, does not make them right. Assess the Risks of being wrong before proceeding on their say so. — guy w wallace (@guywwallace) February 27, 2015 As you probably know, or can at least guess, I’m not the biggest fan… Read More»

Original post link: 42 Best Practices for Balanced Hyper-V Systems

The post 42 Best Practices for Balanced Hyper-V Systems appeared first on Hyper-V Hub – Altaro’s Microsoft Hyper-V blog.

Looking Forward to Hyper-V in Server 10

New year, new products! Some time in 2015, we’re all going to be graced with the newest edition of Windows and Windows Server, and along with them, Hyper-V. I wish I had a slick code name to give you, like “Viridian”, but it seems like most in-progress Microsoft products are now just code-named “vNext”. I’ve…

Original post link: Looking Forward to Hyper-V in Server 10

The post Looking Forward to Hyper-V in Server 10 appeared first on Hyper-V Hub – Altaro’s Microsoft Hyper-V blog.