-
Titel
Problems with Kerberos Athentication while connecting Hyper V -
Beschreibung
When we configure a local administrator account for the Hyper-V host (hostname\Administrator) we do get Kerberos errors. -
Ursache
Kerberos for logging on to Hyper-V can only be used in a Windows Domain context, it cannot be used for a local logon.
The next fallback in the list of authentication protocols would be NTLM, which may be undesirable.
-
Lösung
In a scenario where local logon to Hyper-V is required, like in a Disaster-Recovery scenario where no functioning Domain Controllers are available Administrators should consider configuring Hyper-V to accept the "CredSSP" authentication protocol, which is an option during installation.
To configure Hyper-V for CredSSP access, follow the below procedure:
On the Hyper-V host to be managed, open a Windows PowerShell session as Administrator.
Create the necessary firewall rules for private network zones:
Enable-PSRemotingTo allow remote access on public zones, enable firewall rules for CredSSP and WinRM:
Enable-WSManCredSSP -Role serverFor details, see Enable-PSRemoting and Enable-WSManCredSSP.
Next, configure the computer you'll use to manage the Hyper-V host.
Open a Windows PowerShell session as Administrator.
Run these commands:
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "fqdn-of-hyper-v-host"Enable-WSManCredSSP -Role client -DelegateComputer "fqdn-of-hyper-v-host"You might also need to configure the following group policy:
- Computer Configuration > Administrative Templates > System > Credentials Delegation > Allow delegating fresh credentials with NTLM-only server authentication
- Click Enable and add wsman/fqdn-of-hyper-v-host.
Open Hyper-V Manager.
In the left pane, right-click Hyper-V Manager.
Click Connect to Server.
-
Weitere Informationen
https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/manage/remotely-manage-hyper-v-hosts