Resolve: Failed to establish a connection with host: the credentials supplied to the package were not recognized (0x8009030D).
When working with Hyper-V you might have the need to transfer a Virtual Machine from one host to another but might run into the following error message when trying:
“Failed to establish a connection with host ‘TARGETVMHOST’: the credentials supplied to the package were not recognized (0x8009030D). The Virtual Machine Management Service failed to authenticate the connection for a Virtual Machine migration at the source host: no suitable credentials available. Make sure the operation is initiated on the source host of the migration, or the source host is configured to use Kerberos for the authentication of migration connections and Constrained Delegation is enabled for the host in Active Directory.”
This is because you need to configure Kerberos delegation on your domain controller in order for the credentials supplied on one compute are able to work on another. This is necessary as Hyper-V is moving a guest virtual machine from one host to another and your credentials need to work on both hosts if you want to do a migration. Before doing a simple export/import operation would work but because the process is automated it need authentication delegation for the credentials used on one machine to work on another.
There are two main aspects that you need to do and they are hinted to in the error message:
- “Make sure the operation is initiated on the source host.” This one is pretty straight forward, the operation needs to start at the Hyper-V host which currently has the VM you wish to move.
- “make sure […] Constrained Delegation is enabled for the host in Active Directory.” This one is a bit trickier. If you are not familiar with what Constrained Delegation is. Kerberos Constrained Delegation (read more about the Kerberos protocol here) is a system through which a client can trust another client impersonating a users’ credentials. In this case, the source Hyper-V host will send a package only providing the user that executed the task and the target Hyper-V host needs to be able to trust that (no password is being sent/exchanged).
As you figured out, we are going to use Kerberos Constrained Delegation so first you need to enable it as the live migration authentication method in Hyper-V. Simply go to Go to Hyper-V settings for the host machines (source and target) and enable Live Migrations using Kerberos.
Then as hinted earlier you need to go to Active Directory and establish the trust. To do this follow these simple steps:
- Go to Active Directory Users and Computers.
- Find each Hyper-V host server you have (so at least the source and target for the current operation).
- Enter the properties and find the “Delegation” tab.
- Enable delegation (use the third option “Trust this Computer for Delegation to Specified Services Only.” This is the recommended method as plainly opening trust for everything could expose you to added unnecessary security risks. After all if a computer is trusted they could impersonate any user so if it ever becomes compromise then the attacker could use that machine to pretend to be any user on your network, hence the importance to protect the machines and restrict the services you are willing to allow delegated authentication for.
- Click the add button and make sure you add “cifs” and “Microsoft Virtual System Migration Service” for all the servers you want to migrate to/from.
And that’s it. If you have multiple DCs make sure to sync them so these settings are replicated across your enterprise.