Authentication and authorization problems in System Center Virtual Machine Manager

Article ID: 2961630

Symptoms

You may encounter various problems with Microsoft System Center Virtual Machine Manager 2008 (VMM 2008) or System Center 2012 Virtual Machine Manager (VMM 2012) that are related to authentication and authorization if the required service principal names (SPNs) are missing or incorrect.

Cause

This can occur when missing or incorrect service principal names (SPNs) cause delegation to fail.

Resolution

To resolve this issue, use the setspn command to check for duplicate SPNs and to create any missing SPNs.

Note: Not all SPNs may be required. The requirements vary based on the server roles that are installed.

For Virtual Console Support for Hyper-V Hosts (VMConnect.exe), the following SPNs are required on Hyper-V hosts:

setspn -s "Microsoft Virtual Console Service/hostname" computername
setspn -s "Microsoft Virtual Console Service/hostname.fqdn.etc" computername

For P2V support, the following SPNs are required:

setspn -s "Microsoft Virtual System Migration Service/hostname.fqdn.etc" computername
setspn -s "Microsoft Virtual System Migration Service/hostname" computername

For Microsoft Virtual Server 2005 hosts and the VMRC utility, the following SPNs are required:

setspn -s vmrc/hostname.fqdn.etc:5900 computername
setspn -s vmrc/hostname:5900 computername
setspn -s vssrvc/hostname.fqdn.etc computername
setspn -s vssrvc/hostname computername

For RDP support, the following SPNs are required:

setspn -s TERMSRV/hostname.fqdn.etc computername
setspn -s TERMSRV/hostname computername

For the host, the following SPNs are required:

setspn -s HOST/hostname computername
setspn -s HOST/hostname.fqdn.etc computername

For HTTP, the following SPNs may be needed for authentication on SSP if the VMM server is using Remote SQL:

setspn -s HTTP/hostname.fqdn.etc computername
setspn -s HTTP/hostname computername

For SQL, requirements depend on port and instance type.



For a named instance, the following SPNs are required:

setspn -s MSSQLSvc/hostname.fqdn.etc:Port computername
setspn -s MSSQLSvc/hostname.fqdn.etc:InstanceName computername

For a default instance, the following SPNs are required:

setspn -s MSSQLSvc/hostname:1433 computername
setspn -s MSSQLSvc/hostname.fqdn.etc:1433 computername
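
The following PowerShell is an added example, not part of the Microsoft article: it builds the SPN list this article gives for a host's roles, compares it with "setspn -L" output, and prints a "setspn -S" command for each SPN that is missing. The host name HV01, the contoso.com domain, the role keys, and the sample listing are constructed assumptions.

```powershell
function Get-ExpectedSpn {
    param(
        [Parameter(Mandatory)] [string]   $HostName,
        [Parameter(Mandatory)] [string]   $Fqdn,
        [Parameter(Mandatory)] [string[]] $Role
    )
    # Service class per role, taken from the article. The role keys are hypothetical.
    $serviceClass = @{
        HyperVConsole = 'Microsoft Virtual Console Service'
        P2V           = 'Microsoft Virtual System Migration Service'
        RDP           = 'TERMSRV'
        Host          = 'HOST'
        HTTP          = 'HTTP'
    }
    foreach ($r in $Role) {
        if (-not $serviceClass.ContainsKey($r)) { throw "Unknown role '$r'" }
        # Each role needs both the short-name and the FQDN form.
        '{0}/{1}' -f $serviceClass[$r], $HostName
        '{0}/{1}' -f $serviceClass[$r], $Fqdn
    }
}

function Get-MissingSpn {
    param([string[]] $Expected, [string[]] $SetSpnListOutput)
    # "setspn -L" prints one header line, then one indented SPN per line.
    $registered = $SetSpnListOutput |
        Where-Object { $_ -match '^\s+\S' } |
        ForEach-Object { $_.Trim() }
    # -notcontains compares case-insensitively, which matches how SPNs are treated.
    $Expected | Where-Object { $registered -notcontains $_ }
}

# Constructed sample. On a domain-joined machine use: $listing = setspn -L HV01
$listing = @(
    'Registered ServicePrincipalNames for CN=HV01,OU=Servers,DC=contoso,DC=com:',
    "`tHOST/HV01",
    "`tHOST/HV01.contoso.com",
    "`tTERMSRV/HV01",
    "`tMicrosoft Virtual Console Service/HV01"
)

$expected = Get-ExpectedSpn -HostName 'HV01' -Fqdn 'HV01.contoso.com' -Role HyperVConsole, RDP, Host

# Print the commands for review instead of running them (setspn -S <SPN> <accountname>).
Get-MissingSpn -Expected $expected -SetSpnListOutput $listing |
    ForEach-Object { 'setspn -S "{0}" HV01' -f $_ }
```

With the sample listing, the two missing entries are the FQDN forms of the Virtual Console Service and TERMSRV SPNs.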

More information

For more information, see the following resources:

How to Implement Kerberos Constrained Delegation with SQL Server 2008: http://msdn.microsoft.com/en-us/library/ee191523.aspx

How to use SPNs when you configure web applications that are hosted on Internet Information Services: http://support.microsoft.com/kb/929650

Note: This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Properties

Article ID: 2961630 - Last Review: April 18, 2014 - Revision: 1.0
Applies to
  • Microsoft System Center Virtual Machine Manager 2008
  • Microsoft System Center Virtual Machine Manager 2008 R2 Workgroup Edition
  • Microsoft System Center Virtual Machine Manager 2008 Workgroup Edition
  • Microsoft System Center 2012 R2 Virtual Machine Manager
Keywords: KB2961630
