Hyper-V VMMS fails to register SPN when NTDS port restriction is configured on the domain controller

Applies to: Windows Server 2016

Symptoms


Consider the following scenario:

  • You have a domain-joined Hyper-V server that is running Windows Server 2016 or a later version of Windows Server.
  • You have configured the domain controllers to have an NTDS port restriction by setting the following registry value:
    Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
    Registry value: TCP/IP Port
    Value type: REG_DWORD
    Value data: (available port)
  • The TCP port that's configured in this registry path is set to a port number that is not in the default dynamic port range (from 49152 to 65535).

In this scenario, the Hyper-V Virtual Machine Management Service (VMMS) fails to register the Service Principal Names (SPNs).

For example, the following list shows SPNs for a server that's named “Hyper1” in a domain that's named “contoso.com”:


These SPNs are required for many of the Hyper-V and High Availability features.

Note The Microsoft-Windows-Hyper-V-VMMS-Admin log shows error event 14050:

Cause


This issue occurs because the Hyper-V VMMS service is subject to Windows Service Hardening (WSH): the firewall rules in the ConfigurableServiceStore restrict which remote ports the service is allowed to reach. By default, outbound traffic from the service is restricted to the dynamic port range (49152 through 65535).

When the VMMS tries to reach the domain controller through an NTDS port that is not in this range, the packet is dropped by the firewall and the SPN registration fails.

If security auditing for “Filtering Platform Packet Drop” is enabled, “Audit Failure” event 5152 is also logged when this issue occurs:


Note The following command can be used to enable logging for "Audit Failure" in that subcategory:

auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:enable

Resolution


To fix the issue, use one of the following methods.

Method 1 

Remove the NTDS TCP port restriction, and then revert to the configuration that uses the default dynamic port range.

Method 2

Change the currently configured NTDS TCP-restricted port to a port number that's within the default dynamic range.

Method 3

Add an outgoing WSH rule for the restricted NTDS port (23456 in the following example) on each Hyper-V host. To do this, follow these steps:

  1. Start a text editor, such as Notepad.
  2. Copy the following code, and then paste the code into the text file:
    '================================================
    'This VBScript adds the port 23456 for outgoing traffic
    'run as cscript Addportrange.vbs on the Hyper-V host
    option explicit

    'IP protocols
    const NET_FW_IP_PROTOCOL_TCP = 6
    const NET_FW_IP_PROTOCOL_UDP = 17

    'Action
    const NET_FW_ACTION_BLOCK = 0
    const NET_FW_ACTION_ALLOW = 1

    'Direction
    const NET_FW_RULE_DIR_IN = 1
    const NET_FW_RULE_DIR_OUT = 2

    'Create the FwPolicy2 object.
    Dim fwPolicy2
    Set fwPolicy2 = CreateObject("HNetCfg.FwPolicy2")

    'Get the Service Restriction object for the local firewall policy.
    Dim ServiceRestriction
    Set ServiceRestriction = fwPolicy2.ServiceRestriction

    'If the service requires sending/receiving a certain type of traffic, add "allow" WSH rules as follows.
    'Get the collection of Windows Service Hardening networking rules.
    Dim wshRules
    Set wshRules = ServiceRestriction.Rules

    'Add an outbound WSH allow rule for vmms.exe to TCP 23456.
    Dim NewOutboundRule
    Set NewOutboundRule = CreateObject("HNetCfg.FWRule")
    NewOutboundRule.Name = "Allow outbound traffic from VMMS service to TCP 23456"
    NewOutboundRule.ApplicationName = "%systemDrive%\WINDOWS\system32\vmms.exe"
    NewOutboundRule.ServiceName = "vmms"
    NewOutboundRule.Protocol = NET_FW_IP_PROTOCOL_TCP
    NewOutboundRule.RemotePorts = "23456"
    NewOutboundRule.Action = NET_FW_ACTION_ALLOW
    NewOutboundRule.Direction = NET_FW_RULE_DIR_OUT
    NewOutboundRule.Enabled = true
    wshRules.Add NewOutboundRule
    'end of script
    '================================================
  3. Save the file as "Addportrange.vbs".
  4. Run the script from an elevated command prompt on the Hyper-V host: cscript Addportrange.vbs

Note You can also use PowerShell to add the outgoing traffic exception. The first two commands list the existing WSH rules (through the COM object and through the NetSecurity cmdlets, respectively); the remaining lines add the rule to the ConfigurableServiceStore:

# List the current Windows Service Hardening rules
(New-Object -ComObject HNetCfg.FwPolicy2).ServiceRestriction.Rules
Get-NetFirewallRule -PolicyStore ConfigurableServiceStore

# Add an outbound allow rule for the vmms service to the restricted NTDS port
$Rule = @{
    DisplayName   = "Allow outbound traffic from VMMS service to TCP 23456"
    Direction     = "Outbound"
    InterfaceType = "Any"
    Action        = "Allow"
    Protocol      = "TCP"
    Service       = "vmms"
    Program       = "$($env:systemdrive)\WINDOWS\system32\vmms.exe"
    Enabled       = "TRUE"
    RemotePort    = "23456"
    PolicyStore   = "ConfigurableServiceStore"
}
New-NetFirewallRule @Rule
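The three methods above assume you already know the restricted NTDS port and whether a matching WSH rule exists. The following script is an added example, not part of the original article or of any Microsoft tooling: it reads the "TCP/IP Port" value from the domain controller, checks it against the dynamic range, looks for an existing vmms outbound allow rule in the ConfigurableServiceStore on the port itself rather than on the rule's display name, applies Method 3 only when asked to with -Fix, and then counts the 14050 and 5152 events the article describes. It assumes the script runs elevated on the Hyper-V host and that the domain controller name you pass (the dc1.contoso.com placeholder is hypothetical) is reachable over WinRM for Invoke-Command.

```powershell
# Added example (not from the original KB article): diagnose the VMMS/NTDS port mismatch on a
# Hyper-V host and, with -Fix, add the Windows Service Hardening (WSH) allow rule from Method 3.
# Assumptions: run elevated on the Hyper-V host; the DC is reachable over WinRM so the NTDS
# registry value can be read with Invoke-Command.
param(
    [Parameter(Mandatory = $true)]
    [string] $DomainController,     # e.g. dc1.contoso.com (hypothetical name)
    [switch] $Fix
)

$dynamicStart = 49152
$dynamicEnd   = 65535

# 1. Read the NTDS port restriction ("TCP/IP Port" under NTDS\Parameters) from the DC.
$ntdsPort = Invoke-Command -ComputerName $DomainController -ScriptBlock {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    (Get-ItemProperty -Path $key -Name 'TCP/IP Port' -ErrorAction SilentlyContinue).'TCP/IP Port'
}

if (-not $ntdsPort) {
    Write-Host "No NTDS 'TCP/IP Port' restriction on $DomainController; nothing to do."
    return
}

$inRange = ($ntdsPort -ge $dynamicStart -and $ntdsPort -le $dynamicEnd)
Write-Host ("NTDS port on {0}: {1} (inside dynamic range {2}-{3}: {4})" -f
    $DomainController, $ntdsPort, $dynamicStart, $dynamicEnd, $inRange)
if ($inRange) { return }

# 2. Does the WSH store already allow vmms outbound to that port? Match on the service filter
#    and the remote-port filter, not on the display name, which anyone may have renamed.
$existing = Get-NetFirewallRule -PolicyStore ConfigurableServiceStore -Direction Outbound `
        -Action Allow -Enabled True -ErrorAction SilentlyContinue |
    Where-Object {
        ($_ | Get-NetFirewallServiceFilter).Service -eq 'vmms' -and
        (($_ | Get-NetFirewallPortFilter).RemotePort -contains "$ntdsPort")
    }

if ($existing) {
    Write-Host "WSH rule already present: $($existing.DisplayName -join ', ')"
} elseif ($Fix) {
    $rule = @{
        DisplayName   = "Allow outbound traffic from VMMS service to TCP $ntdsPort"
        Direction     = 'Outbound'
        InterfaceType = 'Any'
        Action        = 'Allow'
        Protocol      = 'TCP'
        Service       = 'vmms'
        Program       = "$env:SystemDrive\WINDOWS\system32\vmms.exe"
        Enabled       = 'True'
        RemotePort    = "$ntdsPort"
        PolicyStore   = 'ConfigurableServiceStore'
    }
    New-NetFirewallRule @rule | Out-Null
    Write-Host "Added WSH rule allowing vmms outbound to TCP $ntdsPort."
} else {
    Write-Warning "No WSH rule allows vmms outbound to TCP $ntdsPort. Re-run with -Fix (Method 3), or use Method 1 or 2 on the DC."
}

# 3. Corroborate with the events the article names: 14050 in the VMMS Admin log, and 5152
#    drops for vmms.exe in the Security log when "Filtering Platform Packet Drop" auditing is on.
#    The 5152 match on message text is coarse: it only confirms vmms.exe and the port both appear.
$since = (Get-Date).AddDays(-1)
$spnFailures = @(Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Hyper-V-VMMS-Admin'; Id = 14050; StartTime = $since
} -ErrorAction SilentlyContinue)
$drops = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5152; StartTime = $since } `
        -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'vmms\.exe' -and $_.Message -match "\b$ntdsPort\b" })
Write-Host "Event 14050 (VMMS SPN registration failed) in last 24h: $($spnFailures.Count)"
Write-Host "Event 5152 (WFP drop) mentioning vmms.exe and port $ntdsPort in last 24h: $($drops.Count)"

# 4. Show the SPNs actually registered for this host so you can compare before and after the fix.
setspn.exe -L $env:COMPUTERNAME
```

Run it once without -Fix to see which of the three methods applies; the script refuses to touch the firewall store if the DC port is already in the dynamic range. VMMS attempts SPN registration when it starts, so after applying any of the methods restart the service (Restart-Service vmms; running virtual machines are not affected) and compare the setspn output with the list of SPNs the article says Hyper-V and High Availability features require.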