You need to configure constrained delegation. There is a lot of documentation in the world on this, so I recommend searching "constrained delegation" and reading whatever links make the most sense to you. You specifically need to configure constrained delegation for SMB (shows as CIFS in the UI). This is not precisely a permissions issue. You're using your account to tell a remote computer to do something on a third computer. That's a potential security risk, as the second computer needs to use your credentials without you specifically logging on to it. So, you configure delegation to override. Microsoft has a PowerShell script to help you do this relatively easily. Read through the examples.
Hyper-V cluster permission problems
I have a test setup with two hypervisors running Hyper-V and using Failover Cluster Manager (FCM) and a Windows storage server sharing out an SMB share for the cluster storage. I have rebuilt this twice and am still seeing the same issue.
If I am logged in to hypervisor1 and within Hyper-V Manager or FCM I create a VM on that hypervisor, everything works as expected. The VM is created, works fine and in addition I can live migrate it to the other hypervisor within FCM and again everything works fine.
If I am logged in to hypervisor1 and try to create a VM on the other hypervisor, either from Hyper-V Manager or FCM, it fails with permission issues. Event Viewer is saying the domain admin user (who is the owner of the share) cannot create the directories for the VM with a general access denied error (0x80070005). That user has full control on the SMB share and if I temporarily map that share to each hypervisor I can create folders etc. on it.
We have clusters using iSCSI with MPIO as the storage and we do not see this problem, so it is definitely some Windows permission issue, but I cannot work out what additional permissions are needed to make this work.
The SMB share itself has full control to that account, the hypervisor computer accounts and the cluster computer account.
Any help or pointers would be much appreciated.
1 additional answer
Jon Marshall 81 Reputation points
2024-01-11T15:57:40.9533333+00:00
Eric, funnily enough I was just looking at Kerberos double hopping as I thought that may be an issue, but we did add delegation to the lab yesterday for CIFS and it made absolutely no difference. So I am assuming we didn't add it correctly.
Thanks for the link to the script, I'll run it and then see what it adds, retest and then come back here and update.
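One way to check what delegation is actually set on each hypervisor's computer account before retesting, shown as an added example that is not part of the thread and is not Microsoft's script. The host names, the `lab.example` domain and the function name `Test-CifsDelegation` are assumptions, and the check treats both the short and the FQDN form of the CIFS SPN as required.

```powershell
# Added example: audit constrained delegation from hypervisors to an SMB server.
# Test-CifsDelegation, the host names and lab.example are hypothetical.
function Test-CifsDelegation {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Computer,  # shaped like Get-ADComputer output
        [Parameter(Mandatory)] [string] $StorageServer,       # short name of the SMB server
        [Parameter(Mandatory)] [string] $DnsDomain
    )
    process {
        # SPNs the middle hop (the hypervisor) must be allowed to delegate to.
        # Assumption: both the short and the FQDN form are expected.
        $wanted  = "cifs/${StorageServer}", "cifs/${StorageServer}.${DnsDomain}"
        $allowed = @($Computer.'msDS-AllowedToDelegateTo')
        $missing = @($wanted | Where-Object { $allowed -notcontains $_ })
        [pscustomobject]@{
            Host                = $Computer.Name
            # Unconstrained delegation is broader than this scenario needs; flag it.
            Unconstrained       = [bool]$Computer.TrustedForDelegation
            ProtocolTransition  = [bool]$Computer.TrustedToAuthForDelegation
            MissingSpn          = $missing -join ', '
            CifsDelegationReady = ($missing.Count -eq 0)
        }
    }
}

# Constructed sample standing in for live directory data. Against a real domain:
#   Get-ADComputer hypervisor1 -Properties msDS-AllowedToDelegateTo,
#       TrustedForDelegation, TrustedToAuthForDelegation
$sample = @(
    [pscustomobject]@{
        Name = 'hypervisor1'; TrustedForDelegation = $false; TrustedToAuthForDelegation = $false
        'msDS-AllowedToDelegateTo' = @('cifs/storage1', 'cifs/storage1.lab.example')
    }
    [pscustomobject]@{
        Name = 'hypervisor2'; TrustedForDelegation = $false; TrustedToAuthForDelegation = $false
        'msDS-AllowedToDelegateTo' = @('cifs/storage1')   # FQDN form not added
    }
)

$sample |
    Test-CifsDelegation -StorageServer storage1 -DnsDomain lab.example |
    Format-Table -AutoSize
```

With the constructed data, hypervisor1 reports `CifsDelegationReady` as True and hypervisor2 reports `cifs/storage1.lab.example` as missing.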