24 May 2013

Hyper-V & SCVMM – Constrained Delegation VS. CredSSP

A lot of the customers whose Hyper-V projects I’m currently engaged in started their Hyper-V 2012 deployments without SCVMM. As they are now trying to integrate it, one of the most popular questions arising is:

What about SCVMM and Constrained Kerberos Delegation?

To explain the situation let’s first have a look at the following post from Aidan Finn which provides great information about the delegation problem and how to solve it.

SCVMM does not require you to configure Constrained Kerberos Delegation at all, because it always uses “fresh credentials” passed via CredSSP when issuing commands and tasks. To do this it uses pre-configured RunAs accounts or explicit credentials, where the second option is not really recommended for various reasons. This is a big enhancement, especially for larger environments where you’d have to configure tons of delegations without SCVMM.

**PowerShell double-hop scenarios**

As mentioned above SCVMM solves the issue for you as it always issues commands remotely via WinRM on the target Hyper-V host using CredSSP.

But you might run into another issue while working with Server Manager 2012 or System Center Orchestrator, because PowerShell does not allow double-hop scenarios using Kerberos delegation, only using CredSSP.

CredSSP support in PowerShell Remoting was introduced with version 2.0. CredSSP support for WSMan is disabled by default.

See here on how to enable it via cmdlets or Group Policy.
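The double-hop setup described above, as an added example that is not part of the original post: it enables CredSSP for a single named Hyper-V host, runs a command that needs a second hop, and then switches CredSSP off again. The host name `hv01.contoso.local` and the share `\\fs01.contoso.local\iso` are hypothetical placeholders.

```powershell
# Hypothetical names, replace with your own (use FQDNs for CredSSP).
$hvHost = 'hv01.contoso.local'          # first hop: the Hyper-V host
$share  = '\\fs01.contoso.local\iso'    # second hop: resource reached from the host

# 1. Management machine (elevated): allow delegation of fresh credentials.
#    Name the target host explicitly instead of a wildcard such as
#    *.contoso.local, because with CredSSP the credentials are handed to
#    every host that is allowed as a delegation target.
Enable-WSManCredSSP -Role Client -DelegateComputer $hvHost -Force

# 2. Hyper-V host: accept delegated credentials. This first call still
#    uses the default Kerberos remoting, which is enough for one hop.
Invoke-Command -ComputerName $hvHost -ScriptBlock {
    Enable-WSManCredSSP -Role Server -Force
}

# 3. Check what is currently configured on the client.
Get-WSManCredSSP

# 4. The double hop: CredSSP requires explicit credentials, so the
#    session on the host can authenticate onward to the file server.
$cred = Get-Credential
Invoke-Command -ComputerName $hvHost -Authentication Credssp -Credential $cred `
    -ArgumentList $share -ScriptBlock {
        param($path)
        Get-ChildItem -Path $path
    }

# 5. Return to the default (CredSSP disabled) once the task is done.
Invoke-Command -ComputerName $hvHost -ScriptBlock {
    Disable-WSManCredSSP -Role Server
}
Disable-WSManCredSSP -Role Client
```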