Windows Server 8 brings support for storing and running Hyper-V virtual machines on SMB 2.2 file shares, which is pretty handy, especially with the new Scale-Out/Continuously Available file server features in Windows Server 8. However, it does bring one challenge to the table: if you want to remotely manage your Hyper-V servers and use SMB, then Kerberos's single-hop tickets become a problem.
The basic issue is that when you log in to a domain and want to access a remote machine, the domain issues a security token (a Kerberos ticket) which is presented to the remote server to say who you are. Just like a concert ticket, once it's scanned at the door it's no good for getting in anywhere else. In the case of Hyper-V remote management this means your token is only valid between the computer running the UI and the Hyper-V server, so if you try to configure a virtual machine to use resources on a third computer there is no longer a valid token to prove that you, the person configuring that virtual machine, should have access to the resources on the third machine. Once the VM has been configured, the remote resources are accessed in the context of the Hyper-V server's computer account; but during virtual machine creation, or when attaching VHDs/ISOs to the VM, we have to ensure that the user performing that operation also has access to those resources and isn't just piggybacking on the Hyper-V server's rights to access those files.
In order to solve this challenge we need to enable constrained delegation, which tells Active Directory that between two computers (in this case the Hyper-V server and the SMB server) and for specific services (in this case CIFS/SMB) it is allowed to effectively re-issue the token for the user, kind of like a re-admission stamp. For the examples below let's take an environment similar to this: we have a two-node Windows Server 8 Scale-Out file server cluster, two standalone Hyper-V servers and a remote management workstation. In this environment we want to create an SMB share and then create a new VM on that share. If we just create the SMB share and try to create a virtual machine on it, creating the VM will fail with "access denied" or "the operation has failed" errors, so we have to configure the security and delegation.
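As an added example (not from the original post or from Microsoft's own step list), the delegation described above can also be configured from the management workstation with the Active Directory PowerShell module instead of through the Users and Computers UI. It writes the msDS-AllowedToDelegateTo attribute on each Hyper-V host's computer account so that only the cifs service on the file server may be reached on a user's behalf, then reads the attribute back and checks that no host has been left with unconstrained delegation enabled. The host names HV1, HV2, SOFS and the domain contoso.local are placeholders for this example; for a Scale-Out file server the name to delegate to is the cluster's client access point, not an individual node.

```powershell
# Added example, not the original post's steps.
# Assumed names: Hyper-V hosts HV1 and HV2, Scale-Out file server access point SOFS,
# domain contoso.local. Run as a domain account allowed to edit computer objects.
Import-Module ActiveDirectory

$hyperVHosts = @('HV1', 'HV2')     # assumed: the two standalone Hyper-V servers
$fileServer  = 'SOFS'              # assumed: SOFS client access point (cluster name)
$domain      = 'contoso.local'     # assumed

# Constrained delegation targets: short and FQDN forms of the CIFS service,
# because a client may request either SPN.
$targetSpns = @("cifs/$fileServer", "cifs/$fileServer.$domain")

foreach ($hv in $hyperVHosts) {
    # Kerberos-only constrained delegation: list exactly which SPNs this computer
    # account may obtain tickets for on behalf of a user. Nothing else is allowed.
    Set-ADComputer -Identity $hv -Add @{ 'msDS-AllowedToDelegateTo' = $targetSpns }
}

# Verify the result and flag any host that is trusted for unconstrained delegation,
# which would let it impersonate users to every service, far more than SMB needs.
foreach ($hv in $hyperVHosts) {
    $acct = Get-ADComputer -Identity $hv -Properties msDS-AllowedToDelegateTo, TrustedForDelegation

    $allowed = @($acct.'msDS-AllowedToDelegateTo')
    Write-Host ("{0}: allowed to delegate to {1}" -f $hv, ($allowed -join ', '))

    if ($acct.TrustedForDelegation) {
        Write-Warning "$hv is trusted for UNCONSTRAINED delegation; clear it and rely on the cifs entries above."
    }

    $extra = $allowed | Where-Object { $_ -notin $targetSpns }
    if ($extra) {
        Write-Warning "$hv can also delegate to: $($extra -join ', '); remove entries the VM workflow does not need."
    }
}
```

The Hyper-V host caches the tickets it already holds, so after changing the attribute it is normal to have to purge the host's Kerberos ticket cache (klist purge) or restart it before the new delegation is honoured. Keeping the list limited to the cifs SPNs of the one file server, and leaving TrustedForDelegation off, is what makes this "constrained": the host can act as the user only toward that share, not toward other services in the domain.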
Please be aware that Hyper-V on Windows Server 2008 or R2 does not support virtual machines using SMB or any NAS storage. This is a new feature for Windows Server 8 and requires that the SMB server support SMB 2.2. See http://technet.microsoft.com/en-us/library/dd183729.aspx for more details.
For Each Hyper-V Server…
These steps are specific to Windows 8 Consumer Preview (Beta). If you are using a different OS, the pertinent steps are 7.2, 7.3, 8.2 and 8.3.
Done…
I would like to thank Jose Barreto; his blog post "Using Constrained Delegation to remotely manage a server running Hyper-V that uses CIFS/SMB file shares" gives a great overview of this process as well.
Taylor Brown Hyper-V Enterprise Deployment Team taylorb@microsoft.com http://blogs.msdn.com/taylorb