Kerberos double-hop with Hyper-V and File shares
This article describes how to troubleshoot and fix the errors received when trying to attach an ISOs to a Hyper-V virtual machine from a client computer running the Hyper-V management tool or a System Center Virtual Machine Manager.
The scenario would look similar to diagram below.
If you try and mount an ISO hosted on \\fileserver\isos\ to a virtual machine running on the Hyper-V server from management tools hosted on another server with default configuration you will see an error similar to the one below.
At first you may want to check permissions on the file share hosted on \\fileserver\isos\ e.g the share permissions
Next check the NTFS permissions; I suppose you’d look to have the Hyper-V computer accounts granted read access but I believe the account that needs access is the account of the user attaching the ISO, so I have granted domain users read access.
The next step to troubleshoot is authentication as the authorisation looks to be in place.
The security event log on the file server at the time I attempted to attach the ISO image shows anonymous logon from the Hyper-V server where the virtual machine is hosted.
This would suggest the Hyper-V host cannot forward the credentials of the user attempting to attach the ISO image. I suppose one way to prove this, would be to logon to the Hyper-V server, open the Hyper-V tools then attach the ISO, this way your credentials should be used to access the share.
So if I configure delegation on the computer accounts of the Hyper-V hosts for the file server where the share exists my user account should be forwarded to the file server.
The image below shows that the cifs services has been allowed for delegation from the Hyper-V computer accounts.
If I attempt to attach a ISO to a virtual machine I can see an event that shows my user account successfully authenticating and more importantly the ISO was attached without error.
Hopefully this helps someone else
i’ve had a lot of luck just adding the computer object to the acl for the folder containing the ISO files, such as HVS$ for the server named HVS
What I’m getting at in the article is managing the virtual machines from a client machine with the Hyper-V tools installed or from a server with SC VMM installed not from the Hyper-V server itself.