
Kerberos double-hop with Hyper-V and File shares

This article describes how to troubleshoot and fix the errors received when trying to attach an ISO to a Hyper-V virtual machine from a client computer running the Hyper-V management tools or System Center Virtual Machine Manager.

The scenario looks similar to the diagram below.

KerberosDelegation1

If you try to mount an ISO hosted on \\fileserver\isos\ to a virtual machine running on the Hyper-V server, using management tools hosted on another server with the default configuration, you will see an error similar to the one below.

KerberosDelegation4

At first you may want to check permissions on the file share hosted on \\fileserver\isos\, starting with the share permissions.

KerberosDelegation5

Next, check the NTFS permissions. I suppose you'd look to have the Hyper-V computer accounts granted read access, but I believe the account that needs access is the account of the user attaching the ISO, so I have granted domain users read access.

KerberosDelegation8

The next thing to troubleshoot is authentication, as the authorisation looks to be in place.

The security event log on the file server at the time I attempted to attach the ISO image shows an anonymous logon from the Hyper-V server where the virtual machine is hosted.

KerberosDelegation7

This would suggest the Hyper-V host cannot forward the credentials of the user attempting to attach the ISO image. I suppose one way to prove this would be to log on to the Hyper-V server, open the Hyper-V tools, then attach the ISO; this way your credentials should be used to access the share.

So if I configure delegation on the computer accounts of the Hyper-V hosts for the file server where the share exists, my user account should be forwarded to the file server.

The image below shows that the cifs service has been allowed for delegation from the Hyper-V computer accounts.

KerberosDelegation9
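The same delegation setting can be reviewed and applied from PowerShell. This is an added example, not part of the original post: it assumes the ActiveDirectory (RSAT) module, the hypothetical Hyper-V host names `HV01` and `HV02`, and the hypothetical DNS suffix `contoso.local`; `fileserver` is taken from the share path above.

```powershell
# Added example: scope Kerberos constrained delegation on the Hyper-V
# computer accounts to the cifs service of the one file server they need.
Import-Module ActiveDirectory

$HyperVHosts = 'HV01', 'HV02'     # assumption: your Hyper-V host names
$FileServer  = 'fileserver'       # from \\fileserver\isos\
$DnsSuffix   = 'contoso.local'    # assumption: your AD DNS suffix

# Clients may request either the short or the fully qualified SPN.
$WantedSpns = "cifs/${FileServer}", "cifs/${FileServer}.${DnsSuffix}"
$Props = 'msDS-AllowedToDelegateTo', 'TrustedForDelegation', 'TrustedToAuthForDelegation'

foreach ($name in $HyperVHosts) {
    $computer = Get-ADComputer -Identity $name -Properties $Props

    # Unconstrained delegation lets the host forward tickets to any service.
    # Flag it so it can be replaced by the constrained list set below.
    if ($computer.TrustedForDelegation) {
        Write-Warning "$name is trusted for UNCONSTRAINED delegation; review before continuing."
    }

    # Only add SPNs that are not already on the allowed list.
    $existing = @($computer.'msDS-AllowedToDelegateTo')
    $missing  = @($WantedSpns | Where-Object { $_ -notin $existing })

    if ($missing.Count -gt 0) {
        # Remove -WhatIf once the proposed change has been reviewed.
        Set-ADComputer -Identity $computer -WhatIf `
            -Add @{ 'msDS-AllowedToDelegateTo' = [string[]]$missing }
    }

    # Report the resulting state so the allowed list can be audited.
    Get-ADComputer -Identity $name -Properties $Props |
        Select-Object Name,
            TrustedForDelegation,
            TrustedToAuthForDelegation,
            @{ Name = 'AllowedToDelegateTo'
               Expression = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
}
```

The script only edits the allowed-services list and leaves the protocol transition setting as it is. Anything in the report beyond the two cifs entries is delegation the host has been granted for some other reason and is worth confirming.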

If I attempt to attach an ISO to a virtual machine, I can see an event that shows my user account successfully authenticating and, more importantly, the ISO was attached without error.

KerberosDelegation10

Hopefully this helps someone else.

 
