
SCVMM: Service Principal Names (SPNs) Required for Proper SCVMM 2008 Functionality


SCVMM 2008 and 2008 R2, as well as future versions of SCVMM, rely on Kerberos and Kerberos delegation for their security and authentication model. You may encounter various authentication and authorization problems with SCVMM if the service principal names (SPNs) of the underlying platform are not properly set.

These problems range from console authentication to SQL access, or even host access for the purposes of accessing virtual machines managed by SCVMM. All of these problems can be caused when delegation is failing, possibly due to incorrect or missing SPNs (Service Principal Names).
 
The resolution is to verify and correct any configuration issues with Kerberos delegation, often correcting problems related to SPNs not being registered, or even duplicate SPNs.
 
You can use the SETSPN command to check for duplicate SPNs and to create missing ones if needed. Please note not all SPNs may be required as that will vary based on what server roles are installed. SETSPN is a default external command in both Windows Server 2008 and 2008 R2. For Windows Server 2003, I would recommend downloading the SETSPN update for Windows Server 2003. More information and download links are found here:
 
 
The list below gives all of the SPNs that may be required, grouped by their corresponding components. Since SCVMM is a management interface that sits on top of so many different platform components, incomplete or improper delegation at these component layers will cause problems in SCVMM functionality.
 
Hyper-V Virtual Consoles:

For Virtual Console Support for Hyper-V Hosts (VMCONNECT.EXE) – This will be required on Hyper-V Hosts. Use the following command to set and verify SPNs.

setspn -s "Microsoft Virtual Console Service/HOSTNAME" computername 
setspn -s "Microsoft Virtual Console Service/hostname.fqdn.etc" computername 

For P2V Support.

Use the following command to set and verify SPNs.

setspn -s "Microsoft Virtual System Migration Service/hostname.fqdn.etc" computername 
setspn -s "Microsoft Virtual System Migration Service/hostname" computername 

For VS2005 Hosts and the VMRC utility – This will be required on Virtual Server 2005 Hosts. Use the following command to set and verify SPNs.

setspn -s vmrc/hostname.fqdn.etc:5900 computername 
setspn -s vmrc/hostname:5900 computername 
setspn -s vssrvc/hostname.fqdn.etc computername 
setspn -s vssrvc/hostname computername 

For RDP Support.

Use the following command to set and verify SPNs.

setspn -s TERMSRV/hostname.fqdn.etc computername 
setspn -s TERMSRV/hostname computername 

 For all Hosts.

Use the following command to set and verify SPNs.

 setspn -s HOST/hostname computername 
setspn -s HOST/hostname.fqdn.etc computername 

HTTP (may be needed for authentication on SSP if the VMM server is using Remote SQL.)

Use the following command to set and verify SPNs.

setspn -s HTTP/hostname.fqdn.etc computername 
setspn -s HTTP/hostname computername 

 SQL VMM Database

Depends on port and instance type: 

Named Instance.

Use the following command to set and verify SPNs.

setspn -s MSSQLSvc/hostname.fqdn.etc:Port computername
setspn -s MSSQLSvc/hostname.fqdn.etc:InstanceName computername

 Default Instance.

Use the following command to set and verify SPNs.

setspn -s MSSQLSvc/hostname:1433 computername 
setspn -s MSSQLSvc/hostname.fqdn.etc:1433 computername 
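
The following read-only check is an added example, not part of the original post: for one host it looks up each expected SPN in Active Directory and reports whether it is missing, registered to the expected computer account, held by a different account, or duplicated. The host name HV01, the FQDN hv01.contoso.local and the role names are placeholders, the service classes are the ones listed above, and the search covers only the current domain.

```powershell
# Added example (not from the original post). HV01 / hv01.contoso.local are placeholders.
param(
    [string]$ComputerName = 'HV01',
    [string]$Fqdn         = 'hv01.contoso.local',
    [string[]]$Roles      = @('Host', 'HyperVConsole', 'P2V', 'RDP')
)

# Service classes from the SPN list in this article; the role names are labels made up for this script.
$serviceClasses = @{
    Host          = 'HOST'
    HyperVConsole = 'Microsoft Virtual Console Service'
    P2V           = 'Microsoft Virtual System Migration Service'
    RDP           = 'TERMSRV'
    HTTP          = 'HTTP'
}

# The sAMAccountName of a computer account is the computer name plus a trailing $.
$expectedOwner = $ComputerName + '$'

foreach ($role in $Roles) {
    if (-not $serviceClasses.ContainsKey($role)) { Write-Warning "Unknown role '$role' skipped"; continue }
    foreach ($name in @($ComputerName, $Fqdn)) {
        $spn = '{0}/{1}' -f $serviceClasses[$role], $name

        # Read-only LDAP lookup in the current domain. The SPNs built here
        # contain no LDAP filter metacharacters, so no escaping is needed.
        $searcher = [adsisearcher]"(servicePrincipalName=$spn)"
        $owners = @($searcher.FindAll() |
            ForEach-Object { [string]$_.Properties['samaccountname'][0] })

        if ($owners.Count -eq 0) {
            $status = 'Missing'
            $action = 'setspn -s "{0}" {1}' -f $spn, $ComputerName
        } elseif ($owners.Count -gt 1) {
            $status = 'Duplicate'
            $action = 'Leave the SPN on exactly one account'
        } elseif ($owners[0] -ne $expectedOwner) {
            $status = 'WrongAccount'
            $action = 'Confirm which account runs the service'
        } else {
            $status = 'OK'
            $action = ''
        }
        New-Object PSObject -Property @{
            Spn = $spn; Status = $status; Owners = ($owners -join ', '); Action = $action
        } | Select-Object Spn, Status, Owners, Action
    }
}
```

The script changes nothing in the directory; for a missing SPN it only prints the setspn -s command in the form used in this article.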
 

Here are some links to some excellent articles:

  1. May 19, 2011 at 1:45 pm

    I do not even know the way I finished up here, however I thought this submit was good. I don’t know who you’re however definitely you’re going to a famous blogger for those who aren’t already😉 Cheers!

  2. May 25, 2011 at 2:13 pm

    That’s an appealing stance you took. When I look at the title, I right away had a disagreement of opinion, but I do see your side.

  3. May 30, 2011 at 2:23 pm

    Thanks for the post I actually learned something from it. Very good content on this site Always looking forward to new post.

  4. Davy Pierson
    June 2, 2011 at 5:00 pm

    Also check if the computer accounts of the VMM server have child objects of class Service-Connection-Point. Manually creating these objects as they were in the lab solved a big problem where I could only use the console locally on the VMM server.
    And if you come by a string like 02024-110-8022126-75718, this is the product id of your installation and you can find it with powershell command get-vmmserver localhost

    Hope this helps,
    Davy

  5. February 11, 2013 at 2:47 pm

    Yes! Finally something about square d qo.

  6. February 19, 2013 at 11:44 am

    Your SETSPN example code is not correct
    setspn -s "Microsoft Virtual Console Service/HOSTNAME" computername
    is the correct syntax
    The target computer account needs to be at the end of the line
    But thanks for pointing me in the right direction.

  7. August 8, 2013 at 6:10 am

    What’s up mates, pleasant article and good arguments commented here, I am really enjoying by these.

  8. April 3, 2014 at 3:16 pm

    Order of syntax corrected. Please note this was written to apply to older versions of the product. Current users of SCVMM should really be using SCVMM 2012 R2 or later at this point.
