Live Migration and Storage Migration Without Constrained Delegation Using PrincipalsAllowedToDelegateToAccount


In my post yesterday (Remote Administration Without Constrained Delegation Using PrincipalsAllowedToDelegateToAccount) I showed how to use the new resource-based Kerberos constrained delegation to configure remote administration of Hyper-V over SMB.  The other place where Hyper-V requires constrained delegation for remote management is standalone (non-clustered) live migration, as well as storage migration.  The good news is that the same functionality works for these scenarios as well.

Basic Configuration

In the example below we first get the Active Directory computer object for the destination Hyper-V server and then set its PrincipalsAllowedToDelegateToAccount to the Active Directory computer object of the source Hyper-V server.  In the background this sets the msDS-AllowedToActOnBehalfOfOtherIdentity property to an NT security descriptor containing the source Hyper-V server's computer account.  Note that this replaces whatever principals were already listed on the destination.  If you want live migration in both directions (which typically you would) then you need to run this a second time with the source and destination swapped.

Get-ADComputer -Filter {Name -Like "DestinationHVServer"} | Set-ADComputer -PrincipalsAllowedToDelegateToAccount (Get-ADComputer -Filter {Name -Like "SourceHVServer"})

Advanced Configuration

The function below does a much more complete job of configuring PrincipalsAllowedToDelegateToAccount.  It adds the appropriate entries for both migration directions, and it reads in the existing entries first so that previously configured principals are preserved.

function Add-Hyper-V-LiveMigrationHosts
{
    Param
    (
        [Parameter(Mandatory = $true)]
        [String[]]
        $HyperVHosts
    )

    # Look up each host's computer object together with its current
    # msDS-AllowedToActOnBehalfOfOtherIdentity security descriptor.
    $HvAdObj = @()
    foreach ($HvHost in $HyperVHosts)
    {
        $HvAdObj += Get-ADComputer -Filter {Name -Like $HvHost} `
            -Properties msDS-AllowedToActOnBehalfOfOtherIdentity
    }

    for ($destinationCtr = 0; $destinationCtr -lt $HvAdObj.Count; $destinationCtr++)
    {
        # Start from the principals already allowed to delegate to this host so
        # that previously configured entries are preserved.
        $delegationPrincipals = @()
        foreach ($AllowedAccount in `
            $HvAdObj[$destinationCtr]."msDS-AllowedToActOnBehalfOfOtherIdentity".Access)
        {
            # IdentityReference is DOMAIN\NAME$; keep only the sAMAccountName part.
            $samAccountName = $AllowedAccount.IdentityReference.Value
            $samAccountName = $samAccountName.Remove(0, ($samAccountName.IndexOf("\") + 1))

            $delegationPrincipals += Get-ADComputer -Filter `
                {SamAccountName -Like $samAccountName}
        }

        # Add every other Hyper-V host as a permitted source for this destination.
        for ($sourceCtr = 0; $sourceCtr -lt $HvAdObj.Count; $sourceCtr++)
        {
            if ($sourceCtr -ne $destinationCtr)
            {
                $delegationPrincipals += $HvAdObj[$sourceCtr]
            }
        }

        # Write the combined, de-duplicated list once per destination. Calling
        # Set-ADComputer inside the source loop would rebuild the list from the
        # stale in-memory copy each time and keep only the last source added.
        $delegationPrincipals = $delegationPrincipals | Sort-Object DistinguishedName -Unique
        $HvAdObj[$destinationCtr] | `
            Set-ADComputer -PrincipalsAllowedToDelegateToAccount $delegationPrincipals
    }
}
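To check the result, here is an added example (not code from the original post): the function below reads PrincipalsAllowedToDelegateToAccount back for each host, reports which source hosts are configured or missing for each destination, and flags any principal on the attribute that is not one of the listed hosts, since every entry there is an account that may act on behalf of other users against that server. It assumes the Active Directory module returns the attribute as a collection of distinguished names, and the host names are the same placeholders used above.

```powershell
function Test-HyperVLiveMigrationDelegation
{
    Param
    (
        [Parameter(Mandatory = $true)]
        [String[]]
        $HyperVHosts
    )

    # Distinguished names of the hosts that are expected to be allowed to
    # delegate to each other.
    $expected = foreach ($h in $HyperVHosts) { (Get-ADComputer -Identity $h).DistinguishedName }

    foreach ($destination in $HyperVHosts)
    {
        # PrincipalsAllowedToDelegateToAccount is the friendly view of
        # msDS-AllowedToActOnBehalfOfOtherIdentity: the DNs of the accounts
        # that may act on behalf of other identities against this host
        # (assumed here to come back as DN strings).
        $dest = Get-ADComputer -Identity $destination -Properties PrincipalsAllowedToDelegateToAccount
        $actual = @($dest.PrincipalsAllowedToDelegateToAccount)

        foreach ($sourceDn in $expected)
        {
            if ($sourceDn -eq $dest.DistinguishedName) { continue }
            $status = if ($actual -contains $sourceDn) { 'Configured' } else { 'Missing' }
            [PSCustomObject]@{ Destination = $destination; Principal = $sourceDn; Status = $status }
        }

        # Anything else on the attribute was not placed there by the migration
        # setup and should be reviewed.
        foreach ($extraDn in ($actual | Where-Object { $expected -notcontains $_ }))
        {
            [PSCustomObject]@{ Destination = $destination; Principal = $extraDn; Status = 'Unexpected' }
        }
    }
}

# Placeholder host names, as in the post; substitute your own.
Test-HyperVLiveMigrationDelegation -HyperVHosts 'SourceHVServer', 'DestinationHVServer' | Format-Table
```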

-taylorb