0 Votes
Raghavendrachar asked Yash-7714 edited

Azure Stack HCI - CredSSP Issue

Hi All,

I'm unable to proceed further with cluster creation in the Azure Stack HCI solution. Validation fails, asking about CredSSP.
Can you please let me know how to move forward?

Message

Could not validate cluster. Error: Connecting to remote server dut3251.s2d.local failed with the following error message : The WinRM client cannot process the request. A computer policy does not allow the delegation of the user credentials to the target computer because the computer is not trusted. The identity of the target computer can be verified if you configure the WSMAN service to use a valid certificate using the following command: winrm set winrm/config/service '@{CertificateThumbprint="<thumbprint>"}' Or you can check the Event Viewer for an event that specifies that the following SPN could not be created: WSMAN/<computerFQDN>. If you find this event, you can manually create the SPN using setspn.exe . If the SPN exists, but CredSSP cannot use Kerberos to validate the identity of the target computer and you still want to allow the delegation of the user credentials to the target computer, use gpedit.msc and look at the following policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Fresh Credentials with NTLM-only Server Authentication. Verify that it is enabled and configured with an SPN appropriate for the target computer. For example, for a target computer name "myserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or WSMAN/*.domain.com. Try the request again after these changes. For more information, see the about_Remote_Troubleshooting Help topic.

azure-stack-hci

0 Votes
DuaneBourgeois-5120 answered

Were your hosts domain joined prior, or did you use WAC to join the servers to the domain? If you run "setspn -L <hostname>" from PowerShell on the WAC machine, do you see WSMAN entries in the results? If not, try restarting the WSMAN service on each host and try again.
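
The checks suggested in this answer and in the error message above, collected into a read-only PowerShell script as an added example (not part of the original answer and not Microsoft's tooling). The node names are placeholders, and the registry path is where the "Allow Fresh Credentials with NTLM-only Server Authentication" policy named in the error message stores its SPN list.

```powershell
# Added example: read-only checks, run from the management (WAC) machine.
# Node names are placeholders; replace them with your cluster nodes' FQDNs.
param(
    [string[]]$Nodes = @('node1.example.local', 'node2.example.local')
)

function Test-NodeWsman {
    param([string]$Fqdn)

    $short = $Fqdn.Split('.')[0]

    # 1. SPNs registered on the computer account (what "setspn -L" prints).
    $spnOutput = & setspn.exe -L $short 2>&1
    $wsmanSpns = @($spnOutput | ForEach-Object { "$_".Trim() } |
                   Where-Object { $_ -like 'WSMAN/*' })

    # 2. Can WinRM authenticate to the node with Kerberos, without CredSSP?
    $kerberosOk = $true
    try {
        Test-WSMan -ComputerName $Fqdn -Authentication Kerberos -ErrorAction Stop | Out-Null
    } catch {
        $kerberosOk = $false
    }

    [pscustomobject]@{
        Node       = $Fqdn
        WsmanSpns  = $wsmanSpns -join ', '
        HasFqdnSpn = $wsmanSpns -contains "WSMAN/$Fqdn"
        KerberosOk = $kerberosOk
    }
}

$Nodes | ForEach-Object { Test-NodeWsman -Fqdn $_ } | Format-Table -AutoSize

# 3. Local CredSSP state: which targets this machine may delegate credentials to.
Get-WSManCredSSP

# 4. SPN list of the NTLM-only fresh-credentials policy, if it is configured.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly'
if (Test-Path $key) {
    $props   = Get-ItemProperty -Path $key
    $allowed = (Get-Item $key).Property | ForEach-Object { $props.$_ }
    'Delegation allowed to:'; $allowed
    # Wildcard entries delegate credentials to every matching host; show them separately.
    'Wildcard entries:'; $allowed | Where-Object { $_.Contains('*') }
} else {
    'Policy list not configured on this machine.'
}
```

A node with `HasFqdnSpn` true and `KerberosOk` false points away from a missing SPN and toward the Kerberos logon session or the delegation settings.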


0 Votes
Yash-7714 answered

Hi @Raghavendrachar and @DuaneBourgeois-5120

setspn -L <hostname> is returning WSMAN entries but my cluster registration is still failing with the same error as above.

Any help would be appreciated.


0 Votes
RandyRandolf-9431 answered

So you want to use CredSSP for Live Migration, or Kerberos?

And did you configure the delegation options in the AD objects of the hosts?


0 Votes
Yash-7714 answered Yash-7714 edited

Hi @RandyRandolf-9431

We have deployed an Azure Stack HCI cluster, and now we are trying to register the cluster with Azure, but that process is failing with the following error:


[hci01.exampledomain.com]: PS C:\Users\Administrator.exampledomain\Documents> Register-AzStackHCI -SubscriptionId XXXXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXXXX -ComputerName HCI01.XXXXXXX.com


Register-AzStackHCI : Connecting to remote server HCI01.exampledomain.com failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x8009030e occurred
while using Kerberos authentication: A specified logon session does not exist. It may already have been terminated.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OperationStopped: (:) [Write-Error], PSRemotingTransportException
+ FullyQualifiedErrorId : System.Management.Automation.Remoting.PSRemotingTransportException,Register-AzStackHCI

Exception occured in Register-AzStackHCI : At C:\Program Files\WindowsPowerShell\Modules\Az.StackHCI\0.8.0\Az.StackHCI.psm1:1947 char:39
+ ... $clusterNodeSession = New-PSSession -ComputerName $ComputerName
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Register-AzStackHCI
