During some more playing around on my server I decided to install some remote desktop services that subsequently hosed my VM host. After fixing the issues so I could at least get into my VM’s, I?then?started running into auth issues in SCVMM (system center virtual machine manager). The first problem was a constant requirement for me to enter my password for each VM. If I clicked a VM in SCVMM it popped up asking for my user and complaining that the systems?administrator?does not allow cached credentials. Wait, but I’m the sys admin and of?course?I allow my own cached credentials. Silly server. This was a fairly easy fix after hunting around in the local group policy, here are the steps to resolve it.
1. Open gpedit.msc (local group policy, NOT the domain GPO).
2. Navigate to Computer Config –>?Administrative?Templates –> System –> Credentials Delegation.
3. Enable each one of these and configure. To configure, first enable and then click on the show button and add a * to the list for any computer, or you can add your remote machine name or host server name depending on how you connect to SCVMM and your security requirements.
- Allow delegating default credentials with NTLM-only server Authentication
- Allow delegating fresh credentials with NTLM-only server Authentication
- Allow delegating saved credentials with NTLM-only server Authentication
- Allow delegating default credentials
- Allow delegating fresh credentials
- Allow delegating saved credentials
4. After those are enabled run a gpupdate /force on the host and restart SCVMM console, voila no more credentials warnings.
Yay, that’s fixed but this immediately led to a new problem, now every time I clicked on a VM in SCVMM it told me it could not authenticate because of a bad cert. Somewhere along the line a new cert was created for the host. This was really easy to fix as well since the error told me exactly what to do. When I viewed the cert it said to add it to the trusted CA root, so I noted the expiration date and then loaded up certificates, exported it, and added it into the trusted CA root. Here’s how.
1. When you get the error, click on view certificate and note the expiration date and issued to so it is easier to find.
2. Run MMC and load the certificates snapin.
3. Click on personal certificates and export the cert with the matching expiration date and issued to name. Export it as a PFX so it includes the private key and use a password. (You have to since you’re exporting the private key, I mean anyone could get that cert and then auth as you and even on a test server in a basement at home this could be bad 😛 )
4. Import the cert into the Trusted Root Certificates Authorities.
5. Restart SCVMM console and voila no cert warnings, can remote connect and view VM’s.