Constrained Delegation and Hyper-V

Constrained Delegation is a topic covered elsewhere in detail. Much of it tends to be described quite abstractly, given that it applies to many services in the Microsoft ecosystem.

In this short article, we’ll talk about how it specifically applies to Hyper-V and SMB storage such as Tintri’s VMstore array.

Kerberos delegation is a deliberate exception to the normal Kerberos model: it lets a service impersonate a user when it talks to another service. Constrained delegation gives an administrator more granular control over which target services that impersonation may be used against.

There are two common use cases in the Hyper-V space that illustrate how constrained delegation works and why it’s necessary.

  1. Alice uses Hyper-V Manager on her Windows 10 PC to manage VMs on a Hyper-V host, where the VMs are stored on an SMB share.
  2. Bob uses Failover Cluster Manager to migrate a running VM from one Hyper-V host to another Hyper-V host, where the VM is stored on an SMB share.

In both of these cases, the remote management requests are made by Alice's and Bob's applications, as themselves, to a Hyper-V host. For the services on the Hyper-V hosts to then make requests to the storage safely, they need to do so on behalf of Alice or Bob; that is impersonation.

This can only be done for hosts and services that have been allowed to perform this delegation by an Active Directory administrator.

[Figure: ConstrainedDelegation]

In Alice’s case, she would:

  1. Right-click the computer account of the Hyper-V host in Active Directory Users and Computers, then
  2. Hit Properties and then find the Delegation tab.
  3. In the Delegation tab, Alice could select Trust this computer for delegation to specified services only, and Use Kerberos Only, and then
  4. Add the SMB storage array (the Tintri VMstore in her case), selecting the cifs/… service principal name(s).

When adding a storage array that the Hyper-V host may delegate to, she is presented with all of the applicable services for that array. None of them need to be added apart from the cifs/… service, which represents the SMB protocol service.

Bob would follow the same process for all of his Hyper-V hosts in the cluster.
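As an added example (not from the original post or from Tintri), the same configuration done with the ActiveDirectory PowerShell module instead of the Delegation tab, plus an audit that shows which computers hold delegation rights and whether any of them have been widened beyond "Kerberos only". The host names HV01, HVCLUSTER and the array FQDN vmstore01.corp.example are assumptions.

```powershell
# Added example. Writes the same AD attributes the ADUC Delegation tab writes:
# msDS-AllowedToDelegateTo (the cifs/ SPNs of the array) with "Use Kerberos only"
# (no protocol transition, no unconstrained delegation). Names are assumed.
Import-Module ActiveDirectory

function Set-HyperVSmbDelegation {
    param(
        [Parameter(Mandatory)] [string[]] $HyperVHost,   # computer account names
        [Parameter(Mandatory)] [string]   $StorageArray  # FQDN of the SMB array
    )
    # The Delegation tab adds both the FQDN and the short-name cifs/ SPNs.
    $spns = @("cifs/$StorageArray", "cifs/$($StorageArray.Split('.')[0])")
    foreach ($name in $HyperVHost) {
        $computer = Get-ADComputer -Identity $name
        # "Trust this computer for delegation to specified services only"
        Set-ADComputer -Identity $computer -Add @{ 'msDS-AllowedToDelegateTo' = $spns }
        # "Use Kerberos only": clear unconstrained delegation and protocol transition
        Set-ADAccountControl -Identity $computer -TrustedForDelegation $false -TrustedToAuthForDelegation $false
    }
}

function Get-DelegationAudit {
    # Every computer that has constrained delegation configured or is marked
    # TRUSTED_FOR_DELEGATION (UAC bit 0x80000 = 524288, i.e. unconstrained).
    $filter = '(|(msDS-AllowedToDelegateTo=*)(userAccountControl:1.2.840.113556.1.4.803:=524288))'
    Get-ADComputer -LDAPFilter $filter -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation |
        Select-Object Name,
            @{ n = 'AllowedTo';     e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } },
            @{ n = 'Unconstrained'; e = { $_.TrustedForDelegation } },       # should be False
            @{ n = 'AnyProtocol';   e = { $_.TrustedToAuthForDelegation } }  # should be False for Kerberos only
}

# Alice's case: a single Hyper-V host.
Set-HyperVSmbDelegation -HyperVHost 'HV01' -StorageArray 'vmstore01.corp.example'

# Bob's case: every node of the failover cluster (FailoverClusters module).
Set-HyperVSmbDelegation -HyperVHost (Get-ClusterNode -Cluster 'HVCLUSTER').Name -StorageArray 'vmstore01.corp.example'

# Review the result; any True in Unconstrained or AnyProtocol is wider than the article's configuration.
Get-DelegationAudit | Format-Table -AutoSize
```

Run with an account that can modify computer objects; the audit function alone only needs read access to the domain.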
