[SOLVED] VMM and failover cluster – WinRM error 0x803381a4

I have deployed a Storage Spaces Direct (S2D) hyper-converged solution (note: the issue is not related to S2D) and added the S2D cluster to VMM 2012 R2. Everything went fine; all hosts showed green status. But when I tried to build a highly available VM on it, I got this error (“name” is my failover cluster name):

Error (2927) A Hardware Management error has occurred trying to contact server ‘name’ .
WinRM: URL: [htt*://name:5985], Verb: [GET], Resource: [htt*://schemas.microsoft.com/wbem/wsman/1/wmi/root/mscluster/MSCluster_ResourceGroup?Name=SCVMM wwew Resources]
Unknown error (0x803381a4)
Recommended Action Check that WinRM is installed and running on server ‘name’. For more information use the command “winrm helpmsg hresult” and htt*://support.microsoft.com/kb/2742275
Running “winrm helpmsg 0x803381a4” returns the same result.

Troubleshooting steps:
1. I enabled VMMTrace to get a more detailed log after the crash, then got this information in the log:
winrm helpmsg 0x803381a4 The WinRM client cannot process the request. A computer policy does not allow the delegation of the user credentials to the target computer because the computer is not trusted. The identity of the target computer can be verified if you configure the WSMAN service to use a valid certificate using the following command: winrm set winrm/config/service @{CertificateThumbprint=””} Or you can check the Event Viewer for an event that specifies that the following SPN could not be created: WSMAN/. If you find this event, you can manually create the SPN using setspn.exe . If the SPN exists, but CredSSP cannot use Kerberos to validate the identity of the target computer and you still want to allow the delegation of the user credentials to the target computer, use gpedit.msc and look at the following policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Fresh Credentials with NTLM-only Server Authentication. Verify that it is enabled and configured with an SPN appropriate for the target computer. For example, for a target computer name “myserver.domain.com”, the SPN can be one of the following: WSMAN/myserver.domain.com or WSMAN/*.domain.com
2. The VMM, hosts and S2D cluster were reinstalled, but the issue still exists.
3. Then I tried to cross-check by connecting to another host in the cluster using “CredSSP” authentication. I found I can connect to the remote host using its FQDN, but the cluster FQDN gives me an error. This is called the double-hop issue in Windows authentication.

Solution:
1. I configured the GPO setting on VMM: “Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Fresh Credentials with NTLM-only Server Authentication” with the “wsman/clusterFQDN” suffix
2. I ran this PowerShell command on all Hyper-V hosts in the cluster: “Enable-WSManCredSSP Server”
3. I ran this PowerShell command on VMM: “Enable-WSManCredSSP Client -DelegateComputer name” (where name is the Hyper-V host FQDN)
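
To confirm the three settings above took effect, the following check can be run from an elevated PowerShell session on the VMM server. It is an added example, not part of the original post; `cluster.example.com`, `hv01.example.com` and `hv02.example.com` are placeholder names. It reads the local Credentials Delegation policy lists, flags wildcard SPNs, and repeats the CredSSP cross-check from troubleshooting step 3 against each host and the cluster name.

```powershell
# Added example: run elevated on the VMM server. The FQDNs below are placeholders.
param(
    [string]   $ClusterFqdn = 'cluster.example.com',
    [string[]] $HyperVHosts = @('hv01.example.com', 'hv02.example.com')
)

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

# Each delegation list is a subkey whose numbered string values (1, 2, ...) hold the SPNs.
function Get-DelegationSpn {
    param([string]$ListName)
    $key = Join-Path $policyRoot $ListName
    if (-not (Test-Path $key)) { return @() }
    $item = Get-Item $key
    @($item.GetValueNames() | ForEach-Object { $item.GetValue($_) })
}

# 1. Delegation policy: list the SPNs and flag wildcards, which allow delegation
#    to more machines than the cluster and its hosts.
foreach ($list in 'AllowFreshCredentials', 'AllowFreshCredentialsWhenNTLMOnly') {
    $spns = @(Get-DelegationSpn $list)
    Write-Host "${list}: $($spns -join ', ')"
    foreach ($wide in ($spns | Where-Object { $_.Contains('*') })) {
        Write-Warning "$list contains wildcard SPN '$wide'"
    }
}

# The cluster name must be covered by the NTLM-only list (exact entry or wildcard).
$ntlmOnly = @(Get-DelegationSpn 'AllowFreshCredentialsWhenNTLMOnly')
$covered  = @($ntlmOnly | Where-Object { "wsman/$ClusterFqdn" -like $_ })
if ($covered.Count -eq 0) {
    Write-Warning "wsman/$ClusterFqdn is not covered by AllowFreshCredentialsWhenNTLMOnly"
}

# 2. CredSSP client role on this machine ('true' after Enable-WSManCredSSP Client).
Write-Host "Client CredSSP enabled: $((Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value)"

# 3. End-to-end: CredSSP handshake against every host and the cluster name.
$cred = Get-Credential
foreach ($target in @($HyperVHosts) + $ClusterFqdn) {
    try {
        Test-WSMan -ComputerName $target -Authentication Credssp -Credential $cred -ErrorAction Stop | Out-Null
        Write-Host "CredSSP OK:     $target"
    } catch {
        Write-Warning "CredSSP failed: $target -> $($_.Exception.Message)"
    }
}
```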
