The service principal name (SPN) for Virtual Server could not be registered, so Kerberos authentication cannot be used for users accessing virtual machines by using the Virtual Machine Remote Control (VMRC) client. This may be because the computer running Virtual Server cannot access the domain controller or because Virtual Server was installed on a domain controller. If VMRC is configured to allow it, users will be authenticated by using NTLM authentication rather than Kerberos. If NTLM is not allowed, then users will not be able to access virtual machines by using the VMRC client.
The service principal name (SPN) for Virtual Server could not be registered because the computer running Virtual Server cannot access the domain controller or because Virtual Server was installed on a domain controller.
If you want to use Kerberos authentication for VMRC, then you need to do the following:
1. Ensure that the computer running Virtual Server is connected to the domain and that the domain controller is functioning.
2. If Virtual Server is installed on a domain controller, you will need to manually configure the SPN for Virtual Server, as follows:
a. From a command line on the domain controller, type "adsiedit.msc".
b. Expand Domain [domain_name], expand DC=[domain_controller], and then expand OU=Domain Controllers.
c. Right-click the domain controller on which Virtual Server is installed, and click Properties.
d. In Attributes, click servicePrincipalName, and then click Edit.
e. In Value to add, type "vssrvc/domain_controller" and click Add.
f. In Value to add, type "vssrvc/FQDN", click Add, and then click OK twice.
Notes
You must be a domain administrator to perform this task.
For domain_controller, use the NetBIOS name of the domain controller.
For FQDN, use the fully qualified domain name of the domain controller. Example: domain_controller.domain_name.com.
For more information about configuring VMRC authentication, see the topic on configuring Virtual Machine Remote Control in the Virtual Server 2005 Administrator's Guide.
Virtual Server 2005 Administrator's Guide, available at http://go.microsoft.com/fwlink/?LinkID=27540
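To confirm that steps e and f took effect, the following added example (not part of the original article or the management pack) reads the computer account's servicePrincipalName attribute, checks for both vssrvc values, and looks for the same SPN on any other account. It assumes Windows PowerShell on the domain-joined computer running Virtual Server; the variable names are illustrative.

```powershell
# Added example: check the SPN values from steps e and f on the computer object.
# Assumption: run on the domain-joined computer that hosts Virtual Server.
$ipProps  = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$netbios  = $env:COMPUTERNAME
$fqdn     = '{0}.{1}' -f $ipProps.HostName, $ipProps.DomainName
$expected = "vssrvc/$netbios", "vssrvc/$fqdn"

# Read servicePrincipalName from this computer's account (sAMAccountName ends in '$').
$searcher = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$netbios`$))"
[void]$searcher.PropertiesToLoad.Add('serviceprincipalname')
$account = $searcher.FindOne()
if (-not $account) { throw "No computer object found for $netbios." }
$registered = @($account.Properties['serviceprincipalname'])

foreach ($spn in $expected) {
    # The same SPN on more than one account makes Kerberos ticket requests for it fail.
    $holders = @(([adsisearcher]"(servicePrincipalName=$spn)").FindAll() |
                 ForEach-Object { $_.Properties['distinguishedname'][0] })
    [pscustomobject]@{
        SPN        = $spn
        Registered = $registered -contains $spn   # -contains ignores case
        Duplicate  = $holders.Count -gt 1
        HeldBy     = $holders -join '; '
    }
}
```

A row with Registered = False or Duplicate = True means Kerberos is still unavailable for VMRC, so clients will be authenticated with NTLM where VMRC allows it.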
Sample Events
The service principal name for the VMRC server could not be registered. Automatic authentication will always use NTLM authentication.
Target | Microsoft.Virtualization.VirtualServer.2005R2.VMHost |
Category | AvailabilityHealth |
Enabled | True |
Alert Generate | True |
Alert Severity | Error |
Alert Priority | Normal |
Remotable | True |
Alert Message | |
Event Log | Virtual Server |
ID | Module Type | TypeId | RunAs |
---|---|---|---|
DS | DataSource | Microsoft.Windows.EventProvider | Default |
GenerateAlert | WriteAction | System.Health.GenerateAlert | Default |
<Rule ID="Microsoft.Virtualization.VirtualServer.2005R2.VMRC_Service_principal_name_SPN_could_not_be_regiestered.rule" Enabled="true" Target="Microsoft.Virtualization.VirtualServer.2005R2.VMHost">
  <Category>AvailabilityHealth</Category>
  <DataSources>
    <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
      <LogName>Virtual Server</LogName>
      <Expression>
        <And>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery>PublisherName</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value>Virtual Server</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery>EventCategory</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value>5</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
          <Expression>
            <RegExExpression>
              <ValueExpression>
                <XPathQuery>EventDisplayNumber</XPathQuery>
              </ValueExpression>
              <Operator>MatchesMOM2005RegularExpression</Operator>
              <Pattern>^(1031|1032)$</Pattern>
            </RegExExpression>
          </Expression>
        </And>
      </Expression>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="GenerateAlert" TypeID="SystemHealth!System.Health.GenerateAlert">
      <Priority>1</Priority>
      <Severity>2</Severity>
      <AlertMessageId>$MPElement[Name="Microsoft.Virtualization.VirtualServer.2005R2.VMRC_Service_principal_name_SPN_could_not_be_regiestered_Rule.AlertMessage"]$</AlertMessageId>
      <AlertParameters>
        <AlertParameter1>$Data/EventDescription$</AlertParameter1>
      </AlertParameters>
      <Suppression>
        <SuppressionValue/>
      </Suppression>
    </WriteAction>
  </WriteActions>
</Rule>