HyperV Live Migration SPNs – 442 Failed to Authenticate (0x80090303)
Good golly, I just want to move, export, or replicate a VM from one HyperV Server to another. Why is it so frustrating? Commonly received is the rror 0x80090303, meaning that a HyperV host is not allowed to make a live migration connection to another HyperV host — It must become delegated.
The reasons for why this has to be so much work (at least, per worthless Microsoft Technet articles), are beyond the scope of this article. The fix can be quick and easy. From my personal experience, I’ve only gotten CredSSP to work once after a lot of pain and agony. Kerberos through constrained delegation can work, but only if the SPNs are set correctly. Make sure both servers are joined to the same domain, and the VM to be migrated has it’s Processor expanded Compatibility Settings configured for “Migrate to a physical computer with a different process version” checked.
Delegation can be done through Active Directory Users and Computers, but then you have to get the servers to pull their new SPN settings through either a reboot or “gpupdate /force”, which even then only occasionally works.
The quick and easy fix
Take the code below, find & replace the SERVERA, SERVERB, and domain.local fields, and punch it into each server. ServerA commands entered into an administrative command prompt on Server A, and ServerB commands for Server B. By reloading the vmms service you force pull the new settings.
If you cannot find the Active Directory Attribute Editor button for “Trust this computer”, don’t worry about it, the SPNs are really what matter.
Punch in the commands, close and re-open HyperV manager on both, and give your move/export/replication another whirl.
=-=-=-=-=-=-= Hyper-V Live Migrations =-=-=-=-=-=-= Active Directory > Right-Click Machine > Properties > Delegation > Trust this computer for delegation to any service (Kerberos Only) For SERVERA setspn -S "Hyper-V Replica Service/SERVERA" SERVERA setspn -S "Hyper-V Replica Service/SERVERA.domain.local" SERVERA setspn -S "Microsoft Virtual Console Service/SERVERA" SERVERA setspn -S "Microsoft Virtual Console Service/SERVERA.domain.local" SERVERA setspn -S "Microsoft Virtual System Migration Service/SERVERA" SERVERA setspn -S "Microsoft Virtual System Migration Service/SERVERA.domain.local" SERVERA net stop vmms && net start vmms ---- For SERVER B setspn -S "Hyper-V Replica Service/SERVERB" SERVERB setspn -S "Hyper-V Replica Service/SERVERB.domain.local" SERVERB Setspn -S "Microsoft Virtual Console Service/SERVERB" SERVERB setspn -S "Microsoft Virtual Console Service/SERVERB.domain.local" SERVERB setspn -S "Microsoft Virtual System Migration Service/SERVERB" SERVERB setspn -S "Microsoft Virtual System Migration Service/SERVERB.domain.local" SERVERB net stop vmms && net start vmms