In this tutorial, I’ll walk you through how to configure Live Migration on Hyper-V using Kerberos instead of CredSSP.
By default, CredSSP is used for authentication during a live migration between the two hosts, which requires logging into both Hyper-V servers simultaneously.
With Kerberos, you do not need to open a session on both hosts; however, you must configure constrained delegation on the computer objects in Active Directory.
To begin, configure each Hyper-V host to use Kerberos as the authentication protocol for live migration.
In the Hyper-V settings, under Live Migrations, expand Advanced Features and select Use Kerberos, click Apply, then click OK to close the settings window.
This configuration must be done on all Hyper-V servers where you will use Live Migration.
Now, we will move on to configuring Kerberos delegation on Active Directory objects.
Open the Active Directory Users and Computers console and enable the advanced features view.
In the computer object properties, go to the Delegation tab.
Select Trust this computer for delegation to specified services only and Use Kerberos only, then click the Add button.
A new window opens; click the Users or Computers button.
Select the computer object and click OK.
Once the object is selected, a list of services is displayed. Select cifs, then Microsoft Virtual System Migration Service, and click OK.
The services are added to the delegation; click Apply and OK to save.
Repeat the operation for the other computer objects, adapting it to the migrations you need to perform.
Once complete, you can return to the Hyper-V hosts and begin moving virtual machines.
It may be necessary to disconnect and reconnect to the source server for the settings to take effect.
Live migration does not work if your user account is part of the Protected Users group.
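The same procedure can be scripted and then verified. The PowerShell below is an added example, not part of the original tutorial: it applies the host setting and the delegation entries described above, then reports what each computer object is actually allowed to delegate to and checks the Protected Users restriction. HV01 and HV02 are placeholder host names, and it assumes the ActiveDirectory and Hyper-V modules are installed and that the account running it is the one that will start migrations.

```powershell
# Added example. HV01/HV02 are placeholder host names; replace with your Hyper-V hosts.
Import-Module ActiveDirectory, Hyper-V

$hvHosts  = 'HV01', 'HV02'
$services = 'cifs', 'Microsoft Virtual System Migration Service'
$operator = $env:USERNAME   # assumption: the account that will start migrations

foreach ($h in $hvHosts) {
    # Host side: same setting as "Use Kerberos" in the Hyper-V settings.
    Set-VMHost -ComputerName $h -VirtualMachineMigrationAuthenticationType Kerberos

    # AD side: SPNs (short name and FQDN) of both services on every other host.
    $wanted = foreach ($peer in ($hvHosts | Where-Object { $_ -ne $h })) {
        $fqdn = (Get-ADComputer $peer).DNSHostName
        foreach ($svc in $services) { "$svc/$peer"; "$svc/$fqdn" }
    }
    $c = Get-ADComputer $h -Properties 'msDS-AllowedToDelegateTo'
    # Add only entries that are not present yet, so the script can be re-run safely.
    $missing = @($wanted | Where-Object { $_ -notin $c.'msDS-AllowedToDelegateTo' })
    if ($missing.Count -gt 0) {
        Set-ADComputer -Identity $c -Add @{ 'msDS-AllowedToDelegateTo' = [string[]]$missing }
    }
    # "Use Kerberos only" means no protocol transition on the computer account.
    Set-ADAccountControl -Identity $c -TrustedToAuthForDelegation $false
}

# Audit: delegation should be constrained and limited to the two migration services.
$report = foreach ($h in $hvHosts) {
    $c = Get-ADComputer $h -Properties 'msDS-AllowedToDelegateTo',
                                       'TrustedForDelegation', 'TrustedToAuthForDelegation'
    $extra = @($c.'msDS-AllowedToDelegateTo' |
               Where-Object { ($_ -split '/')[0] -notin $services })
    [pscustomobject]@{
        Host               = $h
        MigrationAuth      = (Get-VMHost -ComputerName $h).VirtualMachineMigrationAuthenticationType
        Unconstrained      = $c.TrustedForDelegation          # expected: False
        ProtocolTransition = $c.TrustedToAuthForDelegation    # expected: False
        OtherDelegatedSPNs = $extra -join ', '                # expected: empty
    }
}
$report | Format-Table -AutoSize

# Accounts in Protected Users cannot be delegated, so live migration fails for them.
$sid = (Get-ADUser $operator).SID.Value
if ((Get-ADGroupMember 'Protected Users' -Recursive).SID.Value -contains $sid) {
    Write-Warning "$operator is in Protected Users; live migration will not work for this account."
}
```

Any value in OtherDelegatedSPNs, or True in the Unconstrained column, means the computer object can delegate to more than the migration requires and should be reviewed.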