Home > Tintri VMstore™ > Knowledge Base > Kerberos Constrained Delegation and VMstore

Kerberos Constrained Delegation and VMstore

Applies To

 

Product(s): All

Product Version(s): 3.1.1 and later

Overview

 

Applications and services using Kerberos may at times need to request that a remote service perform an authenticated network request on its behalf. This is at times referred to as a double-hop and breaks security enforced by Kerberos. Recent Active Directory versions allow administrators to make specific exceptions to allow this behaviour using something called constrained delegation. This article doesn't aim to replace any of the Microsoft Active Directory documentation on constrained delegation, but does seek to detail the Tintri VMstore specifics.

The Simple Case: Remote Hyper-V Management

Consider a case where an administrator has Hyper-V Manager on their Windows desktop client (winpc.vmlevel.com for example) and is using it to maintain a Hyper-V host (hyperv01.vmlevel.com). The credentials that the administrator logged into the Windows PC as are used to authenticate them against the Hyper-V host when using Hyper-V Manager.

 

If the Hyper-V host is configured to use an SMB share on a Tintri VMstore (vmstore01-data.vmlevel.com for example) and the administrator wishes to perform some management operation on any VM, such as starting it, the Hyper-V host will need to re-use the administrator's credentials to establish a session with the VMstore.

 

For the Hyper-V host to be allowed to pass on these credentials in a Kerberos ticket, constrained delegation must be configured or Active Directory will not issue a service ticket at all. This is done using the following steps:

  1. Locate the Hyper-V host's computer account in Active Directory.
  2. Open the Delegation tab.
  3. Select Trust this computer for delegation to specified services only (Kerberos).
  4. Select Use Kerberos Only.
  5. Add the cifs/ service principal name of the VMstore (for example, cifs/vmstore01-data.vmlevel.com).
  6. Hit OK.

This must be done for all SMB servers (including all VMstores) that this Hyper-V host will be accessing using constrained delegation.

The Complex Case: VM Migration

In the case where we have multiple Hyper-V hosts managing VMs stored on an SMB server, such as Tintri VMstore, the constrained delegation process may still apply. If the Hyper-V's VM Migration functionality is to be used, for example, constrained delegation is likely to come into play again.

 

The process for configuring constrained delegation in this case is identical to the section above. However the process must be performed for all Hyper-V hosts to allow them to use delegated credentials for all of the cifs/ services of all of the relevant VMstores.

 

You must to post a comment.
Last modified

Tags

Classifications

This page has no classifications.