One of our customers, a small business owner, asked us to replace his current server. There was an old installation of Windows Server 2008 R2 installed directly on the server. Of course, we immediately decided to use the free Hyper-V Server offered by Microsoft, and utilize the two VM virtualization rights included in the Windows 2019 Standard license. For security reasons, the first VM would be used to host the domain controller and other core services, and the second VM would host file, print, and other user services.
First, I read a post here on 4sysops written by Wolfgang about the features and limitations of the free Hyper-V Server 2019. His post mentioned there is no Hyper-V Manager. At that point, I was thinking, "How am I going to manage the hypervisor? I don't really want to do everything by PowerShell or via the Windows Admin Center!"
While it is true that the Hyper-V Manager is not included in the free Hyper-V Server installation, as the installation is a Server Core version, you can still use the Hyper-V Manager installed on your Windows 10 machine and connect remotely. If you don't have Hyper-V Manager installed yet, go to Programs and Features > Turn Windows features on or off and enable Hyper-V Management Tools.
So I installed the hypervisor and did basic network configuration. At this point, as this was the first server available in my environment, I had no Active Directory domain available. The Hyper-V Server was a WORKGROUP member. Next, I opened Hyper-V Manager on my Windows 10 machine and selected Connect to Server…
Note that I used the short NetBIOS name "HVTEST" and selected Connect as another user. Once I entered the credentials and confirmed, I was prompted to Enable delegation of user credentials.
At this point, I was asked to delegate credentials to an FQDN "HVTEST.local" instead of just "HVTEST." After I clicked Yes, the following error message was returned: "Delegation of credentials to the server "HVTEST" could not be enabled."
The message also said that administrator privileges are required to enable CredSSP.
At this point, I started to search for advice on the internet. I found multiple articles. Some of them contained totally misleading information, such as modifying COM object security settings. Others, like the one in Microsoft documentation, did not contain very specific details or contained extra steps that were unnecessary. That's why I dove deep into this topic and got everything tested for you. In this post, you will find the exact steps needed to make things work.
Enable PowerShell remoting
The first step in the MS documentation is to enable PowerShell remoting on both Hyper-V server and Windows 10. But hold on a second—my Hyper-V console shows that remote management is already enabled.
It is important to mention here that after you install the Hyper-V Server, the network profile is set to Public and Remoting is still enabled.
If you try to enable PowerShell remoting on a Windows 10 machine with a Public profile set, it will fail.
So I only enable remoting on my Windows 10 machine:
Enable-PSRemoting
Enable CredSSP authentication
The next step is to enable CredSSP on my Hyper-V server.
Enable-WSManCredSSP -Role Server
Next, since I am still in a workgroup, I need to add my Hyper-V server to the TrustedHosts list on my Windows 10 machine.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "HVTEST"
I also need to enable CredSSP on my Windows 10 machine.
Enable-WSManCredSSP -Role client -DelegateComputer "HVTEST"
Modifying the local group policy
The last step to fix this issue is to modify credential delegation settings in the local group policy. In the Local Group Policy Editor (gpedit.msc), go to Computer Configuration > Administrative Templates > System > Credentials Delegation. Here you may notice that Allow delegating fresh credentials is already enabled.
This was actually configured by the Enable-WSManCredSSP command we executed. Note that two values were added – wsman/HVTEST and wsman/HVTEST.local.
I also have to enable the Allow delegating fresh credentials with NTLM-only server authentication option and add the same values for my host.
Note that it also works if I add only wsman/HVTEST.local, but will not work if I add only wsman/HVTEST.
That's it. Now I can manage my free Hyper-V Server Core with the Hyper-V Manager in a workgroup.
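The following check is an added example, not part of the original article. Run in an elevated PowerShell session on the Windows 10 client, it reads back the settings made above and lists any delegation target other than the two values the article adds. It assumes the registry path where the Credentials Delegation policies are stored and uses the article's HVTEST names, which you should replace with your own.

```powershell
# Added example (not from the article): audit the client-side CredSSP settings.
# $Expected holds the two SPNs the article configures; change HVTEST to your host.
$Expected   = 'wsman/HVTEST', 'wsman/HVTEST.local'
# Assumption: registry location backing the Credentials Delegation policies.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

function Get-DelegationList {
    param([string]$PolicyName)
    # Each policy keeps its server list as numbered string values under a subkey.
    $key = Join-Path $PolicyRoot $PolicyName
    if (-not (Test-Path $key)) { return @() }
    $item = Get-Item $key
    @($item.GetValueNames() | ForEach-Object { $item.GetValue($_) })
}

$report = foreach ($policy in 'AllowFreshCredentials',
                              'AllowFreshCredentialsWhenNTLMOnly') {
    $list = Get-DelegationList -PolicyName $policy
    [pscustomobject]@{
        Policy     = $policy
        Entries    = $list -join ', '
        # Expected SPNs that are not configured (connection will fail).
        Missing    = ($Expected | Where-Object { $_ -notin $list }) -join ', '
        # Anything else, such as a wildcard like wsman/*, widens the set of
        # hosts this machine is willing to hand credentials to.
        Unexpected = ($list | Where-Object { $_ -notin $Expected }) -join ', '
    }
}
$report | Format-List

# TrustedHosts names the hosts the client will talk to without mutual
# authentication; a value of * means any host.
$trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
"TrustedHosts : $trusted"
if ($trusted -eq '*') {
    Write-Warning 'TrustedHosts is a wildcard; list the Hyper-V host explicitly.'
}

# CredSSP client/server state as WinRM reports it.
Get-WSManCredSSP
```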
Adding the Hyper-V Server Core to the domain
If you already have Active Directory available, it is a completely different thing. Simply join the Hyper-V Server to your domain (option 1 in the Hyper-V Server console) and you are free to use the Hyper-V Manager with no further configuration. Watch out for two things—correct time settings on your Hyper-V Server and a proper DNS record available for your host. Kerberos authentication does not like incorrect time configuration and cannot be used with the IP address.
Conclusion
I really like the free Hyper-V Server offered by Microsoft as I can deploy it for my customers and fully utilize their hardware. As you can see, when you download and install the free Hyper-V Server Core, it might be a little tricky to connect to it with the Hyper-V Manager, especially if you have no domain available yet. I hope this article helped you to solve this issue with the fewest possible configuration steps. This procedure also applies to both Hyper-V Server 2016/2019 and Hyper-V Server with GUI installation.
Perfect thank you. I was missing the .local on the Trusted Hosts and CredSSP entries.
Yes FQDN is the key here 🙂 Thanks for positive feedback.
WOW!
Great article – thanks 🙂
It was the clearest and most well-explained guide I found, for setting up the remoting and creds configurations when trying to connect in a home Win10 environment.
It's such a convoluted process for something seemingly so simple.
Thanks! Happy it helped.
wow.. can’t believe this actually worked.. the “Allow delegating fresh credentials with NTLM-only server authentication to my host” part did the trick for me.
Great to see the post helped you too .)
Great, thanks a lot, it's working for me
Excellent, works like a charm.
This is the clean way to connect to a Hyper-V server without a domain environment in a workgroup network.
The other articles in the net are misleading, confusing, or just wrong. After 2 days of struggling I've found your post and it was 2 minutes to make it work, Thank you!
I'm glad it helped 🙂
Hi Leos,
exceptional deep diving in a complex topic. I lost 4 days with different success, but now it is all crystal clear. Great work well done!
It helped me, to add my 2016 core Server IP and Bios name into the hosts file (C:\Windows\System32\drivers\etc) because addressing with an IP causes further problems.