Hyper-V Account Does Not Have Permission Event

[mbrinkho]

Ever since we started using One there are a bunch of events in our Hyper-V host servers Hyper-V-VMMS/Admin logs with the description "'': account does not have permission required to open attachment '\\StorageServerName\hypervstorage\vm1\VirtualMachineName\Virtual Hard Disks\W2K12R2STD_C.vhdx'. Error: 'General access denied error' (0x80070005). (Virtual machine ID )". It's event ID 12290 and the user ID is our the domain account that the Veeam One service is running under.

This only happens on the VMs that have their storage on remote servers. The domain account that One is running under has Full Control on the files. I'm guessing it's the two hop authentication thing but I'm not 100% sure. Any help on this one?

[Vitaliy S.]

Are you running these VMs on the SMB share or a CSV volume?

[mbrinkho]

They are running from the SMB 3.0 share.

[Vitaliy S.]

Do you have all performance data available for these VMs? Can you please send our technical support team collection logs for review?

[kj@marcello.no]

Hi!
Any updates on this? I'm facing the same problem... please advice

brgds

[Vitaliy S.]

The OP has never posted his case number, so I cannot update this topic with a resolution. Can you reach out to out support team directly and let me know your case ID?

[mbrinkho]

It's still happening and I just dread having to go to the VMMS logs to troubleshoot anything because this is what I get.



I had a case open #00559157 and I sent the same logs over and over again and did a couple of webex sessions to collect the exact same logs and eventually the guy that was working on it just quit trying I guess. Overall it was a frustrating support experience, being asked the same questions over and over again and then having to get into a webex to "demonstrate" the issue.

[Vitaliy S.]

mbrinkho, I will discuss your case with our dev team.

[Vitaliy S.]

mbrinkho, I have just had a quick chat with our support team leaders and it appears that we've tried to contact you, but didn't receive any replies and your case was closed. Can we open a new case and try to investigate this issue further with all the info we have now? Apologies for the inconvenience occurred.

[mbrinkho]

When I left it the ball was in Veeam's court. I would like to get it fixed though.

[Vitaliy S.]

Good, can you open a case and give a reference to this topic?

[mbrinkho]

It's opened now.

[ID#00636553] Hyper-V Account Does Not Have Permission Event

[ivoneta]

Was there ever any update to this job, I'm seeing the exact same issue.

[Vitaliy S.]

The OPs case was closed due to no response, so I cannot update the topic with a solution. Can you contact our technical guys directly and post your case ID?

[mbrinkho]

As I recall I gave up because I got tired of being asked for the same information over and over again. It felt like it was low priority because it wasn't causing anything not to work - understandable but still frustrating to me.

I was able to get some relief by setting kerberos constrained delegation for CIFS in AD. I have a powershell that I have to run whenever I add a Hyper-V server or SMB3 storage server, I'd be glad to provide it if it would help.

[Vitaliy S.]

Yes, can you please provide it and I will forward it to our QC team as additional info about this case.

[mbrinkho]

Here it is - it's not pretty but it does work for me. I've sanitized it a bit so in order to make it work you'll have to replace the relevant bits. It also adds live migration delegation but I didn't have time to strip that out. There is a much easier way to do it in Powershell using Enable-SmbDelegation but it requires that the AD forest be at Server 2012 functional level and we aren't there.

Code: Select all

# HV-SetServerDelegationInAD.ps1
# sets constrained delegation for all hyper-v servers TO all hyper-v servers in AD + SMB3 servers used for remote storage
# mostly borrowed from http://rcmtech.wordpress.com/2013/07/19/powershell-kerberos-constrained-delegation-for-hyper-v-live-migration/
# 10/8/14 Matt Brinks
# 10/23/14 MB Added SMB delegation for other HV hosts as well as live migration delegation

# OU that your servers are in in AD
$serversOU = [ADSI]"LDAP://OU=Computers,DC=MYDOMAIN,DC=LOCAL"
# DNS Suffix
$DNSSuffix = "MYDOMAIN.local"
# array of SMB3 servers to give delegation to
$smbServers = "SMB3Server1","SMB3Server2","SMB3Server3"
# empty hash table
$hvHosts = @{}
# regular expression that identifies Hyper-V hosts by name 
$hostNameRegex = 'HYPERVSERVER[0-9][0-9]'

foreach ($child in $serversOU.PSBase.Children) {
    # add each computer in the OU to the hash table
    if ($child.ObjectCategory -like '*computer*' -and $child.Name.Value -match $hostNameRegex) {
        $hvHosts.Add($child.Name.Value, $child.distinguishedName.Value)
    }
}
# create a list of short names for the hyperv hosts
$hvHostsShort = @()
foreach ($hostShortName in $hvHosts.keys) {
    $hvHostsShort += $hostShortName
    }
# add the hyperv hosts to the list of smb servers so they can access each others local drives
$smbServers += $hvHostsShort

# Process each AD computer object in the OU in turn
foreach ($hvHost in $hvHosts.values) {
    Write-Host "Setting Delegation for Hyper-V Host : $hvHost"
    foreach ($smbServer in $smbServers) {
        Write-Host ("Adding cifs delegation for $smbServer")
        Set-ADObject -Identity $hvHost -Add @{"msDS-AllowedToDelegateTo" = "cifs/"+$smbServer}
        Set-ADObject -Identity $hvHost -Add @{"msDS-AllowedToDelegateTo" = "cifs/"+$smbServer+"."+$DNSSuffix} 
        }
    # add the live migration delegation for all of the other hyperv hosts
    foreach ($hvHostShort in $hvHostsShort) {
        Write-Host ("Adding live migration delegation for $hvHostShort")
        Set-ADObject -Identity $hvHost -Add @{"msDS-AllowedToDelegateTo" = "Microsoft Virtual System Migration Service/"+$hvHostShort}
        Set-ADObject -Identity $hvHost -Add @{"msDS-AllowedToDelegateTo" = "Microsoft Virtual System Migration Service/"+$hvHostShort+"."+$DNSSuffix} 
        }
    write-host "-----------------------------------"
}

[torstende]

I have the same error on all Hyper-V cluster hosts here.
Are there any updates?

[Vitaliy S.]

If you have the same issue, please open a support case with our technical team. For further troubleshooting you can give a reference to this thread.

[torstende]

I followed the advice from mbrinko and did a bit more researching for SMB Delegation.
Here is a good article for Windows 2012 R2 environments:
http://blogs.technet.com/b/josebda/arch ... ation.aspx

After implementing the delegation the error is gone.