VMM 2012: VM Console Error (0×0107, 0×0000)

0×0107, 0×0000After an initial/clean installation of VMM, I was getting the following error message, “(0×0107, 0×0000)” upon trying to connect to VM via console in VMM. I was also getting password prompts several times and it was not accepting any valid credentials. There were no issues with opening the console through Hyper-V Console remotely.

Workaround

First, I found a workaround by importing Hyper-V host certificate onto VMM. To do this, you need to export the certificate from the host:

Be careful here, you need to select “service account” while adding the certificate mmc on Hyper-V host, then locate Windows Remote Management (WS-Management) under services.

service account

Windows Remote Management (WS-Management)

Then under “WinRMTrusted Root Certification Authorities”, export host certificate. This certificate needs to be imported into “Trusted Root Certification Authorities” section under computer account on VMM host.

While I was doing this, I had been thinking why I need to do this as all the servers in my setup were in the same domain and I thought the behavior is similar to Kerberos double-hop delegation issues.  Thinking that I started investigating the SPNs.

Fix: SPNs

First, for more information about what SPN (Service Principal Names) is, please visit http://blogs.msdn.com/b/autz_auth_stuff/archive/2011/04/28/what-is-spn-and-why-should-you-care.aspx

When I checked SPNs, all servers was missing two imported SPNs that needs to be registered in the hosts’ computer account. These are:

Microsoft Virtual System Migration Service/

Microsoft Virtual Console Service/

These needs to have both hostname and FQDN at the end of “/” (see below)

(I also added “Hyper-V Replica Service/” just in case)

For SCVMM: SCVMM/

 

Apparently, the user account that I used to install VMM agent did not have rights to create SPNs in the respective OU (the environment was restrictive; so be careful in such installations as the user (run as account) pushing VMM agent needs to have rights to register SPNs on computer accounts).

SPNs can be registered with setspn and the syntax is:

Example:

To list registered SPNs: setspn –L myhost1

To register SPNs: setspn -S http/myhost1 myhost1

 

Below is screenshot of my demo environment showing the SPNs registered:

setspn –L

Then I removed the certs and all things started working again normally.

Bulent Tolu

Bulent Tolu

Sr. Systems Engineer at VMware
Bulent is an IT professional with Master's in MIS and 10-years of experience in broad range of Information Technologies. He is exposed to engineering/architecting, implementation/integration, and administration of various high-available IT systems and infrastructure. He has a passion to continually research, test and evaluate new technologies and follow industry best practices to secure and optimize IT systems. Currently, he lives in Istanbul and works as a Sr. Systems Engineer at VMware.
Bulent Tolu

Leave a Reply

Your email address will not be published. Required fields are marked *

Post Navigation

Share
Translate »