alphaspirit - Fotolia

Two ways to authenticate a Hyper-V live migration

When performing a Hyper-V live migration, what are the options for authenticating a system sign-on before the migration begins?

Although the benefits of live migrations are well-documented, the issue of actually initiating the migration is often overlooked or ignored until it's required. Administrators then must grapple with the dynamics of signing onto the servers to perform the migration. Think about system sign-on and authentication requirements before wrestling with live migrations. And there are two ways to authenticate a sign-on for Hyper-V live migration -- Kerberos or Credential Security Support Provider.

Kerberos, which can work remotely, is typically used when remote management tools are trusted to initiate live migrations, such as through System Center. In this case, select constrained delegation through the Active Directory Users and Computers console or via PowerShell and then choose Kerberos as the preferred authentication protocol. Kerberos can provide mutual authentication, ensuring that both ends of the connection are correct.

To initiate a live migration manually using Windows PowerShell scripts, remote desktop sessions or local console management, sign on to the originating server and use Credential Security Support Provider (CredSSP) to authenticate the migration process. CredSSP is simple and easy to use, but it requires a local login to the server originating the migration. This requirement works for most small- or midsize businesses, but it might not be practical for large enterprises with multiple remote facilities that require live migrations.

The local sign-on requirement for CredSSP can pose unexpected problems when the destination server is remote. If an admin signs onto a local server A and migrates a VM to remote server B, the sign-on works without issues because server A is local. But if IT teams need to move the VM from remote server B back to local server A, it may not be possible because they'd need to sign onto server B locally to initiate the migration back to server A. This is a common oversight that has come back to trouble many overworked administrators; the migration attempt will fail -- citing that no credentials are available.

Next Steps

Check out part one of this tip series to learn how to optimize Hyper-V live migrations, then head over to part three to read about avoiding performance dips during a live migration.

Dig Deeper on Microsoft Hyper-V management