While logged into HOST1, my user can successfully run this PowerShell command to move a running VM from HOST1 to HOST2:

Move-VM -Name DC02 -DestinationHost HOST2 -IncludeStorage -DestinationStoragePath "V:\Virtual Machines\DC02"
However, this command (which does the same thing, because HOST1 is localhost) fails:

Invoke-Command {
    Move-VM -Name DC02 -DestinationHost HOST2 -IncludeStorage -DestinationStoragePath "V:\Virtual Machines\DC02"
} -ComputerName HOST1
The error is:
Move-VM : The operation on computer 'HOST2' failed: WinRM cannot process the request. The following error with
errorcode 0x8009030e occurred while using Kerberos authentication: A specified logon session does not exist. It may
already have been terminated.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or
use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config.
+ CategoryInfo : NotSpecified: (:) [Move-VM], VirtualizationException
+ FullyQualifiedErrorId : Unspecified,Microsoft.HyperV.PowerShell.Commands.MoveVM
With verbose Kerberos logging enabled, I see this in the System event log:
A Kerberos Error Message was received:
on logon session DomainY\UserY
Client Time:
Server Time: 20:40:44.0000 12/8/2022 Z
Error Code: 0x19 KDC_ERR_PREAUTH_REQUIRED
Extended Error:
Client Realm:
Client Name:
Server Realm: DomainY
Server Name: krbtgt/DomainY
Target Name: krbtgt/DomainY@DomainY
Error Text:
File: logonapi.cxx
Line: e02
Error Data is in record data.
Q: Why does the command fail when wrapped in Invoke-Command?
Hint pointing to forest trust: the failure happens for UserY but not UserX:

- HOST1, HOST2, and UserX are on DomainX
- UserY is on DomainY
- DomainX trusts DomainY via Forest Trust
- DomainY trusts DomainX via Forest Trust
- UserX is a Domain Admin on DomainX
- UserY is a Domain Admin on DomainY (although this doesn't matter)
- UserY is in the BUILTIN Administrators group on HOST1 and HOST2 (which are in DomainX)
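As an added diagnostic example (not part of the original question), the following PowerShell runs one probe twice: directly in the interactive session on HOST1, and inside Invoke-Command to HOST1, so the two security contexts that the question compares can be put side by side. HOST1 and HOST2 are the hosts named above; the $probe script block and its output field names are constructed for this example.

```powershell
# Added example, not from the original question. Compare the Kerberos state of
# the interactive logon on HOST1 with the state inside an Invoke-Command session
# to HOST1, then attempt the onward Kerberos hop to HOST2 from each context.
$probe = {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    # klist tgt prints the cached ticket-granting ticket for the current logon
    # session. A WinRM session is a network logon that carries no credential
    # it can forward, so klist reports that the logon session does not exist,
    # the same wording that appears in the Move-VM error above.
    $tgt = (klist tgt 2>&1 | Out-String)

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        User            = $id.Name
        HasCachedTgt    = [bool]($tgt -match 'Cached TGT')
        NoLogonSession  = [bool]($tgt -match 'logon session does not exist')
        # Can this context authenticate to HOST2 with Kerberos at all?
        # Test-WSMan throws on failure; with SilentlyContinue it returns nothing.
        CanAuthToHost2  = [bool](Test-WSMan -ComputerName HOST2 `
                              -Authentication Kerberos -ErrorAction SilentlyContinue)
    }
}

# 1) Directly on HOST1 (interactive logon): a TGT is cached and HOST2 answers.
$local  = & $probe

# 2) One hop in (network logon on HOST1): no TGT, so the hop to HOST2 fails,
#    which is the situation the wrapped Move-VM runs into.
$remote = Invoke-Command -ComputerName HOST1 -ScriptBlock $probe

$local, $remote |
    Format-Table Computer, User, HasCachedTgt, NoLogonSession, CanAuthToHost2 -AutoSize
```

Running it as UserX and then as UserY shows whether the missing onward credential is specific to the cross-forest account or affects every remote session on HOST1.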