SCVMM 2012 R2 – unable to connect to VM console

hyper-vscvmmwindows-server-2012-r2

I've added a Server 2012 R2 host to VMM 2012 R2, and created a VM on it. When I right-click on the VM and try to connect to the console, I get:

"This computer can't connect to the remote computer. Try connecting again. If the problem continues, contact the owner of the remote computer or your network administrator. (0x0904, 0x0007)"

My web searches have turned up similar errors, but have slightly different messages, telling that it's a permissions error, whereas my error is more generic, and I don't believe permissions are the problem in this instance; I built the host, I'm in the local admins on that host, and it's a test server that only I work on, so no-one else is likely to have jumped on and changed anything.

If I open Hyper-V Manager and Connect through that, it connects without problem. It's only through VMM that it's unable to connect. And VMM can connect to the VM consoles on other hosts.

If I create a new VM on the same host, I have the same problem. I even tried creating a new VM through Hyper-V manager instead, and connecting via VMM; same error.

I have the host monitored in SCOM 2012 R2 with the VMM and Hyper-V management packs, and they say it's healthy.

I'm out of ideas. Anyone else have any?

EDIT (Additional Info):

I've found that after the VM is built, I can connect to it just fine. We use SCCM to build our servers, so I tried to connect just after WinPE (we use the latest version, which has the latest Integration Services as well) has finished booting, and it connects then as well. So I'm guessing there's some sort of driver that is allowing the console to connect. So the problem seems to only be when the VM is powered off, or during POST. And it's only on hosts in this one server group/network; other hosts in other host groups/networks are fine.

Best Answer

Looks like credssp configuration issue.

1st workaround:

Put the following in a .reg file and add it to the registry:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowDefaultCredentials]
"Hyper-V"="Microsoft Virtual Console Service/*"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowDefaultCredentialsDomain]
"Hyper-V"="Microsoft Virtual Console Service/*"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowFreshCredentials]
"Hyper-V"="Microsoft Virtual Console Service/*"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowFreshCredentialsDomain]
"Hyper-V"="Microsoft Virtual Console Service/*"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowFreshCredentialsWhenNTLMOnly]
"Hyper-V"="Microsoft Virtual Console Service/*"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowFreshCredentialsWhenNTLMOnlyDomain]
"Hyper-V"="Microsoft Virtual Console Service/*"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowSavedCredentials]
"Hyper-V"="Microsoft Virtual Console Service/*"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowSavedCredentialsDomain]
"Hyper-V"="Microsoft Virtual Console Service/*"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowSavedCredentialsWhenNTLMOnly]
"Hyper-V"="Microsoft Virtual Console Service/*"

2nd workaround:

  1. Gpedit.msc
  2. Computer configuration->Admin Templates-> System->Credentials Delegation
  3. Enable allow delegating default credentials
  4. Check concatenate os defaults.
  5. Add the list of servers where credentials need to be delegated. Wild cards are supported (Ex: * indicates delegation to all targets)
  6. Gpedit /force In case of NTLM auth, you need to enable "Allow default credentials with NTLM only server auth" setting.
Related Topic