John Howard - Senior Program Manager in the Hyper-V team at Microsoft

Senior Program Manager, Hyper-V team, Windows Core Operating System Division.

Part 2 - Hyper-V Remote Management: You do not have the required permission to complete this task. Contact the administrator of the authorization policy for the computer ‘COMPUTERNAME’


Update 14th Nov 2008. I've just released a script which does all this configuration in one or two command lines: HVRemote 

Quick links to all the parts in the series: 1, 2, 3, 4 and 5

The second part of the extra-long blog post contains the steps necessary on the client machine. Part one concentrated on the server side configuration.

Step 5 (On the client)

Step 5 mirrors step 2 in the first part of this blog post, but on the client. Note also (again for convenience more than anything else), my Vista SP1 machine is actually itself a virtual machine running on the same physical machine as the server. You’ve got to love it when you can have a somewhat recursive technology ;)
 
Enable the firewall rules on the client for WMI (Windows Management Instrumentation). From an elevated command prompt, enter the following:

netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes

Make sure the command is successful and responds: Updated 8 rule(s). Ok.

If you now open “Windows Firewall with Advanced Security” from Control Panel/Administrative Tools on the start menu, you will notice that eight rules (six inbound and two outbound) have been enabled. (It helps to sort by Group.)

Step 6 (On the client)

This step creates a firewall exception for the Microsoft Management Console application (mmc.exe). From an elevated command prompt, enter the following:

Netsh firewall add allowedprogram program=%windir%\system32\mmc.exe name="Microsoft Management Console"

Make sure the command is successful and responds “Ok.”

You can verify that you succeeded in the above step by looking in the “other” Windows Firewall application. (No, I have no idea why there are two either….). Open "Network and Sharing Center" on the control panel, and click Windows firewall in the bottom left corner, then click "Allow a program through Windows Firewall" where you’ll see a new entry with the name “Microsoft Management Console”


Step 7 (On the client)

IMPORTANT!!!! You need to do this step in the following scenarios:

  • Client and server are both in a workgroup
  • Client is in a workgroup and server is in a domain
  • Client is in a domain and server is in a workgroup
  • Both client and server are in domains, but there is NO TRUST between them.  

You DO NOT NEED TO DO THIS STEP if the client and server are in either the same or trusted domains. Go to step 8.

WMI makes calls back from the server to the client. This is entirely expected (and is not Hyper-V specific). When a server is in a workgroup, the DCOM connection from the server back to the client is "anonymous". This step therefore grants the appropriate permission.

On the start menu box (yes, well spotted, I need to apply updates), type dcomcnfg and hit enter to open Component Services. If UAC is enabled, click allow when prompted or enter appropriate administrative credentials.

Expand the tree down through Component Services\Computers\My Computer, select My Computer, right-click, choose properties and select the COM Security tab.

Click Edit Limits in the Access Permissions area (do not confuse with Edit Limits in the Launch and Activation Permissions area). Select “ANONYMOUS LOGON” from the list of users, and make sure Remote Access/Allow is checked in the permissions area. Your screen should look like below.

[Screenshot: wg37]

Click OK and OK again, and close Component Services.
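
To check the result of Step 7 without clicking through dcomcnfg, the following added PowerShell example (not part of the original post) parses the machine-wide DCOM access limits and reports what ANONYMOUS LOGON is granted. It assumes the limits edited in the dialog are stored in the MachineAccessRestriction value under HKLM\SOFTWARE\Microsoft\Ole; the helper names and the two SDDL samples are constructed for illustration.

```powershell
# Added example: does ANONYMOUS LOGON hold "Remote Access" in the DCOM access limits?
$ANON_SID       = 'S-1-5-7'   # well-known SID of ANONYMOUS LOGON
$EXECUTE_LOCAL  = 0x2         # COM_RIGHTS_EXECUTE_LOCAL  ("Local Access" checkbox)
$EXECUTE_REMOTE = 0x4         # COM_RIGHTS_EXECUTE_REMOTE ("Remote Access" checkbox)

# Hypothetical helper: parse a binary security descriptor and summarise
# what its DACL grants to ANONYMOUS LOGON.
function Get-AnonymousDcomAccess {
    param([byte[]]$Descriptor)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Descriptor, 0)
    $allow = 0; $deny = 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.SecurityIdentifier.Value -ne $ANON_SID) { continue }
        if ($ace.AceQualifier -eq 'AccessAllowed') { $allow = $allow -bor $ace.AccessMask }
        if ($ace.AceQualifier -eq 'AccessDenied')  { $deny  = $deny  -bor $ace.AccessMask }
    }
    # Simplification: any deny ACE for the SID overrides its allow ACEs.
    $effective = $allow -band (-bnot $deny)
    New-Object PSObject -Property @{
        LocalAccess  = [bool]($effective -band $EXECUTE_LOCAL)
        RemoteAccess = [bool]($effective -band $EXECUTE_REMOTE)
    }
}

# Hypothetical helper: SDDL text -> binary form, used only for the samples below.
function ConvertTo-DescriptorBytes([string]$Sddl) {
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    $bytes = New-Object byte[] $sd.BinaryLength
    $sd.GetBinaryForm($bytes, 0)
    ,$bytes
}

# Constructed samples (not dumped from a real machine). SDDL rights: CC=0x1, DC=0x2, LC=0x4.
$localOnly  = ConvertTo-DescriptorBytes 'O:BAG:BAD:(A;;CCDCLC;;;WD)(A;;CCDC;;;AN)'
$withRemote = ConvertTo-DescriptorBytes 'O:BAG:BAD:(A;;CCDCLC;;;WD)(A;;CCDCLC;;;AN)'
Get-AnonymousDcomAccess $localOnly
Get-AnonymousDcomAccess $withRemote

# Live check on this machine (assumes the limits live in MachineAccessRestriction).
$ole = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole'
if ($ole.MachineAccessRestriction) {
    Get-AnonymousDcomAccess $ole.MachineAccessRestriction
} else {
    'MachineAccessRestriction is not present under HKLM:\SOFTWARE\Microsoft\Ole'
}
```

Running the live check before and after Step 7 shows whether the change took effect. The same check identifies clients that still carry the anonymous remote grant after they have been joined to the same or a trusted domain, where the step is not needed.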

Step 8 (Away from the keyboard)

Take a deep breath and pat yourself on the back. Now do that again. A third time if you like. Then double-check to make sure you followed the above steps and those in part one to the letter. You did remember the step about restarting the server, didn't you?

Step 9 (On the client)

Log on as the account you have granted permissions to (“john” in my walkthrough) on the client.

Start Hyper-V Manager from Administrative Tools on the Control Panel. Enter appropriate administrative credentials if UAC is enabled and the account is not an administrator on the client.

Click Connect to Server and enter the name of the remote machine.

Watch in awe as you get a screen like below. You can also see, it took me 2 hours, 24 minutes and 19 seconds to do this walk-through documenting it step-by-step. It should take you much less time!

[Screenshot: wg39]

Cheers,
John.

Comments
  • I'd absolutely love to see if you can get this working in your copious free time :).   I have previously played around with RPC over HTTP trying to get Outlook clients on the outside of our network to connect to the Exchange server behind our NATted firewall and failed miserably :).

  • John- I'm experiencing the same problem as Robr, but my topology is different. Instead of going through firewalls, mine is being routed by firewalls. I use ISA 2004 at two points to create a site to site VPN tunnel. Other MMC consoles seem to work, but this Hyper-V one does not. Again, it's not going through NAT, but in a routed environment.

    I would like to be kept up to date also if you could.

    -Michael

    michaelsainz@(takemeout)sunsetpres.org

  • Hahaha, you wouldn't believe how much I danced around when it worked John, you were right I had to type it in. Thank you.

    So when's this all become less of a pain in the.... ? :P

    A

  • Thank you very much! I would never have thought it would be so difficult to get Hyper-V Manager running with a remote connection. Two comments below.

    1) I installed the RC0 for Hyper-V and found both on the server and my Vista SP1 client that some new firewall rules had been added which looked very much like the WMI rules (same ports, etc.), but starting with "Hyper-V". I disabled the WMI firewall rules from your steps and everything still worked.

    2) The reason you can't copy and paste the firewall rules from the blog post is that the open and closing quotes are not the same ASCII character as the one on the keyboard :). I've seen this many times using Word as it replaces the quote character with fancy open and close quotes that the command prompt does not recognize.

  • I couldn't get this to work until I explicitly added my user name to the appropriate steps in the server portion of this guide.  Even though that user was a member of the Administrators group on the server.  This was not enough to allow the connection. The user had to be added separately. At least on my setup. Running Server 2008 Full x64 with a client running Vista Business x86 SP1.

  • The reason the shell commands don't work if you cut and paste them is because the inverted commas - ie " " don't come across right - they must be some kind of unicode character I imagine - if you paste the command into a command prompt box, then just go back and re-type the " over the existing ones, they'll work.

  • What about if Hyper-V server and Client Vista are in different domains? Do I need to create the two identical users in both domains?

  • Darin - untrusted domains or part of the same forest? If the latter, then part 4 should work. Untrusted domains has separate challenges which I'm still working through for a future part.

    Cheers,

    John.

  • robr, I ran into this error message.  Not sure if my issue is the same but it ended up being that the user account I was connecting with through Hyper-v remote management tools had an expired password.  Odd error message but that is what it ended up being for me.

  • I'm in!  Thanks so much.  There's no way I would've figured any of that out.

  • Hey it works!!!  I  hope this issue is somehow resolved in the next release.  Would be great if the setup did this for us!

  • John,

    thanks a lot for this post, it is very useful.

    But, in scenarios with Windows Live OneCare this solution doesn't work due to OneCare firewall restrictions :(

    Only one solution turn off firewall at all... :(

  • With the RTM release of Hyper-V just around the corner, I thought it would be a good idea to re-visit

  • So after even more feedback and questions, part 4 of this series provides the walkthrough steps necessary

  • YOU ROCK!!!

    thanks john, great walkthrough!!!

    /Chris
