"Validate the cluster" fails immediately, and there's no CredSSP popup or message about azurestackhci-evalguide HOT 26 CLOSED

Hi, i've got the same issue when I run the cluster validation on de MGMT01 with AZSHCI\LabAdmin user logged in.

"Could not validate cluster. Error: The workflow to enable CredSSP has been completed, but there was an error. Connecting to remote server mgmt01 failed with the following error message : The WS-Management service cannot process the request. Cannot find the microsoft.sme.powershell session configuration in the WSMan: drive on the mgmt01 computer. For more information, see the about_Remote_Troubleshooting Help topic."

When i run the cluster validation with the user MGMT01\LocalAdmin, I receive the CredSSP popup to enable it, and could successfully run the validation after it!

from azurestackhci-evalguide.

Thanks both of you for troubleshooting this. I'm continuing to explore why this occurs - it seems very strange that a local account works, yet the domain account doesn't, however I can't get it to replicate in my environments.

Also, good catch on me not mentioning that you should be logged in as labadmin - it is just assumed from the previous step, but I will make a note to call this out when I have more info on the issue.

Thanks,
Matt

from azurestackhci-evalguide.

Sorry, i re-read your message and deleted my initial response, however you must have received it anyway. Outside of the workarounds we've written, Jan over on YouTube shows some steps to troubleshoot cluster validation https://youtu.be/7ONMTDzDNcM?t=5388, however he does get the CredSSP popup.

Can I check - what is your WAC version number, and also, did you join the nodes to the domain using my PowerShell, or using WAC itself?

Thanks,
Matt

from azurestackhci-evalguide.

Matt - my WAC is 1.2.2007.18002, and yes I used all the PowerShell you wrote, especially for joining nodes to the domain.
I'm watching Jan's show as of now, to chase this CredSSP thing. Thanks !

from azurestackhci-evalguide.

Great, thanks for confirming - I'm checking internally to see what a workaround could be - I've seen it once, and the documented workaround steps worked for me, but I'm checking to see what others have seen.

from azurestackhci-evalguide.

If you run the following on WAC, what results do you get?

setspn -L

from azurestackhci-evalguide.

Missing parameter: accountname

from azurestackhci-evalguide.

ahh, GitHub missed off the key word:

setspn -L nodeName

from azurestackhci-evalguide.

here are the results:
C:\Users\labadmin>setspn -L azshcinode01
Registered ServicePrincipalNames for CN=AZSHCINODE01,CN=Computers,DC=azshci,DC=local:
Hyper-V Replica Service/AZSHCINODE01
Hyper-V Replica Service/AZSHCINODE01.azshci.local
Microsoft Virtual System Migration Service/AZSHCINODE01
Microsoft Virtual System Migration Service/AZSHCINODE01.azshci.local
Microsoft Virtual Console Service/AZSHCINODE01
Microsoft Virtual Console Service/AZSHCINODE01.azshci.local
WSMAN/AZSHCINODE01
WSMAN/AZSHCINODE01.azshci.local
TERMSRV/AZSHCINODE01
TERMSRV/AZSHCINODE01.azshci.local
RestrictedKrbHost/AZSHCINODE01.azshci.local
HOST/AZSHCINODE01.azshci.local
RestrictedKrbHost/AZSHCINODE01
HOST/AZSHCINODE01

from azurestackhci-evalguide.

Can you run this on MGMT01 and the nodes?

Get-WSManCredSSP

Let me know the output for MGMT01 and each of the nodes (unless all nodes show the same message)

from azurestackhci-evalguide.

MGMT01, AZSHCINODE01 and 02 all return the same message:
The machine is not configured to allow delegating fresh credentials.
This computer is not configured to receive credentials from a remote client computer.

from azurestackhci-evalguide.

OK, so on MGMT01

$servers = "AZSHCINODE01", "AZSHCINODE02", "AZSHCINODE01.azshci.local", "AZSHCINODE02.azshci.local"
Enable-WSManCredSSP -Role "Client" -DelegateComputer "$servers"

Then reboot MGMT01.

Then once MGMT01 is back online, on each of your nodes:

Enable-WSManCredSSP -Role "Server"

Then reboot the node.

from azurestackhci-evalguide.

I did all these steps, waited 10 min after reboot before restarting WAC wizard, but "Validate the Cluster" does not go beyond the same initial step: "Could not validate cluster. Error: The workflow to enable CredSSP has been completed, but there was an error. Connecting to remote server mgmt01 failed with the following error message : The WS-Management service cannot process the request. Cannot find the microsoft.sme.powershell session configuration in the WSMan: drive on the mgmt01 computer."

from azurestackhci-evalguide.

OK, and what is the result of

Get-WSManCredSSP

On MGMT01 and the nodes as a result?

Thanks,
Matt

from azurestackhci-evalguide.

1. on MGMT01: The machine is configured to allow delegating fresh credentials to the following target(s): wsman/AZSHCINODE01 AZSHCINODE02 AZSHCINODE01.azshci.local AZSHCINODE02.azshci.local
   This computer is not configured to receive credentials from a remote client computer.
2. on AZSHCINODE01 and AZSHCINODE02: The machine is not configured to allow delegating fresh credentials.
   This computer is configured to receive credentials from a remote client computer.

from azurestackhci-evalguide.

OK thanks. I'll have to do some more investigation as unfortunately, I can't replicate the issue - each time I've walked through the process, i've been prompted for the CredSSP message, and things have been fine. I'll have to discuss internally and get back to you. Thanks for your patience.

from azurestackhci-evalguide.

Could you see if you get the same result on MGMT01, as here: https://sysadminplus.blogspot.com/2016/11/the-ws-management-service-cannot.html, when you run:

Get-PSSessionConfiguration

from azurestackhci-evalguide.

yes Matt - I get similar results on MGMT01, plus 2 other entries that looks good too:
PS C:\Windows\system32> Get-PSSessionConfiguration

Name : microsoft.powershell
PSVersion : 5.1
StartupScript :
RunAsUser :
Permission : NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed, BUILTIN\Remote
Management Users AccessAllowed

Name : microsoft.powershell.workflow
PSVersion : 5.1
StartupScript :
RunAsUser :
Permission : BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed

Name : microsoft.powershell32
PSVersion : 5.1
StartupScript :
RunAsUser :
Permission : NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed, BUILTIN\Remote
Management Users AccessAllowed

Name : microsoft.sme.credssp
PSVersion : 5.1
StartupScript :
RunAsUser :
Permission : MGMT01\LocalAdmin AccessAllowed

Again, thanks for your time in research & thinking about the issue I face.

from azurestackhci-evalguide.

@mauricehermens thx for sharing, I tried it on my system, and got the same GOOD results as yours !
@mattmcspirit seems weird to use a local account on MGMT01 to build a Domain-attached cluster.
Anyway on the "Creating a (local) cluster" chapter, nothing is mentioned about the identity that needs to be used in MGMT01 to run WAC: https://github.com/Azure/AzureStackHCI-EvalGuide/blob/main/nested/steps/4_AzSHCICluster.md#creating-a-local-cluster
Maybe some clarification in favor of AZSHCI\labadmin or MGMT01\localadmin could me mentioned there ?
Methinks the AZSHCI\labadmin should do the job anyway, hence the issue still exists.

from azurestackhci-evalguide.

I went into exactly the same problem "WSMan: drive on the mgmt01 computer" when using the https://github.com/Azure/AzureStackHCI-EvalGuide/blob/main/nested/README.md , deployment in Azure and using powershell scripts (using azshci\labadmin user on MGMT01). When trying to validate the cluster logged on as localadmin user got the error:

from azurestackhci-evalguide.

@romanboba - what happens if you try to validate when logged in as azshci\labadmin (logged in to both MGMT01, and the WAC portal as azshci\labadmin)?

Did you install WAC logged in as labadmin, or localadmin?

Thanks!

from azurestackhci-evalguide.

@romanboba - what happens if you try to validate when logged in as azshci\labadmin (logged in to both MGMT01, and the WAC portal as azshci\labadmin)?
@mattmcspirit Result is the same error : Could not validate cluster. Error: The workflow to enable CredSSP has been completed, but there was an error. Connecting to remote server mgmt01 failed with the following error message : The WS-Management service cannot process the request. Cannot find the microsoft.sme.powershell session configuration in the WSMan: drive on the mgmt01 computer.

Did you install WAC logged in as labadmin, or localadmin?
Well, to be honest , I'm not 100% sure, but I tried to follow the installation manual , so I would say I used azshci\labadmin
If you think this can be an issue , I can redeploy and reconfigure MGMT01 using azshci\labadmin.

Thanks!

from azurestackhci-evalguide.

Hello Everyone. I have the same error.
Trying to Deploy 2Node Azure Stack HCI OS.

Tryed the Local Login. No Changes.

My Error:

Validate the cluster
Error
Something went wrong with enabling the Credential Security Support Provider protocol (CredSSP). This is a known issue that may be fixed in a future Windows Admin Center update. See the known issues section of the documentation at aka.ms/deploy-hci for instructions to work around this issue.

Error
Error in cluster validation

3:40:14 PM
Source
Go to Cluster Creation.
Type
Error

Message
Could not validate cluster. Error: The workflow to enable CredSSP has been completed, but there was an error. Beim Verbinden mit dem Remoteserver "admincenter" ist folgender Fehler aufgetreten: Der WS-Verwaltungsdienst kann die Anforderung nicht verarbeiten. Die microsoft.sme.powershell-Sitzungskonfiguration kann im WSMan:-Laufwerk auf dem admincenter-Computer nicht gefunden werden. Weitere Informationen finden Sie im Hilfethema "about_Remote_Troubleshooting".

My AdminCenter is running on a German Windows Server (AdminCenter is running in English USA)
Azure Stack HCI OS is running in en_US

Any Idea where i can check?
Tryed DomAdmin and LocalAdmin

There is no CredSSP Popup

from azurestackhci-evalguide.

Hello,
Same error on the Validate Cluster step.

The Windows Admin Center was installed with the LocalAdmin account.
I have reinstalled WAC with the azshci\labadmin account and the problem was gone.

BTW, I have also changed the locale to en_US, but I don't known if it was mandatory.

from azurestackhci-evalguide.

Thanks for this @sjeanjean - I'll be working to do a full review and update of the guide next week, factoring in any changes for WAC 2009, and setting up for AKS-HCI, so i'll be sure to ensure that correct accounts are highlighted correctly.

Thanks!

from azurestackhci-evalguide.

I believe this to be fixed in the latest release, so please let me know if that's not the case and we can re-open.

from azurestackhci-evalguide.