add-vmdisk error when executing from remote host

Nov 11, 2009 at 5:55 PM

Hello,

 

I am using the R2-RC release.  I am trying to execute add-vmdisk on machine A to connect an ISO that is located on machine B to a VM on machine C.  My syntax is like this:

 

$vm = get-vm <vm-name> -server <machine_C>

add-vmdisk -vm $vm -controllerid 0 -lun 1 -VHDPath \\<machine_B>\<share>\<path-to-ISO> -DVD

 

I get an error from powershell

Test-wmiResult : Failed to add ISO Disk Image to <vmname>, return code'<vmname> failed to add device 'Microsoft Virtual CD/DVD Disk'. (Virtual mach
ine ID 018D94F7-9DBB-4CA4-8F61-2A23D38C92C4)
'<vmname>': User Account does not have sufficient privilege to open attach
ment '<\\machine_B>\<share>\<path-to-ISO>. Error: 'General access denied error' (0x80070005). (Virtual m
achine ID 018D94F7-9DBB-4CA4-8F61-2A23D38C92C4)
At D:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\hyperv\VMConfig.ps1:56 ch
ar:43
+             if ( ($result | Test-wmiResult <<<<  -wait:$wait -JobWaitText ($l
str_CreateHW -f $Rasd.ElementName)`
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorExcep
   tion
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorExceptio
   n,Test-wmiResult

 

The event log on the Hyper-V host has a similar error.  I used the same syntax successfully when executing the powershell cmd on the Hyper-V host itself.  I can't find any permissions errors in audit logs.  Any ideas?

 

thanks!

Martin

Coordinator
Nov 12, 2009 at 3:24 PM

You will have the same problem if you try to do this from the GUI. You need to give the machine (not your user account) permission to the ISO. I think John Howard has a blog post on this  - will try to find more info for you.

 

 

Nov 13, 2009 at 2:56 PM

I agree that it also happens using the GUI from a remote machine. Are you thinking that setting up constrained delegation such as described here:

 

http://virtuallyaware.spaces.live.com/blog/cns!549C424F228D6040!175.entry

 

will fix it? 

thanks

Martin

Nov 16, 2009 at 3:20 PM

Constrained delegation does in fact fix this problem.  Essentially you need the same configuration as you need so that SCVMM 2008 R2 can Share an ISO to a VM.

Assume
  machine A will execute the powershell script

  machine B hosts the VM

  machine C hosts the ISO (shared via windows file share)

User account used to execute the script on Machine A must have read access (or more) to the ISO file on machine C

Machine B's machine account (B$) must have read access (or more) to the ISO file on machine C

Machine B's AD object must be configured with constrained delegation allowing delegation to machine C, using Any authentication protocol, for service cifs (SMB)

thanks!

Martin

 

 

Feb 11, 2011 at 11:21 PM

We have configured constrained delegation but we still have the same issue and same error being seen.

Is there any other thing we need to configure to resolve the issue.

 

Feb 12, 2011 at 4:26 PM

Hi,

 

Make sure that in your constrained delegation setup you chose "use any authentication protocol"; I don't think this is the default.

 

Martin

Feb 12, 2011 at 6:59 PM

Thanks Martin.

Yes, we do have this option selected and problem still being seen.

Feb 14, 2011 at 4:15 PM

Martin,

We are running windows 2008 R2 Enterprise edition, does it matter?

I have re-verified constraint delegation and verything looks good.

NiviRavi

Feb 14, 2011 at 10:45 PM

Hi Martin,

It works great only if have  -VHDPath \\<machine_B>\<share>\<path-to-ISO> -DVD   and does not work if we give  -VHDPath \\<ipaddress of Machine B>\<share>\<path-to-ISO> -DVD  .

Any ideas to resolve this?

 

Ravi

 

 

Feb 15, 2011 at 1:26 PM

I don't remember trying that scenario.  Can you configure constrained delegation while identifying machine B by IP instead of name?

 

Martin