Oct 15 2018 02:41 AM - edited Oct 15 2018 02:43 AM
I installed Windows Admin Center; it's great and working fine, but one of the things it advises me to do is to turn off CredSSP on servers. However, when I use the Updates link on the cluster page, it tells me that it needs to turn on CredSSP. Is this a must, or is there another way?
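An added example, not part of the original thread: a PowerShell audit of where CredSSP is currently enabled, which is the state the advice mentioned in the post above concerns. The node names are placeholders, and the script assumes an elevated session with WinRM running on the gateway and PowerShell remoting available to the nodes.

```powershell
# Added example (not from the thread): report CredSSP state on the gateway and on cluster nodes.
# $Nodes holds placeholder names; replace them with your own servers.
param(
    [string[]]$Nodes = @('node-01.example.test', 'node-02.example.test')
)

# Policy key written when the CredSSP client role is enabled with delegation targets.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'

# Local (gateway) side: is the CredSSP client enabled, and to which targets may it delegate?
$clientEnabled = (Get-Item -Path WSMan:\localhost\Client\Auth\CredSSP).Value
$targets = @()
if (Test-Path -Path $policyKey) {
    $key = Get-Item -Path $policyKey
    $targets = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
}

[pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    Role              = 'Client'
    CredSSPEnabled    = $clientEnabled
    DelegationTargets = $targets -join ', '
    # A wildcard target (for example wsman/*) delegates credentials far more widely than one named host.
    WildcardTarget    = [bool]($targets | Where-Object { $_ -match '\*' })
}

# Remote side: does each node accept delegated credentials (CredSSP server role)?
Invoke-Command -ComputerName $Nodes -ScriptBlock {
    [pscustomobject]@{
        Role           = 'Server'
        CredSSPEnabled = (Get-Item -Path WSMan:\localhost\Service\Auth\CredSSP).Value
    }
} | Select-Object PSComputerName, Role, CredSSPEnabled
```

Where a role is reported as enabled and is no longer needed, `Disable-WSManCredSSP -Role Client` on the gateway and `Disable-WSManCredSSP -Role Server` on a node turn it off again.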
Aug 21 2019 05:25 PM
Thanks for confirming service mode. We are currently changing how the JEA endpoint that we use to configure CredSSP client on the gateway is configured to fix the issues reported. One of the design goals was to not require that every user of the Windows Admin Center needed to be an administrator of the gateway host server to configure CredSSP.
Is it possible to use desktop mode until the service mode fixes are available? Desktop mode seems to be working more reliably... If you try desktop mode and have problems please let me know.
Aug 21 2019 05:29 PM
Are you running the Admin Center gateway in service mode on a server or in desktop mode on a client machine?
If you are running in service mode there are known issues with how we implemented CredSSP configuration of the gateway. We are currently fixing those issues and will have a new release soon.
If you are running desktop mode and having issues can you reply with the results from Get-ExecutionPolicy?
Aug 21 2019 06:04 PM
The WAC gateway is running as a service on a Windows Server 2019 virtual machine. I will try running it on my workstation in desktop mode to get the diagnostics information. I didn't think about trying that.
Oct 11 2019 01:54 PM - edited Oct 11 2019 01:56 PM
Same issue here - following. Using 1909 v1.2.1909.03002 on a guest VM (gateway), WinRM over HTTPS, Hyper-V 2019 Cluster, and I haven't configured Kerberos for SSO yet.
Oct 18 2019 12:09 PM
Paul, can you be more specific about the error you are seeing with your 1909 server mode gateway?
Oct 18 2019 12:53 PM
First I log in to WAC, then I Manage the Hyper-V cluster, then I click "Updates"
After 30 seconds or so I get this
WinRM over HTTPS is working fine for the cluster and two hosts in the cluster. Is it trying to talk to other guest VMs managed by the cluster/hosts as well?
Oct 24 2019 05:34 PM
Oct 28 2019 05:33 PM
Nov 08 2019 05:26 PM
Nov 08 2019 06:00 PM
@galenb thanks - also to clarify, we're not blocking WinRM over HTTP requests either. Ports are open for both.
Nov 20 2019 04:38 AM
Hi @galenb,
Any update on this? Got exactly this issue and identical to what others have reported here.
Deploying WAC as the primary admin method for a new Azure Stack HCI deployment for a client and just cannot get past this CredSSP issue... Delegation seems fine other than updates and diagnostics.
Thanks
Nov 20 2019 07:40 AM
For us, upgrading to version 1910 (Build 1.2.1910.31005) resolved the CredSSP issue. However, we wanted to use this for the Updates feature, especially cluster-aware updates on our HCI. Now, when we click "Updates" from the Tools side menu in WAC, CredSSP passes and we're prompted with a "Let's get you set up" message. It says,
To continue, we need to set up a few things:
When you click "Go for it" it immediately fails with an error notification that reads:
Failed to configure cluster aware update role to the cluster. Error: (1) RemoteException: Unable to validate that the cluster supports the Cluster-Aware Updating role. An unknown validation error occurred on node "corp-hci-01". Additional information: (ClusterUpdateException) Failed to run script "Validation Script": (PSRemotingTransportException) Connecting to remote server corp-hci-01 failed with the following error message : The WinRM client sent a request to an HTTP server and got a response saying the requested HTTP URL was not available. This is usually returned by a HTTP server that does not support the WS-Management protocol. For more information, see the about_Remote_Troubleshooting Help topic. ==> (PSRemotingTransportException) Connecting to remote server corp-hci-01 failed with the following error message : The WinRM client sent a request to an HTTP server and got a response saying the requested HTTP URL was not available. This is usually returned by a HTTP server that does not support the WS-Management protocol. For more information, see the about_Remote_Troubleshooting Help topic. (2) RemoteException: Validation failed for adding CAU cluster role.
So I'm pretty much done with caring about it. It's super frustrating that Microsoft's software is so incomplete. I wonder if any of their products go through testing. Our HCI setup is completely standard and out-of-the-box. We purchased it through a certified hardware reseller. And basic features haven't worked.
Dec 03 2019 12:21 PM
Desktop or Service mode gateway? Which version of Windows Admin Center are you using? Versions prior to 1910 were broken for CredSSP in Service mode.
Getting a .har file that captures the failure would greatly aid in debugging the issue. Generating a .har file is easily done using Chrome or Edge and both are documented on the web.
Dec 03 2019 12:37 PM
If you are willing to capture the repro in a .har file I will do my best to get the failure diagnosed and understood.
Dec 05 2019 10:40 AM
To all using CredSSP with a service mode gateway there is one more thing you must do to make it work -- when making a connection to a server please check the “Use these credentials for all connections” check box on the manage as credential dialog.
The design of CredSSP in service mode relies upon there being cached credentials available in the browser. We will be taking a look at this decision and the subtle behavior of needing to check that check box in the credential dialog to make it work properly.
Dec 12 2019 08:41 PM
I was able to capture a .har in Chrome and I sent it to you in a private message. Thanks!
Nov 17 2020 08:07 AM
Nov 17 2020 08:15 AM
@Timo_Menger I never heard back from Microsoft. The Updates feature still does not work for me in WAC even after upgrading to this year's update.
Nov 17 2020 08:27 AM
Nov 17 2020 10:15 AM