Cluster Update asking to enable CredSSP


I installed Windows Admin Center, it's great and working fine, but one of the things it advises me to do is to turn off CredSSP on servers, but when I use the Updates link on the cluster page, it tells me that it needs to turn on CredSSP. Is this a must? Or is there another way?

42 Replies

@Haribo 

 

Thanks for confirming service mode.  We are currently changing how the JEA endpoint that we use to configure CredSSP client on the gateway is configured to fix the issues reported.  One of the design goals was to not require that every user of the Windows Admin Center needed to be an administrator of the gateway host server to configure CredSSP.

 

Is it possible to use desktop mode until the service mode fixes are available?  Desktop mode seems to be working more reliably...  If you try desktop mode and have problems please let me know.

@Kelly Menzel 

 

Are you running the Admin Center gateway in service mode on a server or in desktop mode on a client machine? 

 

If you are running in service mode there are known issues with how we implemented CredSSP configuration of the gateway. We are currently fixing those issues and will have a new release soon.

 

If you are running desktop mode and having issues can you reply with the results from Get-ExecutionPolicy?

@galenb 

The WAC gateway is running as a service on a Windows Server 2019 virtual machine. I will try running it on my workstation in desktop mode to get the diagnostics information. I didn't think about trying that.

Same issue here - following. Using 1909 v1.2.1909.03002 on a guest VM (gateway), WinRM over HTTPS, Hyper-V 2019 Cluster, and I haven't configured Kerberos for SSO yet.

@Paul Youngberg 

 

Paul, can you be more specific about the error you are seeing with your 1909 server mode gateway?

@galenb 

First I log in to WAC, then I Manage the Hyper-V cluster, then I click "Updates"

2019-10-18 12_47_31-Updates - Cluster Manager - Windows Admin Center.png

After 30 seconds or so I get this

2019-10-18 12_47_47-Updates - Cluster Manager - Windows Admin Center.png

WinRM over HTTPS is working fine for the cluster and two hosts in the cluster. Is it trying to talk to other guest VMs managed by the cluster/hosts as well?

@Paul Youngberg 

 

You are using WinRM over HTTP on your service mode gateway -- correct?

@galenb WinRM over HTTPS on my service mode gateway. Firewall rules are in place, even ran 'enable-psremoting -force' and 'Register-PSSessionConfiguration -Name Microsoft.PowerShell -Force' for good measure. No luck.

@Paul Youngberg 

 

Thanks for confirming.  I will need to look into this.

@galenb thanks - also to clarify, we're not blocking WinRM over HTTP requests either. Ports are open for both.

Hi @galenb,

 

Any update on this? Got exactly this issue and identical to what others have reported here. 

 

Deploying WAC as the primary admin method for a new Azure Stack HCI deployment for a client and just cannot get past this CredSSP issue... Delegation seems fine other than updates and diagnostics.

 

Thanks

@stevehootwork 

 

For us, upgrading to version 1910 (Build 1.2.1910.31005) resolved the CredSSP issue. However, we wanted to use this for the Updates feature, especially cluster-aware updates on our HCI. Now, when we click "Updates" from the Tools side menu in WAC, CredSSP passes and we're prompted with a "Let's get you set up" message. It says,

 

To continue, we need to set up a few things:

  • If Windows Firewall is in use on the cluster nodes, this tool will automatically enable Windows Firewall rules needed on each cluster node to allow remote restarts during updating. This is required to update this cluster.
  • If the Cluster-Aware Updating role is not present, it will be added.

When you click "Go for it" it immediately fails with an error notification that reads:

 

Failed to configure cluster aware update role to the cluster. Error: (1) RemoteException: Unable to validate that the cluster supports the Cluster-Aware Updating role. An unknown validation error occurred on node "corp-hci-01". Additional information: (ClusterUpdateException) Failed to run script "Validation Script": (PSRemotingTransportException) Connecting to remote server corp-hci-01 failed with the following error message : The WinRM client sent a request to an HTTP server and got a response saying the requested HTTP URL was not available. This is usually returned by a HTTP server that does not support the WS-Management protocol. For more information, see the about_Remote_Troubleshooting Help topic. ==> (PSRemotingTransportException) Connecting to remote server corp-hci-01 failed with the following error message : The WinRM client sent a request to an HTTP server and got a response saying the requested HTTP URL was not available. This is usually returned by a HTTP server that does not support the WS-Management protocol. For more information, see the about_Remote_Troubleshooting Help topic. (2) RemoteException: Validation failed for adding CAU cluster role.

 

So I'm pretty much done with caring about it. It's super frustrating that Microsoft's software is so incomplete. I wonder if any of their products go through testing. Our HCI setup is completely standard and out-of-the-box. We purchased it through a certified hardware reseller. And basic features haven't worked.

@stevehootwork 

 

Desktop or Service mode gateway? Which version of Windows Admin Center are you using? Versions prior to 1910 were broken for CredSSP in Service mode.

 

Getting a .har file that captures the failure would greatly aid in debugging the issue.  Generating a .har file is easily done using Chrome or Edge and both are documented on the web.

@Kelly Menzel 

 

If you are willing to capture the repro in a .har file I will do my best to get the failure diagnosed and understood.

@Kelly Menzel 

To all using CredSSP with a service mode gateway there is one more thing you must do to make it work -- when making a connection to a server please check the “Use these credentials for all connections” check box on the manage as credential dialog.

 

The design of CredSSP in service mode relies upon there being cached credentials available in the browser.  We will be taking a look at this decision and the subtle behavior of needing to check that check box in the credential dialog to make it work properly.

I was able to capture a .har in Chrome and I sent it to you in a private message. Thanks!

Is there any update or solution regarding this issue? I'm also not able to do cluster updates or to check my cluster, because of several CredSSP errors. Additionally, I can't find the mentioned local group "Windows Admin Center CredSSP Admins". It doesn't exist on the gateway server.
Thanks in advance.

@Timo_Menger I never heard back from Microsoft. The Updates feature still does not work for me in WAC even after upgrading to this year's update.

Great ;)
Does cluster check work for you within WAC?
Where do I find the local group "Windows Admin Center CredSSP Admins"? It doesn't exist at my gateway server?
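
A read-only check of the CredSSP state discussed in this thread, as an added example that is not part of any post above and is not Windows Admin Center's own code. It assumes an elevated Windows PowerShell 5.1 session on the gateway host and a node list you supply; `corp-hci-01` is the node name from the quoted error, and the group name is the one mentioned in the replies.

```powershell
# Added example: report CredSSP state on the WAC gateway and on each cluster node.
# Nothing is changed; the script only reads WSMan settings, policy and local groups.
# Assumptions: $Nodes is your own list of cluster nodes. For HTTPS-only WinRM
# listeners, add -UseSSL to the Invoke-Command call below.
$Nodes     = @('corp-hci-01')
$GroupName = 'Windows Admin Center CredSSP Admins'

# Gateway side: is the CredSSP client role on, and to which targets may it delegate?
$clientOn = (Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value
$policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
$targets  = @()
if (Test-Path $policy) {
    $key     = Get-Item $policy
    $targets = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
}
$group = Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue

[pscustomobject]@{
    Gateway           = $env:COMPUTERNAME
    CredSSPClient     = $clientOn
    DelegationTargets = $targets -join ', '
    # A wildcard target lets the gateway delegate credentials to any matching host
    WildcardTarget    = @($targets -match '\*').Count -gt 0
    CredSSPAdminGroup = [bool]$group
} | Format-List

# Node side: a node reporting 'true' accepts delegated credentials over WinRM.
# Outside an update window, that is the setting WAC advises turning off.
$results = foreach ($node in $Nodes) {
    try {
        $value = Invoke-Command -ComputerName $node -ErrorAction Stop -ScriptBlock {
            (Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value
        }
        [pscustomobject]@{ Node = $node; CredSSPService = $value; Error = $null }
    }
    catch {
        # Unreachable nodes are reported rather than skipped, so gaps stay visible
        [pscustomobject]@{ Node = $node; CredSSPService = 'unknown'; Error = $_.Exception.Message }
    }
}
$results | Format-Table -AutoSize -Wrap
```

Running it before and after using the Updates tool shows whether CredSSP was left enabled on the gateway or on any node once the update run finished.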