Konstantinos N. Chionas
Copper Contributor
Oct 15, 2018

Cluster Update asking to enable CredSSP

I installed Windows Admin Center. It's great and working fine, but one of the things it advises me to do is to turn off CredSSP on servers. When I use the Updates link on the cluster page, though, it tells me that it needs to turn on CredSSP. Is this a must, or is there another way?

  • DavidG_Adm
    Copper Contributor
    Same setup, trying to connect to the Update link of an HCI cluster via WAC, and I have the same error:
    “Error: Couldn't enable CredSSP delegation. Error: This operation was blocked by role-based access control settings.”

    WAC installed as gateway on a Windows Server 2019
    WAC version: 2211, Build: 1.4.2212.08003

    Was there any update on that issue?
    • Tomek990
      Copper Contributor

      More than 4 years have passed and this still doesn't work. How come we are forced to pay for Enterprise licences only to end up in this forum?

  • Timo_Menger
    Copper Contributor
    Is there any update or solution regarding this issue? I'm also not able to do cluster updates or to check my cluster because of several CredSSP errors. Additionally, I can't find the mentioned local group "Windows Admin Center CredSSP Admins". It doesn't exist on the gateway server.
    Thanks in advance.
    • Kelly Menzel
      Copper Contributor

      Timo_Menger I never heard back from Microsoft. The Updates feature still does not work for me in WAC, even after upgrading to this year's update.

      • Timo_Menger
        Copper Contributor
        Great 😉
        Does cluster check work for you within WAC?
  • Same issue here - following. Using 1909 v1.2.1909.03002 on a guest VM (gateway), WinRM over HTTPS, Hyper-V 2019 Cluster, and I haven't configured Kerberos for SSO yet.

    • galenb
      Microsoft

      Paul Youngberg

      Paul, can you be more specific about the error you are seeing with your 1909 server mode gateway?

      • Paul Youngberg
        Steel Contributor

        galenb

        First I log in to WAC, then I manage the Hyper-V cluster, then I click "Updates".

        After 30 seconds or so I get this

        WinRM over HTTPS is working fine for the cluster and two hosts in the cluster. Is it trying to talk to other guest VMs managed by the cluster/hosts as well?

  • Aric Bernard
    Copper Contributor

    Same issue. All nodes in cluster running WS2019 (March Update). WAC version is 1907 build 1.2.1906.28002.

    • JRoosen
      Copper Contributor

      Same issue here. It would be nice if there was an official guide to make this work. The way I am trying to set it up is to have a centralized WAC VM running 2019 with the latest extension versions, and we all connect to it from our respective Windows 10 clients. I am trying to use the Diagnostics module 1.1.10 the Hyper-Converged Cluster Manager to connect to an S2D 2019 cluster. While the module installs fine, the problem comes up in notifications of the following:

      Error
      Enable delegation
      Source - Go to Diagnostics
      Type: Error
      Message: The workflow to enable CredSSP has been completed, but there was an error. Exception: This operation was blocked by role based access control settings

      The user I am trying to use is in the local "Windows Admin Center CredSSP Admins" group on the WAC, and the `enable-wsmancredssp -role client -delegatecomputer (nodes)` has been completed successfully. I even added it to the SDDC instances and failover cluster instance FQDNs. Still does the same thing every time.


      • Haribo
        Copper Contributor

        I'm having the same issue. It says access is blocked based on the RBAC settings, but the thing is, I don't even have RBAC enabled since this is a lab.

  • rnebular
    Copper Contributor

    galenb I also have this issue. Set up a brand new WAC server on Windows 2019. Added a cluster and all 3 nodes to WAC. On the WAC gateway machine, ran the "Enable-WSManCredSSP" command to all three nodes. Output says "true" for all after it runs. On the gateway machine, when I run "Get-WSManCredSSP" on it, I get:
    ```
    The machine is not configured to allow delegating fresh credentials.
    This computer is configured to receive credentials from a remote client computer.
    ```

    I have verified that my userID is in the group mentioned for "WAC CredSSP Admins" as well.

    Any other ideas?

  • Reng Kwan
    Brass Contributor

    Same here. I have been on every single version of WAC for my cluster. Ever since I upgraded to 1902, it has been broken!

    Just upgraded to WAC 1906, same problem!

    Why can't someone just design an error message that is human-understandable and suggests an action to be able to fix it?

    Enabling CredSSP Delegation
    10:38:34 PM
    Type: Error
    Message: Couldn't determine if the current user is a member of the Windows Admin Center CredSSP Administrators group. Error: Connecting to remote server wac1 failed with the following error message : The WS-Management service cannot process the request. Cannot find the microsoft.sme.powershell session configuration in the WSMan: drive on the wac1 computer. For more information, see the about_Remote_Troubleshooting Help topic.

    • Kelly Menzel
      Copper Contributor

      Reng Kwan

      WAC is a never-ending battle for us, it seems.

      We too were receiving the error, "Couldn't determine if the current user is a member of the Windows Admin Center CredSSP Administrators group. Error: Connecting to remote server wac1 failed with the following error message : The WS-Management service cannot process the request. Cannot find the microsoft.sme.powershell session configuration in the WSMan: drive on the wac1 computer. For more information, see the about_Remote_Troubleshooting Help topic."

      We had this problem when we tried to use the HCI Updates and Diagnostics features, two features that rely on CredSSP, as well as when we tried to connect to the WAC server (itself) via Computer Management in WAC.

      We tracked this down to having IPv6 enabled. When we ran `Disable-NetAdapterBinding -InterfaceAlias Ethernet -ComponentID ms_tcpip6`, we could connect to the server.

      However, after spending 6 hours figuring that out, we still couldn't use the HCI Updates and Diagnostics features (which we need because our HCI cluster also doesn't work correctly and we need to use Diagnostics to troubleshoot it). Now we're getting a different error, "The workflow to enable CredSSP has been completed, but there was an error. Exception: This operation was blocked by role based access control settings."

      So I've kind of given up. There is even less I can find online for this problem. And this is the only posting I've found.

      • galenb
        Microsoft

        Kelly Menzel

        Are you running the Admin Center gateway in service mode on a server or in desktop mode on a client machine?

        If you are running in service mode, there are known issues with how we implemented CredSSP configuration of the gateway. We are currently fixing those issues and will have a new release soon.

        If you are running desktop mode and having issues, can you reply with the results from `Get-ExecutionPolicy`?

  • Yes, CredSSP is required for the update tool in either Failover or Hyper-Converged cluster manager.
      • Jeff Woolslayer
        Microsoft

        Hi Paul_Westervelt! I see you reached out via email as well. Someone should get back to you on that thread soon.

        The gist of it is that WAC should handle all the CredSSP configuration automatically. As a user, you shouldn't have to do anything (other than consent).
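
Added example, not part of any post in this thread and not Microsoft's code: a read-only PowerShell report of the items posters above checked by hand (CredSSP client and service state, delegation targets, the local CredSSP group, and the `microsoft.sme.powershell` session configuration), useful for confirming CredSSP is off again after an update run. The function name, the group-name pattern and the policy registry path are assumptions of this example; run it elevated on the gateway or on a cluster node.

```powershell
#Requires -RunAsAdministrator
# Added example (hypothetical function name): reports CredSSP state, changes nothing.
function Get-CredSspState {
    [CmdletBinding()]
    param(
        # Group name as quoted in the thread; posters report it may not exist.
        [string]$GroupPattern = 'Windows Admin Center CredSSP*',
        # Session configuration named in the error message quoted in the thread.
        [string]$SessionConfig = 'microsoft.sme.powershell'
    )

    # "true"/"false" switches behind Enable-/Disable-WSManCredSSP
    $client  = (Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value
    $service = (Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value

    # Assumption: the client role stores its WSMAN/<host> targets under this policy key.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
    $targets = @()
    if (Test-Path $key) {
        $targets = @((Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { [string]$_.Value })
    }

    # Local groups matching the name from the thread, with their members
    $groups  = @(Get-LocalGroup | Where-Object Name -like $GroupPattern)
    $members = foreach ($g in $groups) {
        Get-LocalGroupMember -Group $g | ForEach-Object { '{0}: {1}' -f $g.Name, $_.Name }
    }

    $endpoint = Get-PSSessionConfiguration -Name $SessionConfig -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        ClientCredSSP       = $client
        ServiceCredSSP      = $service
        DelegationTargets   = $targets
        # A wildcard target delegates fresh credentials to any matching host
        WildcardDelegation  = @($targets -match '\*').Count -gt 0
        CredSspGroupsFound  = $groups.Name
        CredSspGroupMembers = @($members)
        SessionConfigFound  = [bool]$endpoint
    }
}

Get-CredSspState | Format-List
```

If `ClientCredSSP` or `ServiceCredSSP` still reads `true` once updates have finished, `Disable-WSManCredSSP -Role Client` and `Disable-WSManCredSSP -Role Server` turn the respective role off again.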
