Home

Cluster Update asking to enable CredSSP

%3CLINGO-SUB%20id%3D%22lingo-sub-271352%22%20slang%3D%22en-US%22%3ECluster%20Update%20asking%20to%20enable%20CredSSP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-271352%22%20slang%3D%22en-US%22%3E%3CP%3EI%20installed%20Windows%20Admin%20Center%2C%20its%20great%20and%20working%20fine%2C%20but%20one%20of%20the%20things%20it%20advises%20me%20to%20do%20is%20to%20turn%20off%20CredSSP%20on%20servers%2C%20but%20when%20I%20use%20the%20Updates%20link%20on%20cluster%20page%2C%20it%20tells%20me%20that%20it%20needs%20to%20turn%20on%20CredSSP%2C%20is%20this%20a%20must%3F%20Or%20there%20is%20another%20way%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-401456%22%20slang%3D%22en-US%22%3ERe%3A%20RE%3A%20Cluster%20Update%20asking%20to%20enable%20CredSSP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-401456%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F57259%22%20target%3D%22_blank%22%3E%40Jeff%20Woolslayer%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EDo%20you%20have%20a%20procedure%20to%20enable%20the%20CredSSP%20options%20to%20allow%20Windows%20Admin%20Center%20to%20process%20cluster%20updates%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-308206%22%20slang%3D%22en-US%22%3ERE%3A%20Cluster%20Update%20asking%20to%20enable%20CredSSP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-308206%22%20slang%3D%22en-US%22%3EYes%2C%20CredSSP%20is%20required%20for%20the%20update%20tool%20in%20either%20Failover%20or%20Hyper-Converged%20cluster%20manager.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-412081%22%20slang%3D%22en-US%22%3ERe%3A%20RE%3A%20Cluster%20Update%20asking%20to%20enable%20CredSSP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-412081%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F190995%22%20target%3D%22_blank%22%3E%40Paul%20Westervelt%3C%2FA%3E!%20I%20see%20you%20reached%20out%20via%20email%20as%20well.%20Someone%20should%20get%20back%20to%20you%20on%20that%20thread%20soon.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20gist%20of%20it%20is%20that%20WAC%20should%20handle%20all%20the%20CredSSP%20configuration%20automatically.%20As%20a%20user%2C%20you%20shouldn't%20have%20to%20do%20anything%20(other%20than%20consent.)%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-504522%22%20slang%3D%22en-US%22%3ERe%3A%20RE%3A%20Cluster%20Update%20asking%20to%20enable%20CredSSP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-504522%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F57259%22%20target%3D%22_blank%22%3E%40Jeff%20Woolslayer%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20think%20I%22m%20seeing%20a%20similar%20issue.%26nbsp%3B%20credssp%20is%20simply%20not%20turning%20on%20automatically.%26nbsp%3B%20I%20get%20an%20error%20in%20WAC%20when%20I%20try%20and%20do%20updates%20or%20diagnostics%20stating%20%22%3CSPAN%3EThe%20workflow%20to%20enable%20CredSSP%20has%20been%20completed%2C%20but%20there%20was%20an%20error.%20Exception%3A%20This%20operation%20was%20blocked%20by%20role%20based%20access%20control%20settings%22%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERBAC%20was%20off%20originally%2C%20but%20I%20tried%20turning%20it%20on%20(and%20adding%20my%20user%20to%20the%20admin%20list)%20and%20then%20turned%20it%20off%2C%20and%20neither%20way%20worked.%26nbsp%3B%20I%20even%20tried%20loggined%20into%20each%20server%20and%20running%26nbsp%3B%26nbsp%3B%3CSPAN%3EEnable-WSManCredSSP%20-role%20server%20in%20powershell%20and%20that%20showed%20that%20it%20was%20enabled%2C%20but%20the%20updates%20and%20diagnostics%20still%20came%20back%20with%20the%20same%20error.%26nbsp%3B%20I%22m%20running%20v1904%20build%201.2.1904.11004%20on%20a%20windows%202019%20server%20that%20I%22m%20connecting%20to%20with%20a%20windows10%20desktop%20and%20trying%20to%20manage%20a%20S2D%20hyperconvered%20cluster%20running%202019.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-505289%22%20slang%3D%22en-US%22%3ERe%3A%20RE%3A%20Cluster%20Update%20asking%20to%20enable%20CredSSP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-505289%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F330610%22%20target%3D%22_blank%22%3E%40oikjn%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECan%20you%20tell%20me%20a%20little%20more%20about%20your%20desktop%2Fgateway%20machine%3F%26nbsp%3B%20There%20is%20a%20local%20group%20called%20%22Windows%20Admin%20Center%20CredSSP%20Admins%22%20--%20can%20you%20tell%20me%20if%20your%20identity%20is%20a%20member%20of%20this%20group%3F%26nbsp%3B%20Can%20you%20tell%20me%20which%20locale%20you%20are%20using%20on%20this%20machine%3F%26nbsp%3B%20And%20--%20can%20you%20run%20the%20following%20command%20in%20an%20elevated%20PowerShell%20console%20on%20this%20machine%20and%20reply%20with%20the%20results%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EEnable-WSManCredSSP%20-%20Role%20Client%20-DelegateComputer%20%3CTHE%20fqdn%3D%22%22%20of%3D%22%22%20one%3D%22%22%20of%3D%22%22%20the%3D%22%22%20cluster%3D%22%22%20nodes%3D%22%22%3E%3C%2FTHE%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECheers!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EGalen%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-567888%22%20slang%3D%22en-US%22%3ERe%3A%20RE%3A%20Cluster%20Update%20asking%20to%20enable%20CredSSP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-567888%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F330717%22%20target%3D%22_blank%22%3E%40galenb%3C%2FA%3E%20I%20have%20the%20same%20problem%2C%20I%20run%20the%20comand%20and%20this%20is%20the%20result.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3Ecfg%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3A%20%3CA%20href%3D%22http%3A%2F%2Fschemas.microsoft.com%2Fwbem%2Fwsman%2F1%2Fconfig%2Fclient%2Fauth%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fschemas.microsoft.com%2Fwbem%2Fwsman%2F1%2Fconfig%2Fclient%2Fauth%3C%2FA%3E%3CBR%20%2F%3Elang%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3A%20en-US%3CBR%20%2F%3EBasic%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3A%20true%3CBR%20%2F%3EDigest%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3A%20true%3CBR%20%2F%3EKerberos%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3A%20true%3CBR%20%2F%3ENegotiate%26nbsp%3B%26nbsp%3B%20%3A%20true%3CBR%20%2F%3ECertificate%20%3A%20true%3CBR%20%2F%3ECredSSP%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3A%20true%3C%2FFONT%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-633336%22%20slang%3D%22en-US%22%3ERe%3A%20RE%3A%20Cluster%20Update%20asking%20to%20enable%20CredSSP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-633336%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F330717%22%20target%3D%22_blank%22%3E%40galenb%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20too%20have%20the%20same%20issues%20and%20get%20the%20same%20return%20after%20setting%20up%20each%20node%20in%20one%20of%20our%20clusters%3A%3C%2FP%3E%3CBLOCKQUOTE%3E%3CH6%20id%3D%22toc-hId-916057590%22%20id%3D%22toc-hId-916057590%22%20id%3D%22toc-hId-916057590%22%20id%3D%22toc-hId-916057590%22%20id%3D%22toc-hId-916057590%22%20id%3D%22toc-hId-916057590%22%20id%3D%22toc-hId-916057590%22%20id%3D%22toc-hId-916057590%22%20id%3D%22toc-hId-916057590%22%20id%3D%22toc-hId-916057590%22%20id%3D%22toc-hId-916057590%22%20id%3D%22toc-hId-916057590%22%20id%3D%22toc-hId-916057590%22%20id%3D%22toc-hId-916057590%22%20id%3D%22toc-hId-916057590%22%20id%3D%22toc-hId-916057590%22%20id%3D%22toc-hId-916057590%22%20id%3D%22toc-hId-916057590%22%20id%3D%22toc-hId-916057590%22%20id%3D%22toc-hId-916057590%22%20id%3D%22toc-hId-916057590%22%20id%3D%22toc-hId-916057590%22%20id%3D%22toc-hId-916057590%22%20id%3D%22toc-hId-916057590%22%20id%3D%22toc-hId-916057590%22%20id%3D%22toc-hId-916057590%22%20id%3D%22toc-hId-916057590%22%20id%3D%22toc-hId-916057590%22%20id%3D%22toc-hId-916057590%22%20id%3D%22toc-hId-916057590%22%20id%3D%22toc-hId-916057590%22%20id%3D%22toc-hId-916057590%22%20id%3D%22toc-hId-916057590%22%20id%3D%22toc-hId-916057590%22%20id%3D%22toc-hId-916057590%22%3Ecfg%20%3A%20%3CA%20href%3D%22http%3A%2F%2Fschemas.microsoft.com%2Fwbem%2Fwsman%2F1%2Fconfig%2Fclient%2Fauth%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fschemas.microsoft.com%2Fwbem%2Fwsman%2F1%2Fconfig%2Fclient%2Fauth%3C%2FA%3E%3CBR%20%2F%3Elang%20%3A%20en-US%3CBR%20%2F%3EBasic%20%3A%20true%3CBR%20%2F%3EDigest%20%3A%20true%3CBR%20%2F%3EKerberos%20%3A%20true%3CBR%20%2F%3ENegotiate%20%3A%20true%3CBR%20%2F%3ECertificate%20%3A%20true%3CBR%20%2F%3ECredSSP%20%3A%20true%3C%2FH6%3E%3C%2FBLOCKQUOTE%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-645336%22%20slang%3D%22en-US%22%3ERe%3A%20RE%3A%20Cluster%20Update%20asking%20to%20enable%20CredSSP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-645336%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F137963%22%20target%3D%22_blank%22%3E%40John%20Barreto%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%2C%20what%20about%20the%20other%20questions%20I%20asked%3F%26nbsp%3B%20Also%2C%20can%20I%20have%20the%20output%20from%20Get-WSManCredSSP%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAlso%20service%20mode%20or%20desktop%20mode%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-645337%22%20slang%3D%22en-US%22%3ERe%3A%20RE%3A%20Cluster%20Update%20asking%20to%20enable%20CredSSP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-645337%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F346572%22%20target%3D%22_blank%22%3E%40tcook37402%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECan%20you%20look%20at%20my%20reply%20to%20John%20Barreto%3F%26nbsp%3B%20I%20have%20the%20same%20question%20for%20you%20too...%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-673666%22%20slang%3D%22en-US%22%3ERe%3A%20RE%3A%20Cluster%20Update%20asking%20to%20enable%20CredSSP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-673666%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F330717%22%20target%3D%22_blank%22%3E%40galenb%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnother%20me%20too.%26nbsp%3B%20%26nbsp%3BWe%20run%20Enable-WSManCredSSP%20on%20all%204%20nodes%20and%20get%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3Ecfg%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3A%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22http%3A%2F%2Fschemas.microsoft.com%2Fwbem%2Fwsman%2F1%2Fconfig%2Fclient%2Fauth%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fschemas.microsoft.com%2Fwbem%2Fwsman%2F1%2Fconfig%2Fclient%2Fauth%3C%2FA%3E%3CBR%20%2F%3E%3CSPAN%3Elang%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3A%20en-US%3C%2FSPAN%3E%3CBR%20%2F%3E%3CSPAN%3EBasic%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3A%20true%3C%2FSPAN%3E%3CBR%20%2F%3E%3CSPAN%3EDigest%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3A%20true%3C%2FSPAN%3E%3CBR%20%2F%3E%3CSPAN%3EKerberos%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3A%20true%3C%2FSPAN%3E%3CBR%20%2F%3E%3CSPAN%3ENegotiate%26nbsp%3B%26nbsp%3B%20%3A%20true%3C%2FSPAN%3E%3CBR%20%2F%3E%3CSPAN%3ECertificate%20%3A%20true%3C%2FSPAN%3E%3CBR%20%2F%3E%3CSPAN%3ECredSSP%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3A%20true%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EWe%20are%20trying%20to%20use%20the%20Windows%20Admin%20Centre%20Update%20tool%20but%20can%20not%20get%20beyond%20the%20%22The%20workflow%20to%20enable%20CredSSP%20has%20been%20completed%2C%20but%20there%20was%20an%20error.%20Exception%3A%20This%20operation%20was%20blocked%20by%20role%20based%20access%20control%20settings%22.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EEach%20node%20has%20RBAC%20applied%20and%20CredSSP%20is%20enabled%20and%20showing%20its%20orange%20badge.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EHope%20someone%20has%20some%20suggestions.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-678429%22%20slang%3D%22en-US%22%3ERe%3A%20RE%3A%20Cluster%20Update%20asking%20to%20enable%20CredSSP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-678429%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F330717%22%20target%3D%22_blank%22%3E%40galenb%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Esorry%20I%20didn't%20see%20the%20notice%20of%20the%20reply%20from%20you.%26nbsp%3B%20I%20have%20a%202019%20server%20VM%20setup%20to%20run%20WAC%20and%20connect%20to%20that%20through%20my%20desktop.%26nbsp%3B%20I%20am%20logging%20in%20on%20the%20WAC%20webpage%20as%20a%20domain%20administrator%20account.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Emy%20desktop%20doesn't%20have%20the%20group%20you%20mentioned%2C%20but%20the%20WAC%20computer%20does%20and%20the%20admin%20account%20I%20use%20is%20listed%20in%20it.%26nbsp%3B%20I%20ran%20the%20command%20you%20asked%20on%20the%20WAC%20computer%20and%20tried%20again%20and%20still%20have%20the%20same%20error.%26nbsp%3B%20I%20did%20it%20for%20both%20nodes%20of%20the%20cluster%20and%20both%20came%20back%20with%20basic%2Fdigest%2Fdeberos%2Fnegotiate%2Fcertificate%2Fcredssp%20all%20equal%20to%20true%20and%20cfg%3A%3CA%20href%3D%22http%3A%2F%2Fschemas.microsoft.com%2Fwbem%2Fwsman%2F1%2Fconfig%2Fclient%2Fauth%26nbsp%3B%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fschemas.microsoft.com%2Fwbem%2Fwsman%2F1%2Fconfig%2Fclient%2Fauth%26nbsp%3B%3C%2FA%3E%20(sorry...%20couldn't%20copy%2Fpast%20from%20VM%20console).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eedit%3A%26nbsp%3B%20I%20just%20updated%20to%201904.1%20and%20retried...%26nbsp%3B%20same%20results.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-710986%22%20slang%3D%22en-US%22%3ERe%3A%20Cluster%20Update%20asking%20to%20enable%20CredSSP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-710986%22%20slang%3D%22en-US%22%3E%3CP%3ESame%20here.%20i%20has%20been%20on%20every%20single%20version%20of%20WAC%20for%20my%20cluster.%20ever%20since%20upgraded%20to%201902%2C%20it%20has%20been%20broken!%26nbsp%3B%3C%2FP%3E%3CP%3Ejust%20upgraded%20to%20WAC1906%2C%20same%20problem!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhy%20cant%20just%20someone%20design%20error%20message%20that%20is%20human%20understandable%20and%20suggested%20action%20to%20be%20able%20to%20fix%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CDIV%20class%3D%22sme-arrange-stack-h%22%3E%3CP%20class%3D%22sme-position-flex-auto%20sme-arrange-overflow-hide-x%20sme-arrange-word-wrap-break-word%22%3EEnabling%20CredSSP%20Delegation%3C%2FP%3E%3C%2FDIV%3E%3CDIV%20class%3D%22sme-padding-left-lg%22%3E10%3A38%3A34%20PM%3CDIV%20class%3D%22sme-padding-top-md%22%3ESource%3CSPAN%20class%3D%22sme-layout-block%20sme-position-flex-auto%20sme-arrange-overflow-hide-x%20sme-arrange-word-wrap-break-word%22%3E%3CA%20href%3D%22https%3A%2F%2Fwac1%3A8443%2Fhciclustermanager%2Fconnections%2Fhcicluster%2Fs2dclus1.mas.tmone.com.my%2Ftools%2Fupdates%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EGo%20to%20Updates.%3C%2FA%3E%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%20class%3D%22sme-padding-top-md%22%3EType%3CP%3EError%3C%2FP%3E%3C%2FDIV%3E%3CDIV%20class%3D%22sme-padding-top-md%22%3EMessage%3CP%20class%3D%22sme-position-flex-auto%20sme-arrange-overflow-hide-x%20sme-arrange-word-wrap-break-word%22%3ECouldn't%20determine%20if%20the%20current%20user%20is%20a%20member%20of%20the%20Windows%20Admin%20Center%20CredSSP%20Administrators%20group.%20Error%3A%20Connecting%20to%20remote%20server%20wac1%20failed%20with%20the%20following%20error%20message%20%3A%20The%20WS-Management%20service%20cannot%20process%20the%20request.%20Cannot%20find%20the%20microsoft.sme.powershell%20session%20configuration%20in%20the%20WSMan%3A%20drive%20on%20the%20wac1%20computer.%20For%20more%20information%2C%20see%20the%20about_Remote_Troubleshooting%20Help%20topic.%3C%2FP%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-743572%22%20slang%3D%22en-US%22%3ERe%3A%20Cluster%20Update%20asking%20to%20enable%20CredSSP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-743572%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F330717%22%20target%3D%22_blank%22%3E%40galenb%3C%2FA%3E%26nbsp%3B%20I%20also%20have%20this%20issue.%20Setup%20brand%20new%20WAC%20server%20on%20Windows%202019.%20Added%20a%20cluster%20and%20all%203%20nodes%20to%20WAC.%20On%20the%20WAC%20gateway%20machine%2C%20ran%20the%20%22Enable-WSManCredSSP%22%20command%20to%20all%20three%20nodes.%20output%20says%20%22true%22%20for%20all%20after%20it%20runs.%20On%20the%20gateway%20machine%2C%20when%20I%20run%20%22Get-WSManCredSSP%22%20on%20it%2C%20I%20get%3A%3CBR%20%2F%3E%60%60%60%3CBR%20%2F%3EThe%20machine%20is%20not%20configured%20to%20allow%20delegating%20fresh%20credentials.%3CBR%20%2F%3EThis%20computer%20is%20configured%20to%20receive%20credentials%20from%20a%20remote%20client%20computer.%3CBR%20%2F%3E%60%60%60%3C%2FP%3E%3CP%3EI%20have%20verified%20that%20my%20userID%20is%20in%20the%20group%20mentioned%20for%20WAC%20CredSSP%20Admins%22%20as%20well.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20other%20ideas%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-780062%22%20slang%3D%22en-US%22%3ERe%3A%20Cluster%20Update%20asking%20to%20enable%20CredSSP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-780062%22%20slang%3D%22en-US%22%3E%3CP%3ESame%20issue.%26nbsp%3B%20All%20nodes%20in%20cluster%20running%20WS2019%20(March%20Update).%20WAC%20version%20is%201907%20build%201.2.1906.28002.%3C%2FP%3E%3CDIV%20class%3D%22sme-position-flex-auto%20sme-arrange-stack-v%22%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%20class%3D%22sme-position-flex-auto%20sme-arrange-stack-v%22%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-791063%22%20slang%3D%22en-US%22%3ERe%3A%20Cluster%20Update%20asking%20to%20enable%20CredSSP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-791063%22%20slang%3D%22en-US%22%3E%3CP%3ESame%20issue%20here.%20It%20would%20be%20nice%20if%20there%20was%20an%20official%20guide%20to%20make%20this%20work.%20The%20way%20I%20am%20trying%20to%20set%20it%20up%20is%20have%20a%20centralized%20WAC%20VM%20running%202019%20with%20the%20latest%20extension%20versions%20and%20we%20all%20connect%20to%20it%20from%20our%20respective%20Windows%2010%20clients.%20I%20am%20trying%20to%20use%20the%20Diagnostics%20module%201.1.10%20the%20Hyper-Converged%20Cluster%20Manager%20to%20connect%20to%20an%20S2D%202019%20cluster.%20While%20the%20module%20installs%20fine%2C%20the%20problem%20comes%20up%20in%20notifications%20of%20the%20following%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CDIV%20class%3D%22sme-arrange-stack-h%22%3E%3CDIV%20class%3D%22sme-position-flex-none%20sme-padding-right-xs%22%3E%3CP%20class%3D%22sme-screen-reader%22%3EError%3C%2FP%3E%3C%2FDIV%3E%3CP%20class%3D%22sme-position-flex-auto%20sme-arrange-overflow-hide-x%20sme-arrange-word-wrap-break-word%22%3EEnable%20delegation%3C%2FP%3E%3C%2FDIV%3E%3CDIV%20class%3D%22sme-padding-left-lg%22%3E%3CBR%20%2F%3E%3CDIV%20class%3D%22sme-padding-top-md%22%3ESource%20-%20Go%20to%20Diagnostics%3C%2FDIV%3E%3CDIV%20class%3D%22sme-padding-top-md%22%3EType%3CP%3EError%3C%2FP%3E%3C%2FDIV%3E%3CDIV%20class%3D%22sme-padding-top-md%22%3EMessage%3CP%20class%3D%22sme-position-flex-auto%20sme-arrange-overflow-hide-x%20sme-arrange-word-wrap-break-word%22%3EThe%20workflow%20to%20enable%20CredSSP%20has%20been%20completed%2C%20but%20there%20was%20an%20error.%20Exception%3A%20This%20operation%20was%20blocked%20by%20role%20based%20access%20control%20settings%22%3C%2FP%3E%3CP%20class%3D%22sme-position-flex-auto%20sme-arrange-overflow-hide-x%20sme-arrange-word-wrap-break-word%22%3E%26nbsp%3B%3C%2FP%3E%3CP%20class%3D%22sme-position-flex-auto%20sme-arrange-overflow-hide-x%20sme-arrange-word-wrap-break-word%22%3EThe%20user%20I%20am%20trying%20to%20use%20is%20in%20the%20local%20%22Windows%20Admin%20Center%20CredSSP%20Admins%22%20group%20on%20the%20WAC%20and%20the%20enable-wsmancredssp%20-role%20client%20-delegatecomputer%20(nodes)%20has%20been%20completed%20successfully.%20I%20even%20added%20it%20to%20the%20SDDC%20instances%20and%20failover%20cluster%20instance%20FQDNs.%20Still%20does%20the%20same%20thing%20every%20time.%3C%2FP%3E%3CP%20class%3D%22sme-position-flex-auto%20sme-arrange-overflow-hide-x%20sme-arrange-word-wrap-break-word%22%3E%26nbsp%3B%3C%2FP%3E%3CP%20class%3D%22sme-position-flex-auto%20sme-arrange-overflow-hide-x%20sme-arrange-word-wrap-break-word%22%3E%26nbsp%3B%3C%2FP%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-802214%22%20slang%3D%22en-US%22%3ERe%3A%20Cluster%20Update%20asking%20to%20enable%20CredSSP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-802214%22%20slang%3D%22en-US%22%3E%3CP%3EI'm%20having%20the%20same%20issue.%20It%20says%20access%20is%20blocked%20based%20on%20the%20RBAC%20settings%2C%20but%20the%20thing%20is%3B%20I%20don't%20even%20have%20RBAC%20enabled%20since%20this%20is%20a%20lab.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-808906%22%20slang%3D%22en-US%22%3ERe%3A%20Cluster%20Update%20asking%20to%20enable%20CredSSP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-808906%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F391401%22%20target%3D%22_blank%22%3E%40Haribo%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20need%20more%20info%20about%20your%20gateway%20setup...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDesktop%20or%20service%20mode%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20is%20the%20execution%20policy%20of%20you%20gateway%20machine%3F%26nbsp%3B%20RemoteSigned.%20AllSigned%2C%20etc...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAre%20your%20connections%20FQDN%20or%20IP%20addresses%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETIA!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EGalen%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-808942%22%20slang%3D%22en-US%22%3ERe%3A%20Cluster%20Update%20asking%20to%20enable%20CredSSP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-808942%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F78106%22%20target%3D%22_blank%22%3E%40Reng%20Kwan%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWAC%20is%20a%20never-ending%20battle%20for%20us%20it%20seems.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20too%20were%20receiving%20the%20error%2C%20%22%3CSPAN%3ECouldn't%20determine%20if%20the%20current%20user%20is%20a%20member%20of%20the%20Windows%20Admin%20Center%20CredSSP%20Administrators%20group.%20Error%3A%20Connecting%20to%20remote%20server%20wac1%20failed%20with%20the%20following%20error%20message%20%3A%20The%20WS-Management%20service%20cannot%20process%20the%20request.%20Cannot%20find%20the%20microsoft.sme.powershell%20session%20configuration%20in%20the%20WSMan%3A%20drive%20on%20the%20wac1%20computer.%20For%20more%20information%2C%20see%20the%20about_Remote_Troubleshooting%20Help%20topic.%22%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EWe%20had%20this%20problem%20when%20we%20tried%20to%20use%20the%20HCI%20Updates%20and%20Diagnostics%20features%2C%20two%20features%20that%20rely%20on%20CredSSP%2C%20as%20well%20as%20when%20we%20tried%20to%20connect%20to%20the%20WAC%20server%20(itself)%20via%20Computer%20Management%20in%20WAC.%26nbsp%3B%20%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EWe%20tracked%20this%20down%20to%20having%20IPv6%20enabled.%20When%20we%20ran%20%60Disable-NetAdapterBinding%20-InterfaceAlias%20Ethernet%20-ComponentID%20ms_tcpip6%60%20We%20could%20connect%20to%20the%20server.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EHowever%2C%20after%20spending%206%20hours%20figuring%20that%20out%2C%20we%20still%20couldn't%20use%20The%20HCI%20Updates%20and%20Diagnostics%20features%20(which%20we%20need%20because%20our%20HCI%20cluster%20also%20doesn't%20work%20correctly%20and%20we%20need%20to%20use%20Diagnostics%20to%20troubleshoot%20it).%20Now%20we're%20getting%20a%20different%20error%2C%20%22The%20workflow%20to%20enable%20CredSSP%20has%20been%20completed%2C%20but%20there%20was%20an%20error.%20Exception%3A%20This%20operation%20was%20blocked%20by%20role%20based%20access%20control%20settings.%22%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3ESo%20I've%20kind%20of%20given%20up.%20There%20is%20even%20less%20I%20can%20find%20online%20for%20this%20problem.%20And%20this%20is%20the%20only%20posting%20I've%20found.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-810369%22%20slang%3D%22en-US%22%3ERe%3A%20Cluster%20Update%20asking%20to%20enable%20CredSSP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-810369%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F330717%22%20target%3D%22_blank%22%3E%40galenb%3C%2FA%3E%26nbsp%3Brunning%20in%20service%20mode%20on%20one%20of%20the%20cluster%20nodes.%20ExecutionPolicy%20was%20not%20changed%20from%20what%20it%20is%20by%20default.%20Connections%20were%20FQDN.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-816228%22%20slang%3D%22en-US%22%3ERe%3A%20Cluster%20Update%20asking%20to%20enable%20CredSSP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-816228%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F391401%22%20target%3D%22_blank%22%3E%40Haribo%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20for%20confirming%20service%20mode.%26nbsp%3B%20We%20are%20currently%20changing%20how%20the%20JEA%20endpoint%20that%20we%20use%20to%20configure%20CredSSP%20client%20on%20the%20gateway%20is%20configured%20to%20fix%20the%20issues%20reported.%26nbsp%3B%20One%20of%20the%20design%20goals%20was%20to%20not%20require%20that%20every%20user%20of%20the%20Windows%20Admin%20Center%20needed%20to%20be%20an%20administrator%20of%20the%20gateway%20host%20server%20to%20configure%20CredSSP.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20it%20possible%20to%20use%20desktop%20mode%20until%20the%20service%20mode%20fixes%20are%20available%3F%26nbsp%3B%20Desktop%20mode%20seems%20to%20be%20working%20more%20reliably...%26nbsp%3B%20If%20you%20try%20desktop%20mode%20and%20have%20problems%20please%20let%20me%20know.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-816229%22%20slang%3D%22en-US%22%3ERe%3A%20Cluster%20Update%20asking%20to%20enable%20CredSSP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-816229%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F216586%22%20target%3D%22_blank%22%3E%40Kelly%20Menzel%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAre%20you%20running%20the%20Admin%20Center%20gateway%20in%20service%20mode%20on%20a%20server%20or%20in%20desktop%20mode%20on%20a%20client%20machine%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20you%20are%20running%20in%20service%20mode%20there%20are%20known%20issues%20with%20how%20implemented%20CredSSP%20configuration%20of%20the%20gateway.%26nbsp%3B%20We%20are%20currently%20fixing%20those%20issues%20and%20will%20have%20a%20new%20release%20soon.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20you%20are%20running%20desktop%20mode%20and%20having%20issues%20can%20you%20reply%20with%20the%20results%20from%20Get-ExecutionPolicy%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-816256%22%20slang%3D%22en-US%22%3ERe%3A%20Cluster%20Update%20asking%20to%20enable%20CredSSP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-816256%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F330717%22%20target%3D%22_blank%22%3E%40galenb%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20WAC%20gateway%20is%20running%20as%20a%20service%20on%20a%20Windows%20Server%202019%20virtual%20machine.%20I%20will%20try%20running%20it%20on%20my%20workstation%20in%20desktop%20mode%20to%20get%20the%20diagnostics%20information.%20I%20didn't%20think%20about%20trying%20that.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-909584%22%20slang%3D%22en-US%22%3ERe%3A%20Cluster%20Update%20asking%20to%20enable%20CredSSP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-909584%22%20slang%3D%22en-US%22%3E%3CP%3ESame%20issue%20here%20-%20following.%20Using%201909%20v1.2.1909.03002%20on%20a%20guest%20VM%20(gateway)%2C%20WinRM%20over%20HTTPS%2C%20Hyper-V%202019%20Cluster%2C%20and%20I%20haven't%20configured%20Kerberos%20for%20SSO%20yet.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-918925%22%20slang%3D%22en-US%22%3ERe%3A%20Cluster%20Update%20asking%20to%20enable%20CredSSP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-918925%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F27908%22%20target%3D%22_blank%22%3E%40Paul%20Youngberg%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPaul%2C%20can%20you%20be%20more%20specific%20about%20the%20error%20you%20are%20seeing%20with%20your%201909%20server%20mode%20gateway%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-918946%22%20slang%3D%22en-US%22%3ERe%3A%20Cluster%20Update%20asking%20to%20enable%20CredSSP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-918946%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F330717%22%20target%3D%22_blank%22%3E%40galenb%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFirst%20I%20log%20in%20to%20WAC%2C%20then%20I%20Manage%20the%20Hyper-V%20cluster%2C%20then%20I%20click%20%22Updates%22%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20375px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F138511i766947F89FF2D302%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%222019-10-18%2012_47_31-Updates%20-%20Cluster%20Manager%20-%20Windows%20Admin%20Center.png%22%20title%3D%222019-10-18%2012_47_31-Updates%20-%20Cluster%20Manager%20-%20Windows%20Admin%20Center.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EAfter%2030%20seconds%20or%20so%20I%20get%20this%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20261px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F138512iC858AABEA8C6147F%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%222019-10-18%2012_47_47-Updates%20-%20Cluster%20Manager%20-%20Windows%20Admin%20Center.png%22%20title%3D%222019-10-18%2012_47_47-Updates%20-%20Cluster%20Manager%20-%20Windows%20Admin%20Center.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EWinRM%20over%20HTTPS%20is%20working%20fine%20for%20the%20cluster%20and%20two%20hosts%20in%20the%20cluster.%20Is%20it%20trying%20to%20talk%20to%20other%20guest%20VMs%20managed%20by%20the%20cluster%2Fhosts%20as%20well%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-949041%22%20slang%3D%22en-US%22%3ERe%3A%20Cluster%20Update%20asking%20to%20enable%20CredSSP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-949041%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F27908%22%20target%3D%22_blank%22%3E%40Paul%20Youngberg%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYou%20are%20using%20WinRM%20over%20HTTP%20on%20your%20service%20mode%20gateway%20--%20correct%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-961142%22%20slang%3D%22en-US%22%3ERe%3A%20Cluster%20Update%20asking%20to%20enable%20CredSSP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-961142%22%20slang%3D%22en-US%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F330717%22%20target%3D%22_blank%22%3E%40galenb%3C%2FA%3E%20WinRM%20over%20HTTPS%20on%20my%20service%20mode%20gateway.%20Firewall%20rules%20are%20in%20place%2C%20even%20ran%20'enable-psremoting%20-force'%20and%20'Register-PSSessionConfiguration%20-Name%20Microsoft.PowerShell%20-Force'%20for%20good%20measure.%20No%20luck.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-996279%22%20slang%3D%22en-US%22%3ERe%3A%20Cluster%20Update%20asking%20to%20enable%20CredSSP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-996279%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F27908%22%20target%3D%22_blank%22%3E%40Paul%20Youngberg%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20for%20confirming.%26nbsp%3B%20I%20will%20need%20to%20look%20into%20this.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-996293%22%20slang%3D%22en-US%22%3ERe%3A%20Cluster%20Update%20asking%20to%20enable%20CredSSP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-996293%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F330717%22%20target%3D%22_blank%22%3E%40galenb%3C%2FA%3Ethanks%20-%20also%20to%20clarify%2C%20we're%20not%20blocking%20WinRM%20over%20HTTP%20requests%20either.%20Ports%20are%20open%20for%20both.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1020182%22%20slang%3D%22en-US%22%3ERe%3A%20Cluster%20Update%20asking%20to%20enable%20CredSSP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1020182%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F330717%22%20target%3D%22_blank%22%3E%40galenb%3C%2FA%3E%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20update%20on%20this%3F%20Got%20exactly%20this%20issue%20and%20identical%20to%20what%20others%20have%20reported%20here.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDeploying%20WAC%20as%20the%20primary%20admin%20method%20for%20a%20new%20Azure%20Stack%20HCI%20deployment%20for%20a%20client%20and%20just%20cannot%20get%20past%20this%20CredSSP%20issue...%20Delegation%20seems%20fine%20other%20than%20updates%20and%20diagnostics.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1020661%22%20slang%3D%22en-US%22%3ERe%3A%20Cluster%20Update%20asking%20to%20enable%20CredSSP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1020661%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F401146%22%20target%3D%22_blank%22%3E%40stevehootwork%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFor%20us%2C%20upgrading%20to%20version%201910%20(Build%201.2.1910.31005)%20resolved%20the%20CredSSP%20issue.%20However%2C%20we%20wanted%20to%20use%20this%20for%20the%20Updates%20feature%2C%20especially%20cluster-aware%20updates%20on%20our%20HCI.%20Now%2C%20when%20we%20click%20%22Updates%22%20from%20the%20Tools%20side%20menu%20in%20WAC%2C%20%3CSPAN%3ECredSSP%20%3C%2FSPAN%3E%3CSPAN%3Epasses%20and%20we're%20prompted%20with%20a%20%22Let's%20get%20you%20set%20up%22%20message.%20It%20says%2C%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETo%20continue%2C%20we%20need%20to%20set%20up%20a%20few%20things%3A%3C%2FP%3E%3CUL%3E%3CLI%3EIf%20Windows%20Firewall%20is%20in%20use%20on%20the%20cluster%20nodes%2C%20this%20tool%20will%20automatically%20enable%20Windows%20Firewall%20rules%20needed%20on%20each%20cluster%20node%20to%20allow%20remote%20restarts%20during%20updating.%20This%20is%20required%20to%20update%20this%20cluster.%3C%2FLI%3E%3CLI%3EIf%20the%20Cluster-Aware%20Updating%20role%20is%20not%20present%2C%20it%20will%20be%20added.%3C%2FLI%3E%3C%2FUL%3E%3CP%3EWhen%20you%20click%20%22Go%20for%20it%22%20it%20immediate%20fails%20with%20an%20error%20notification%20that%20reads%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CFONT%3EFailed%20to%20configure%20cluster%20aware%20update%20role%20to%20the%20cluster.%20Error%3A%20(1)%20RemoteException%3A%20Unable%20to%20validate%20that%20the%20cluster%20supports%20the%20Cluster-Aware%20Updating%20role.%20An%20unknown%20validation%20error%20occurred%20on%20node%20%22corp-hci-01%22.%20Additional%20information%3A%20(ClusterUpdateException)%20Failed%20to%20run%20script%20%22Validation%20Script%22%3A%20(PSRemotingTransportException)%20Connecting%20to%20remote%20server%20corp-hci-01%20failed%20with%20the%20following%20error%20message%20%3A%20The%20WinRM%20client%20sent%20a%20request%20to%20an%20HTTP%20server%20and%20got%20a%20response%20saying%20the%20requested%20HTTP%20URL%20was%20not%20available.%20This%20is%20usually%20returned%20by%20a%20HTTP%20server%20that%20does%20not%20support%20the%20WS-Management%20protocol.%20For%20more%20information%2C%20see%20the%20about_Remote_Troubleshooting%20Help%20topic.%20%3D%3D%26gt%3B%20(PSRemotingTransportException)%20Connecting%20to%20remote%20server%20corp-hci-01%20failed%20with%20the%20following%20error%20message%20%3A%20The%20WinRM%20client%20sent%20a%20request%20to%20an%20HTTP%20server%20and%20got%20a%20response%20saying%20the%20requested%20HTTP%20URL%20was%20not%20available.%20This%20is%20usually%20returned%20by%20a%20HTTP%20server%20that%20does%20not%20support%20the%20WS-Management%20protocol.%20For%20more%20information%2C%20see%20the%20about_Remote_Troubleshooting%20Help%20topic.%20(2)%20RemoteException%3A%20Validation%20failed%20for%20adding%20CAU%20cluster%20role.%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CFONT%3ESo%20I'm%20pretty%20much%20done%20with%20caring%20about%20it.%20It's%20super%20frustrating%20that%20Microsoft's%20software%20is%20so%20incomplete.%20I%20wonder%20if%20any%20of%20their%20products%20go%20through%20testing.%20Our%20HCI%20setup%20is%20completely%20standard%20and%20out-of-the-box.%20We%20purchased%20it%20through%20a%20certified%20hardware%20reseller.%20And%20basic%20features%20haven't%20worked.%3C%2FFONT%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1045122%22%20slang%3D%22en-US%22%3ERe%3A%20Cluster%20Update%20asking%20to%20enable%20CredSSP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1045122%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F401146%22%20target%3D%22_blank%22%3E%40stevehootwork%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDesktop%20or%20Service%20mode%20gateway%3F%26nbsp%3B%20Which%20version%20of%20Windows%20Admin%20Center%20are%20you%20using%3F%26nbsp%3B%20Versions%20prior%20to%201910%20were%20broken%20for%20CredSPP%20in%20Service%20mode.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EGetting%20a%20.har%20file%20that%20captures%20the%20failure%20would%20greatly%20aid%20in%20debugging%20the%20issue.%26nbsp%3B%20Generating%20a%20.har%20file%20is%20easily%20done%20using%20Chrome%20or%20Edge%20and%20both%20are%20documented%20on%20the%20web.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1045193%22%20slang%3D%22en-US%22%3ERe%3A%20Cluster%20Update%20asking%20to%20enable%20CredSSP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1045193%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F216586%22%20target%3D%22_blank%22%3E%40Kelly%20Menzel%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20you%20are%20willing%20to%20capture%20the%20repro%20in%20a%20.har%20file%20I%20will%20do%20my%20best%20to%20get%20the%20failure%20diagnosed%20and%20understood.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1050196%22%20slang%3D%22en-US%22%3ERe%3A%20Cluster%20Update%20asking%20to%20enable%20CredSSP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1050196%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F216586%22%20target%3D%22_blank%22%3E%40Kelly%20Menzel%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETo%20all%20using%20CredSSP%20with%20a%20service%20mode%20gateway%20there%20is%20one%20more%20thing%20you%20must%20do%20to%20make%20it%20work%20--%20when%20making%20a%20connection%20to%20a%20server%20please%20check%20the%26nbsp%3B%E2%80%9CUse%20these%20credentials%20for%20all%20connections%E2%80%9D%20check%20box%20on%20the%20manage%20as%20credential%20dialog.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20design%20of%20CredSSP%20in%20service%20mode%20relies%20upon%20there%20being%20cached%20credentials%20available%20in%20the%20browser.%26nbsp%3B%20We%20will%20be%20taking%20a%20look%20at%20this%20decision%20and%20the%20subtle%20behavior%20of%20needing%20to%20check%20that%20check%20box%20in%20the%20credential%20dialog%20to%20make%20it%20work%20properly.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1063981%22%20slang%3D%22en-US%22%3ERe%3A%20Cluster%20Update%20asking%20to%20enable%20CredSSP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1063981%22%20slang%3D%22en-US%22%3E%3CP%3EI%20was%20able%20to%20capture%20a%20.har%20in%20Chrome%20and%20I%20sent%20it%20to%20you%20in%20a%20private%20message.%20Thanks!%3C%2FP%3E%3C%2FLINGO-BODY%3E
Konstantinos N. Chionas
Occasional Visitor

I installed Windows Admin Center, its great and working fine, but one of the things it advises me to do is to turn off CredSSP on servers, but when I use the Updates link on cluster page, it tells me that it needs to turn on CredSSP, is this a must? Or there is another way?

35 Replies
Yes, CredSSP is required for the update tool in either Failover or Hyper-Converged cluster manager.

@Jeff Woolslayer 

Do you have a procedure to enable the CredSSP options to allow Windows Admin Center to process cluster updates?

Hi @Paul Westervelt! I see you reached out via email as well. Someone should get back to you on that thread soon. 

 

The gist of it is that WAC should handle all the CredSSP configuration automatically. As a user, you shouldn't have to do anything (other than consent.)

@Jeff Woolslayer 

 

I think I"m seeing a similar issue.  credssp is simply not turning on automatically.  I get an error in WAC when I try and do updates or diagnostics stating "The workflow to enable CredSSP has been completed, but there was an error. Exception: This operation was blocked by role based access control settings"

 

RBAC was off originally, but I tried turning it on (and adding my user to the admin list) and then turned it off, and neither way worked.  I even tried loggined into each server and running  Enable-WSManCredSSP -role server in powershell and that showed that it was enabled, but the updates and diagnostics still came back with the same error.  I"m running v1904 build 1.2.1904.11004 on a windows 2019 server that I"m connecting to with a windows10 desktop and trying to manage a S2D hyperconvered cluster running 2019.

@oikjn 

 

Can you tell me a little more about your desktop/gateway machine?  There is a local group called "Windows Admin Center CredSSP Admins" -- can you tell me if your identity is a member of this group?  Can you tell me which locale you are using on this machine?  And -- can you run the following command in an elevated PowerShell console on this machine and reply with the results:

 

Enable-WSManCredSSP - Role Client -DelegateComputer <The FQDN of one of the cluster nodes>

 

Cheers!

 

Galen

 

Hi @galenb I have the same problem, I run the comand and this is the result.

 

cfg         : http://schemas.microsoft.com/wbem/wsman/1/config/client/auth
lang        : en-US
Basic       : true
Digest      : true
Kerberos    : true
Negotiate   : true
Certificate : true
CredSSP     : true

@galenb 

 

I too have the same issues and get the same return after setting up each node in one of our clusters:

cfg : http://schemas.microsoft.com/wbem/wsman/1/config/client/auth
lang : en-US
Basic : true
Digest : true
Kerberos : true
Negotiate : true
Certificate : true
CredSSP : true

@John Barreto 

 

Thanks, what about the other questions I asked?  Also, can I have the output from Get-WSManCredSSP?

 

Also service mode or desktop mode?

@tcook37402 

 

Can you look at my reply to John Barreto?  I have the same question for you too...

@galenb 

 

Another me too.   We run Enable-WSManCredSSP on all 4 nodes and get 

 

cfg         : http://schemas.microsoft.com/wbem/wsman/1/config/client/auth
lang        : en-US
Basic       : true
Digest      : true
Kerberos    : true
Negotiate   : true
Certificate : true
CredSSP     : true

 

We are trying to use the Windows Admin Centre Update tool but can not get beyond the "The workflow to enable CredSSP has been completed, but there was an error. Exception: This operation was blocked by role based access control settings".

 

Each node has RBAC applied and CredSSP is enabled and showing its orange badge.

 

Hope someone has some suggestions.

@galenb 

 

sorry I didn't see the notice of the reply from you.  I have a 2019 server VM setup to run WAC and connect to that through my desktop.  I am logging in on the WAC webpage as a domain administrator account.  

 

my desktop doesn't have the group you mentioned, but the WAC computer does and the admin account I use is listed in it.  I ran the command you asked on the WAC computer and tried again and still have the same error.  I did it for both nodes of the cluster and both came back with basic/digest/deberos/negotiate/certificate/credssp all equal to true and cfg:http://schemas.microsoft.com/wbem/wsman/1/config/client/auth  (sorry... couldn't copy/past from VM console).

 

edit:  I just updated to 1904.1 and retried...  same results.

Same here. i has been on every single version of WAC for my cluster. ever since upgraded to 1902, it has been broken! 

just upgraded to WAC1906, same problem!

 

Why cant just someone design error message that is human understandable and suggested action to be able to fix? 

 

Enabling CredSSP Delegation

10:38:34 PM
Type

Error

Message

Couldn't determine if the current user is a member of the Windows Admin Center CredSSP Administrators group. Error: Connecting to remote server wac1 failed with the following error message : The WS-Management service cannot process the request. Cannot find the microsoft.sme.powershell session configuration in the WSMan: drive on the wac1 computer. For more information, see the about_Remote_Troubleshooting Help topic.

@galenb  I also have this issue. Setup brand new WAC server on Windows 2019. Added a cluster and all 3 nodes to WAC. On the WAC gateway machine, ran the "Enable-WSManCredSSP" command to all three nodes. output says "true" for all after it runs. On the gateway machine, when I run "Get-WSManCredSSP" on it, I get:
```
The machine is not configured to allow delegating fresh credentials.
This computer is configured to receive credentials from a remote client computer.
```

I have verified that my userID is in the group mentioned for WAC CredSSP Admins" as well.

 

Any other ideas?

Same issue.  All nodes in cluster running WS2019 (March Update). WAC version is 1907 build 1.2.1906.28002.

 
 

Same issue here. It would be nice if there was an official guide to make this work. The way I am trying to set it up is have a centralized WAC VM running 2019 with the latest extension versions and we all connect to it from our respective Windows 10 clients. I am trying to use the Diagnostics module 1.1.10 the Hyper-Converged Cluster Manager to connect to an S2D 2019 cluster. While the module installs fine, the problem comes up in notifications of the following:

 

Error

Enable delegation


Source - Go to Diagnostics
Type

Error

Message

The workflow to enable CredSSP has been completed, but there was an error. Exception: This operation was blocked by role based access control settings"

 

The user I am trying to use is in the local "Windows Admin Center CredSSP Admins" group on the WAC and the enable-wsmancredssp -role client -delegatecomputer (nodes) has been completed successfully. I even added it to the SDDC instances and failover cluster instance FQDNs. Still does the same thing every time.

 

 

I'm having the same issue. It says access is blocked based on the RBAC settings, but the thing is; I don't even have RBAC enabled since this is a lab.

@Haribo 

 

I need more info about your gateway setup...

 

Desktop or service mode?

 

What is the execution policy of you gateway machine?  RemoteSigned. AllSigned, etc...

 

Are your connections FQDN or IP addresses?

 

TIA!

 

Galen

@Reng Kwan 

 

WAC is a never-ending battle for us it seems.

 

We too were receiving the error, "Couldn't determine if the current user is a member of the Windows Admin Center CredSSP Administrators group. Error: Connecting to remote server wac1 failed with the following error message : The WS-Management service cannot process the request. Cannot find the microsoft.sme.powershell session configuration in the WSMan: drive on the wac1 computer. For more information, see the about_Remote_Troubleshooting Help topic."

 

We had this problem when we tried to use the HCI Updates and Diagnostics features, two features that rely on CredSSP, as well as when we tried to connect to the WAC server (itself) via Computer Management in WAC. 

 

We tracked this down to having IPv6 enabled. When we ran `Disable-NetAdapterBinding -InterfaceAlias Ethernet -ComponentID ms_tcpip6` We could connect to the server.

 

However, after spending 6 hours figuring that out, we still couldn't use The HCI Updates and Diagnostics features (which we need because our HCI cluster also doesn't work correctly and we need to use Diagnostics to troubleshoot it). Now we're getting a different error, "The workflow to enable CredSSP has been completed, but there was an error. Exception: This operation was blocked by role based access control settings." 

 

So I've kind of given up. There is even less I can find online for this problem. And this is the only posting I've found. 

@galenb running in service mode on one of the cluster nodes. ExecutionPolicy was not changed from what it is by default. Connections were FQDN.

@Haribo 

 

Thanks for confirming service mode.  We are currently changing how the JEA endpoint that we use to configure CredSSP client on the gateway is configured to fix the issues reported.  One of the design goals was to not require that every user of the Windows Admin Center needed to be an administrator of the gateway host server to configure CredSSP.

 

Is it possible to use desktop mode until the service mode fixes are available?  Desktop mode seems to be working more reliably...  If you try desktop mode and have problems please let me know.

@Kelly Menzel 

 

Are you running the Admin Center gateway in service mode on a server or in desktop mode on a client machine? 

 

If you are running in service mode there are known issues with how implemented CredSSP configuration of the gateway.  We are currently fixing those issues and will have a new release soon.

 

If you are running desktop mode and having issues can you reply with the results from Get-ExecutionPolicy?

@galenb 

The WAC gateway is running as a service on a Windows Server 2019 virtual machine. I will try running it on my workstation in desktop mode to get the diagnostics information. I didn't think about trying that.

Same issue here - following. Using 1909 v1.2.1909.03002 on a guest VM (gateway), WinRM over HTTPS, Hyper-V 2019 Cluster, and I haven't configured Kerberos for SSO yet.

@Paul Youngberg 

 

Paul, can you be more specific about the error you are seeing with your 1909 server mode gateway?

@galenb 

First I log in to WAC, then I Manage the Hyper-V cluster, then I click "Updates"

2019-10-18 12_47_31-Updates - Cluster Manager - Windows Admin Center.png

After 30 seconds or so I get this

2019-10-18 12_47_47-Updates - Cluster Manager - Windows Admin Center.png

WinRM over HTTPS is working fine for the cluster and two hosts in the cluster. Is it trying to talk to other guest VMs managed by the cluster/hosts as well?

@Paul Youngberg 

 

You are using WinRM over HTTP on your service mode gateway -- correct?

@galenb WinRM over HTTPS on my service mode gateway. Firewall rules are in place, even ran 'enable-psremoting -force' and 'Register-PSSessionConfiguration -Name Microsoft.PowerShell -Force' for good measure. No luck.

@Paul Youngberg 

 

Thanks for confirming.  I will need to look into this.

@galenbthanks - also to clarify, we're not blocking WinRM over HTTP requests either. Ports are open for both.

Hi @galenb,

 

Any update on this? Got exactly this issue and identical to what others have reported here. 

 

Deploying WAC as the primary admin method for a new Azure Stack HCI deployment for a client and just cannot get past this CredSSP issue... Delegation seems fine other than updates and diagnostics.

 

Thanks

@stevehootwork 

 

For us, upgrading to version 1910 (Build 1.2.1910.31005) resolved the CredSSP issue. However, we wanted to use this for the Updates feature, especially cluster-aware updates on our HCI. Now, when we click "Updates" from the Tools side menu in WAC, CredSSP passes and we're prompted with a "Let's get you set up" message. It says,

 

To continue, we need to set up a few things:

  • If Windows Firewall is in use on the cluster nodes, this tool will automatically enable Windows Firewall rules needed on each cluster node to allow remote restarts during updating. This is required to update this cluster.
  • If the Cluster-Aware Updating role is not present, it will be added.

When you click "Go for it" it immediate fails with an error notification that reads:

 

Failed to configure cluster aware update role to the cluster. Error: (1) RemoteException: Unable to validate that the cluster supports the Cluster-Aware Updating role. An unknown validation error occurred on node "corp-hci-01". Additional information: (ClusterUpdateException) Failed to run script "Validation Script": (PSRemotingTransportException) Connecting to remote server corp-hci-01 failed with the following error message : The WinRM client sent a request to an HTTP server and got a response saying the requested HTTP URL was not available. This is usually returned by a HTTP server that does not support the WS-Management protocol. For more information, see the about_Remote_Troubleshooting Help topic. ==> (PSRemotingTransportException) Connecting to remote server corp-hci-01 failed with the following error message : The WinRM client sent a request to an HTTP server and got a response saying the requested HTTP URL was not available. This is usually returned by a HTTP server that does not support the WS-Management protocol. For more information, see the about_Remote_Troubleshooting Help topic. (2) RemoteException: Validation failed for adding CAU cluster role.

 

So I'm pretty much done with caring about it. It's super frustrating that Microsoft's software is so incomplete. I wonder if any of their products go through testing. Our HCI setup is completely standard and out-of-the-box. We purchased it through a certified hardware reseller. And basic features haven't worked.

@stevehootwork 

 

Desktop or Service mode gateway?  Which version of Windows Admin Center are you using?  Versions prior to 1910 were broken for CredSPP in Service mode.

 

Getting a .har file that captures the failure would greatly aid in debugging the issue.  Generating a .har file is easily done using Chrome or Edge and both are documented on the web.

@Kelly Menzel 

 

If you are willing to capture the repro in a .har file I will do my best to get the failure diagnosed and understood.

@Kelly Menzel 

To all using CredSSP with a service mode gateway there is one more thing you must do to make it work -- when making a connection to a server please check the “Use these credentials for all connections” check box on the manage as credential dialog.

 

The design of CredSSP in service mode relies upon there being cached credentials available in the browser.  We will be taking a look at this decision and the subtle behavior of needing to check that check box in the credential dialog to make it work properly.

I was able to capture a .har in Chrome and I sent it to you in a private message. Thanks!

Related Conversations
Tabs and Dark Mode
cjc2112 in Discussions on
50 Replies
Extentions Synchronization
Deleted in Discussions on
3 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
How to Prevent Teams from Auto-Launch
chenrylee in Microsoft Teams on
32 Replies
Security Community Webinars
Valon_Kolica in Security, Privacy & Compliance on
15 Replies
Dev channel update to 80.0.355.1 is live
josh_bodner in Discussions on
67 Replies