Delegation to connect seems not working

%3CLINGO-SUB%20id%3D%22lingo-sub-1078503%22%20slang%3D%22en-US%22%3EDelegation%20to%20connect%20seems%20not%20working%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1078503%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWAC%201910%20on%20Windows%20Server%202019%20as%20a%20Gateway%20using%20Server%20Certificate%20from%20internal%20CA%20(Windows%20Firewall%20is%20disabled%20-%20when%20enable%20it%2C%20I%20could%20not%20connect%20at%20all%26nbsp%3Balthough%20Firewall%20Rules%20for%20%22Remote%20Service%20Management%22%20is%20enabled%2C%20but%20this%20is%20different%20issue%20I%20delay%26nbsp%3B)%2C%20I%20able%20to%26nbsp%3BAdd%26nbsp%3Bsome%20Servers%20within%20the%20AD%20Domain%2C%20however%20could%20not%20connect%20to%20any%20of%20them%2C%20and%20always%20get%20%22Specify%20Your%20Credentials%22%20with%20Warning%20as%20%22To%20Perform%20a%20single%20sign-in%20using%20your%20Windows%20account%2C%20you%20might%20need%20to%20set%20up%20Kerberos%20delegation%22%2C%3C%2FP%3E%0A%3CP%3EI%20already%20created%20the%20required%20delegation%20using%20PowerShell%20command%20in%20documentation%20as%20below%3A%3C%2FP%3E%0A%3CP%3ESet-ADComputer%20-Identity%20(Get-ADComputer%20node01)%20-PrincipalsAllowedToDelegateToAccount%20(Get-ADComputer%20wac)%3C%2FP%3E%0A%3CP%3E%2B%20nodes01%20%3D%20target%20Server%20computer%20name%3C%2FP%3E%0A%3CP%3E%2B%20WAC%20%3D%20Windows%20Admin%20Center%20computer%20name%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20tried%20on%20both%20Windows%20with%20Desktop%20%26amp%3B%20with%20Windows%20Core%2C%20and%20for%20both%20I%20have%20the%20same%20issue%2C%3C%2FP%3E%0A%3CP%3EWhat%20can%20be%20the%20cause%20of%20the%20issue%3F%20and%20how%20can%20be%20solved%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1078534%22%20slang%3D%22en-US%22%3ERe%3A%20Delegation%20to%20connect%20seems%20not%20working%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1078534%22%20slang%3D%22en-US%22%3E%3CP%3EBTW%2C%20if%20I%20ignore%20the%20delegation%20warning%20and%20click%20%22Continue%22%2C%20I%20get%20different%20error%20as%20below%3A%3C%2FP%3E%0A%3CP%3E%22The%20client%20cannot%20connect%20to%20the%20destination%20specified%20in%20the%20request.%20verify%20that%20the%20service%20on%20the%20destination%20is%20running%20and%20is%20accepting%20requests...%22%3C%2FP%3E%0A%3CP%3EAnd%20%22WINRM%26nbsp%3BQC%22%20shows%20that%26nbsp%3BWinRM%20service%20is%20already%20running%20%26amp%3B%20setup%20for%20Remote%20Management%22%3C%2FP%3E%0A%3CP%3EAlso%20I%20already%20allowed%20Remote%20Management%20using%20SCONFIG%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Microsoft

Hi,

 

WAC 1910 on Windows Server 2019 as a Gateway using Server Certificate from internal CA (Windows Firewall is disabled - when enable it, I could not connect at all although Firewall Rules for "Remote Service Management" is enabled, but this is different issue I delay ), I able to Add some Servers within the AD Domain, however could not connect to any of them, and always get "Specify Your Credentials" with Warning as "To Perform a single sign-in using your Windows account, you might need to set up Kerberos delegation",

I already created the required delegation using PowerShell command in documentation as below:

Set-ADComputer -Identity (Get-ADComputer node01) -PrincipalsAllowedToDelegateToAccount (Get-ADComputer wac)

+ nodes01 = target Server computer name

+ WAC = Windows Admin Center computer name

 

I tried on both Windows with Desktop & with Windows Core, and for both I have the same issue,

What can be the cause of the issue? and how can be solved?

1 Reply
Highlighted

BTW, if I ignore the delegation warning and click "Continue", I get different error as below:

"The client cannot connect to the destination specified in the request. verify that the service on the destination is running and is accepting requests..."

And "WINRM QC" shows that WinRM service is already running & setup for Remote Management"

Also I already allowed Remote Management using SCONFIG