Virtual machine migration failed at migration source
Failed to establish a connection with host ... the credentials supplied to the package were not recognised (0x8009030D)
When trying to move a virtual machine from one host to another using Hyper-V manager in a domain environment, the following error is generated by the move wizard:
There was an error during move operation.
Virtual machine migration operation failed at migration source.
Failed to establish connection with host 'TARGET': The credentials supplied to the package were not recognised (0x8009030D).
The Virtual Machine Management service failed to authenticate the connection for a Virtual Machine migration at the source host: no suitable credentials available. Make sure the operation is initiated on the source host of the migration, or the source host is configured to use Kerberos for the authentication of migration connections and Constrained Delegation is enabled for the host in Active Directory.
Where 'TARGET' is the name of the new host that you are trying to migrate the virtual machine to.
This is caused by a trust issue - both computers (or possibly just the target one) needs to be configured to trust the other.
- Log into a domain controller for the domain.
- Open "Active Directory Users and Computers".
- Find the target server (the one you are trying to migrate to) and open its properties.
- On the "Delegation" tab, either select:
"Trust this compute for delegation to specific services only"
Whilst you could select "Trust this computer for delegation to any service (Kerberos only)" it is probably better to restrict it to only those computers where you need to delegate trust.
- Ensure that "Use Kerberos only" is selected.
- Click [Add...] and add the name of the source server, you will also be asked for the name of a service, select both "cifs" and "Microsoft Virtual System Migration Service".
- Repeat for the source server - so it trusts the destination server in just the same way.
- If you have more than one domain controller then you may
need to force them to replicate the changes between them.
To force the replication run "Active Directory Sits and Services", navigate to Sites → Default-First-Named-Site → Servers → Expand the server that you just made changes on → expand NTDS Settings, right click on each entry and select "Replicate Now".
To be honest its easier to wait, and the changes are it will have been replicated by the time you finish anyway.
- Ensure that live migration is enabled at both servers with
the correct authentication protocol.
Do this by opening the "Hyper-V settings ..." for each server via Hyper-V Manager.
- Under "Live Migrations" check that:
"Enable incoming and outgoing live migrations" is checked
and that under "Authentication protocol" you have "Use Kerberos" selected. If you don't see this then it may be under an expandable section "Advanced Features".
Save any changes.
You should now be able to successfully retry the move. If you still get the error then check that you have not missed any of the settings above.
About the author: Brian Cryer is a dedicated software developer and webmaster. For his day job he develops websites and desktop applications as well as providing IT services. He moonlights as a technical author and consultant.