Friday 20 February 2009

Hyper-V – General Access Denied Error for ISOs via Network Share

Once the Hyper-V server on Server Core, or Full, has been set up, there is one more series of steps that need to happen before the Hyper-V server will be allowed to mount a network share located ISO file for VMs to use.

Before those steps are done, Hyper-V will throw a “General access denied error” whenever an attempt is made to mount a network located ISO in a VM.

We alluded to this procedure before: Hyper-V - Access to network shares for ISOs (previous blog post). Though at that point, we still had not found the exact methodology for getting the network ISOs accessible. Our methodology for Virtual Server 2005 R2 did not work.

In the end, there was a source for the solution: Jose Barreto’s Blog: Using Constrained Delegation to remotely manage a server running Hyper-V that uses CIFS/SMB file shares. Note that his blog came a couple of months after our initial post above.

Configuring the Constrained Delegation is actually quite simple:

  1. On the server with the shared ISO folder:
    1. Set both the NTFS and the Share permissions to FULL for the Hyper-V computer account.
  2. On a domain DC:
    1. Open Active Directory Users and Computers (SBS Console –> Advanced on 2003, SBS Native Tools Management on 2008)
    2. Find the Hyper-V server and double click on it.
    3. Click the Delegation tab.
    4. Click Trust this computer for delegation to the specified services only radio button.
    5. Click the Use any authentication protocol radio button.
    6. Click the Add button.
    7. Click the Users or Computers… button.
    8. Type the server’s name and click the Check Names button. An underline will appear under the server’s name if the correct object was found in Active Directory.
    9. Click on the cifs Service Type and click the OK button.
    10. Click the Apply and OK buttons.

Once the above two procedures have been accomplished, reboot the Hyper-V box if it still gives the General Access Denied error. Once rebooted, the ISO should mount in the VM via the Hyper-V Manager with no problems.

A screenshot of what the Constrained Delegation setting looks like:09-02-20 Hyper-V Constrained Delegation Settings in ADUC

Hyper-V Server properties with Constrained Delegation Enabled

    Note that the above screenshot is the properties for the Hyper-V role enabled server! No changes need to be made to the file server’s AD properties. Only the permissions on the folder share and NTFS permissions need to be modified on that box.

    Again, thanks to Jose Barreto’s Blog: Using Constrained Delegation to remotely manage a server running Hyper-V that uses CIFS/SMB file shares for the right answer to our problem.

    Philip Elder
    MPECS Inc.
    Microsoft Small Business Specialists

    *All Mac on SBS posts will not be written on a Mac until we replace our now missing iMac!

    Windows Live Writer

    1 comment:

    Anonymous said...

    Great stuff! Helped me a lot, even though my setup had a slight twist. I am running 3 Hyper-V 2008 R2 servers. One of them has a USB disk with ISO's attached to it. Thanks to this article i managed to setup a share on the first Hyper-V server and mount the ISO's on the other two.