Hyper-V VMMS fails to register SPN when NTDS port restriction is configured on the domain controller

View products that this article applies to.

Symptoms

Consider the following scenario:

You have a domain-joined Hyper-V server that is running Windows Server 2016 or a later version of Windows Server.

You have configured the domain controllers to have an NTDS port restriction by setting the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Registry value: TCP/IP Port
Value type: REG_DWORD
Value data: (available port)

The TCP port that's configured in this registry path is set to a port number that is not in the default dynamic port range (from 49152 to 65535).

In this scenario, the Hyper-V Virtual Machine Management Service (VMMS) fails to register the Service Principal Names (SPNs).

For example, the following list shows SPNs for a server that's named “Hyper1” in a domain that's named “contoso.com”:

Microsoft Virtual System Migration Service/Hyper1
Microsoft Virtual System Migration Service/Hyper1.contoso.com
Hyper-V Replica Service/Hyper1
Hyper-V Replica Service/Hyper1.contoso.com
Microsoft Virtual Console Service/Hyper1
Microsoft Virtual Console Service/Hyper1.contoso.com

These SPNs are required for many of the Hyper-V and High Availability features.

Note The Microsoft-Windows-Hyper-V-VMMS-Admin log shows error event 14050:

Failed to register the service principal name 'Hyper-V Replica Service'.
Failed to register the service principal name 'Microsoft Virtual System Migration Service'.
Failed to register the service principal name 'Microsoft Virtual Console Service'.

↑ Back to the top

Cause

This issue occurs because the Hyper-V VMMS service uses Windows service hardening. By default, the service is restricted to the dynamic port range (49152 through 65535).

When the VMMS tries to reach the domain controller through an NTDS port that is not in this range, the SPN registration fails.

If security auditing for “Filtering Platform Packet Drop” is enabled, “Audit Failure” event 5152 is also logged when this issue occurs:

The Windows Filtering Platform has blocked a packet.
Application Information:
   Process ID:       7276
   Application Name:   \device\harddiskvolume4\windows\system32\vmms.exe
Network Information:
   Direction:       Outbound
   Source Address:       192.168.1.2
   Source Port:       51411
   Destination Address:   192.168.1.1
   Destination Port:       23456
   Protocol:       6

Note The following command can be used to enable logging for "Audit Failure":

auditpol /set /subcategory:”Filtering Platform Packet Drop” /success:disable /failure:enable

↑ Back to the top

Resolution

To fix the issue, use one of the following methods.

Method 1

Remove the NTDS TCP port restriction, and then revert to the configuration that uses the default dynamic port range.

Method 2

Change the currently configured NTDS TCP-restricted port to a port number that's within the default dynamic range.

Method 3

Add an outgoing rule for the restricted NTDS port (23456 in the following example) on each Hyper-V host. To do this, follow these steps:

Start a text editor, such as Notepad.

Copy the following code, and then paste the code into the text file:

'================================================
'This VBScript adds the port 23456 for outgoing traffic  
'run as cscript addportrange.vbs on the Hyper-V host
option explicit
'IP protocols
const NET_FW_IP_PROTOCOL_TCP = 6
const NET_FW_IP_PROTOCOL_UDP = 17
'Action
const NET_FW_ACTION_BLOCK = 0
const NET_FW_ACTION_ALLOW = 1
'Direction
const NET_FW_RULE_DIR_IN = 1
const NET_FW_RULE_DIR_OUT = 2
'Create the FwPolicy2 object.
Dim fwPolicy2
Set fwPolicy2 = CreateObject("HNetCfg.FwPolicy2")
'Get the Service Restriction object for the local firewall policy.
Dim ServiceRestriction
Set ServiceRestriction = fwPolicy2.ServiceRestriction
'If the service requires sending/receiving certain type of traffic, then add "allow" WSH rules as follows
'Get the collection of Windows Service Hardening networking rules
Dim wshRules
Set wshRules = ServiceRestriction.Rules
'Add outbound WSH allow rules
Dim NewOutboundRule
Set NewOutboundRule = CreateObject("HNetCfg.FWRule")
NewOutboundRule.Name = "Allow outbound traffic from VMMS service to TCP 23456"
NewOutboundRule.ApplicationName = "%systemDrive%\WINDOWS\system32\vmms.exe"
NewOutboundRule.ServiceName = "vmms"
NewOutboundRule.Protocol = NET_FW_IP_PROTOCOL_TCP
NewOutboundRule.RemotePorts = "23456"
NewOutboundRule.Action = NET_FW_ACTION_ALLOW
NewOutboundRule.Direction = NET_FW_RULE_DIR_OUT
NewOutboundRule.Enabled = true
wshRules.Add NewOutboundRule
'end of script
'================================================

Save the file as "Addportrange.vbs".
Run the script as cscript on the Hyper-V host.

Note You can also use PowerShell to add the outgoing traffic exception, as follows:

(New-Object -ComObject HNetCfg.FwPolicy2).ServiceRestriction.Rules
Get-NetFirewallRule -PolicyStore ConfigurableServiceStore
$Rule = @{
    DisplayName = "Allow outbound traffic from VMMS service to TCP 23456"
    Direction = "Outbound"
    InterfaceType = "Any"
    Action =  "Allow"
    Protocol =  "TCP"
    Service = "vmms"
    Program = "$($env:systemdrive)\WINDOWS\system32\vmms.exe"
    Enabled = "TRUE"
    RemotePort = "23456"
    PolicyStore = "ConfigurableServiceStore"
}
New-NetFirewallRule @Rule

↑ Back to the top