Azure / AzureStackHCI-EvalGuide

Welcome to the Azure Stack HCI Evaluation Guide!
Creative Commons Attribution 4.0 International

"Validate the cluster" fails immediately, and there's no CredSSP popup or message #25

Closed laurenbo closed 3 years ago

laurenbo commented 4 years ago

Hi there, I cannot get to the actual Cluster Validation process. In step 3.1 "Validate Cluster", I get the following error message instantly:

"Something went wrong with enabling the Credential Security Support Provider protocol (CredSSP). This is a known issue that may be fixed in a future Windows Admin Center update. See the known issues section of the documentation at aka.ms/deploy-hci for instructions to work around this issue."

The notification says a bit more:

"Could not validate cluster. Error: The workflow to enable CredSSP has been completed, but there was an error. Connecting to remote server mgmt01 failed with the following error message : The WS-Management service cannot process the request. Cannot find the microsoft.sme.powershell session configuration in the WSMan: drive on the mgmt01 computer. For more information, see the about_Remote_Troubleshooting Help topic."

The doc says "If the Credential Security Service Provider (CredSSP) pop-up appears, select Yes to temporarily enable CredSSP for the wizard to continue. Once your cluster is created and the wizard has completed, you'll disable CredSSP to increase security.", but there's no popup nor the Message Box mentioned in the present guide.

I've run all the workarounds in the "Troubleshoot" section, rebooted everyone, but still no luck. Any idea? Something missing in MGMT01?

mattmcspirit commented 4 years ago

Sorry, I re-read your message and deleted my initial response, however you must have received it anyway. Outside of the workarounds we've written, Jan over on YouTube shows some steps to troubleshoot cluster validation https://youtu.be/7ONMTDzDNcM?t=5388, however he does get the CredSSP popup.

Can I check - what is your WAC version number, and also, did you join the nodes to the domain using my PowerShell, or using WAC itself?

Thanks, Matt

laurenbo commented 4 years ago

Matt - my WAC is 1.2.2007.18002, and yes I used all the PowerShell you wrote, especially for joining nodes to the domain. I'm watching Jan's show as of now, to chase this CredSSP thing. Thanks !

mattmcspirit commented 4 years ago

Great, thanks for confirming - I'm checking internally to see what a workaround could be - I've seen it once, and the documented workaround steps worked for me, but I'm checking to see what others have seen.

mattmcspirit commented 4 years ago

If you run the following on WAC, what results do you get?

setspn -L

laurenbo commented 4 years ago

Missing parameter: accountname

mattmcspirit commented 4 years ago

ahh, GitHub missed off the key word:

setspn -L nodeName

laurenbo commented 4 years ago

here are the results:

C:\Users\labadmin>setspn -L azshcinode01
Registered ServicePrincipalNames for CN=AZSHCINODE01,CN=Computers,DC=azshci,DC=local:
        Hyper-V Replica Service/AZSHCINODE01
        Hyper-V Replica Service/AZSHCINODE01.azshci.local
        Microsoft Virtual System Migration Service/AZSHCINODE01
        Microsoft Virtual System Migration Service/AZSHCINODE01.azshci.local
        Microsoft Virtual Console Service/AZSHCINODE01
        Microsoft Virtual Console Service/AZSHCINODE01.azshci.local
        WSMAN/AZSHCINODE01
        WSMAN/AZSHCINODE01.azshci.local
        TERMSRV/AZSHCINODE01
        TERMSRV/AZSHCINODE01.azshci.local
        RestrictedKrbHost/AZSHCINODE01.azshci.local
        HOST/AZSHCINODE01.azshci.local
        RestrictedKrbHost/AZSHCINODE01
        HOST/AZSHCINODE01

mattmcspirit commented 4 years ago

Can you run this on MGMT01 and the nodes?

Get-WSManCredSSP

Let me know the output for MGMT01 and each of the nodes (unless all nodes show the same message)

laurenbo commented 4 years ago

MGMT01, AZSHCINODE01 and 02 all return the same message: The machine is not configured to allow delegating fresh credentials. This computer is not configured to receive credentials from a remote client computer.

mattmcspirit commented 4 years ago

OK, so on MGMT01

$servers = "AZSHCINODE01", "AZSHCINODE02", "AZSHCINODE01.azshci.local", "AZSHCINODE02.azshci.local"
# Pass the array itself; "$servers" in quotes would join the names into one space-separated string
Enable-WSManCredSSP -Role "Client" -DelegateComputer $servers

Then reboot MGMT01.

Then once MGMT01 is back online, on each of your nodes:

Enable-WSManCredSSP -Role "Server"

Then reboot the node.

laurenbo commented 4 years ago

I did all these steps, waited 10 min after reboot before restarting WAC wizard, but "Validate the Cluster" does not go beyond the same initial step: "Could not validate cluster. Error: The workflow to enable CredSSP has been completed, but there was an error. Connecting to remote server mgmt01 failed with the following error message : The WS-Management service cannot process the request. Cannot find the microsoft.sme.powershell session configuration in the WSMan: drive on the mgmt01 computer."

mattmcspirit commented 4 years ago

OK, and what is the result of

Get-WSManCredSSP

On MGMT01 and the nodes as a result?

Thanks, Matt

laurenbo commented 4 years ago

1) on MGMT01:

The machine is configured to allow delegating fresh credentials to the following target(s): wsman/AZSHCINODE01 AZSHCINODE02 AZSHCINODE01.azshci.local AZSHCINODE02.azshci.local
This computer is not configured to receive credentials from a remote client computer.

2) on AZSHCINODE01 and AZSHCINODE02:

The machine is not configured to allow delegating fresh credentials.
This computer is configured to receive credentials from a remote client computer.

mattmcspirit commented 4 years ago

OK thanks. I'll have to do some more investigation as unfortunately, I can't replicate the issue - each time I've walked through the process, I've been prompted for the CredSSP message, and things have been fine. I'll have to discuss internally and get back to you. Thanks for your patience.

mattmcspirit commented 4 years ago

Could you see if you get the same result on MGMT01, as here: https://sysadminplus.blogspot.com/2016/11/the-ws-management-service-cannot.html, when you run:

Get-PSSessionConfiguration

laurenbo commented 4 years ago

yes Matt - I get similar results on MGMT01, plus 2 other entries that look good too:

PS C:\Windows\system32> Get-PSSessionConfiguration

Name          : microsoft.powershell
PSVersion     : 5.1
StartupScript :
RunAsUser     :
Permission    : NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed

Name          : microsoft.powershell.workflow
PSVersion     : 5.1
StartupScript :
RunAsUser     :
Permission    : BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed

Name          : microsoft.powershell32
PSVersion     : 5.1
StartupScript :
RunAsUser     :
Permission    : NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed

Name          : microsoft.sme.credssp
PSVersion     : 5.1
StartupScript :
RunAsUser     :
Permission    : MGMT01\LocalAdmin AccessAllowed

Again, thanks for your time in research & thinking about the issue I face.
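
The two states this thread keeps inspecting by hand, the CredSSP delegation targets and the presence of the `microsoft.sme.powershell` session configuration, can be checked in one pass. The following is an added example, not part of the thread or the guide; the function names are hypothetical, and the sample targets are constructed from the `Get-WSManCredSSP` output posted above.

```powershell
# Added example, not from the thread. Function names are hypothetical.

function Test-DelegationTarget {
    # A well-formed AllowFreshCredentials entry is a single SPN such as
    # wsman/HOST or wsman/*.domain, with no whitespace inside it.
    param([string[]]$Target)
    foreach ($t in $Target) {
        [pscustomobject]@{
            Target   = $t
            Valid    = $t -match '^wsman/[^\s/]+$'
            Wildcard = $t.Contains('*')   # broad delegation, worth reviewing
        }
    }
}

function Get-LocalDelegationTarget {
    # Policy values written by Enable-WSManCredSSP -Role Client.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
    if (-not (Test-Path $key)) { return @() }
    $item = Get-Item $key
    $item.GetValueNames() | ForEach-Object { $item.GetValue($_) }
}

function Test-SessionConfiguration {
    # True when the named PowerShell session configuration is registered locally.
    param([string]$Name = 'microsoft.sme.powershell')
    [bool](Get-PSSessionConfiguration -Name $Name -ErrorAction SilentlyContinue)
}

# Constructed sample: the single joined entry reported for MGMT01 in the thread,
# followed by what four separate entries would look like.
$sample = @(
    'wsman/AZSHCINODE01 AZSHCINODE02 AZSHCINODE01.azshci.local AZSHCINODE02.azshci.local'
    'wsman/AZSHCINODE01', 'wsman/AZSHCINODE02'
    'wsman/AZSHCINODE01.azshci.local', 'wsman/AZSHCINODE02.azshci.local'
)
Test-DelegationTarget -Target $sample | Format-Table -AutoSize

# On a live Windows host (elevated session), audit the real state:
if ($env:OS -eq 'Windows_NT') {
    Test-DelegationTarget -Target (Get-LocalDelegationTarget) | Format-Table -AutoSize
    'microsoft.sme.powershell registered: {0}' -f (Test-SessionConfiguration)
    Get-WSManCredSSP
    # After cluster creation, turn delegation back off on both sides:
    #   Disable-WSManCredSSP -Role Client   (gateway)
    #   Disable-WSManCredSSP -Role Server   (each node)
}
```

The first sample row comes back with `Valid = False` because it is one entry containing spaces rather than four SPNs; the check only describes the delegation policy and does not by itself explain the missing session configuration.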

mauricehermens commented 4 years ago

Hi, I've got the same issue when I run the cluster validation on the MGMT01 with AZSHCI\LabAdmin user logged in.

"Could not validate cluster. Error: The workflow to enable CredSSP has been completed, but there was an error. Connecting to remote server mgmt01 failed with the following error message : The WS-Management service cannot process the request. Cannot find the microsoft.sme.powershell session configuration in the WSMan: drive on the mgmt01 computer. For more information, see the about_RemoteTroubleshooting Help topic."

When I run the cluster validation with the user MGMT01\LocalAdmin, I receive the CredSSP popup to enable it, and could successfully run the validation after it!

laurenbo commented 4 years ago

@mauricehermens thx for sharing, I tried it on my system, and got the same GOOD results as yours!

@mattmcspirit seems weird to use a local account on MGMT01 to build a Domain-attached cluster. Anyway on the "Creating a (local) cluster" chapter, nothing is mentioned about the identity that needs to be used in MGMT01 to run WAC: https://github.com/Azure/AzureStackHCI-EvalGuide/blob/main/nested/steps/4_AzSHCICluster.md#creating-a-local-cluster

Maybe some clarification in favor of AZSHCI\labadmin or MGMT01\localadmin could be mentioned there? Methinks the AZSHCI\labadmin should do the job anyway, hence the issue still exists.

mattmcspirit commented 4 years ago

Thanks both of you for troubleshooting this. I'm continuing to explore why this occurs - it seems very strange that a local account works, yet the domain account doesn't, however I can't get it to replicate in my environments.

Also, good catch on me not mentioning that you should be logged in as labadmin - it is just assumed from the previous step, but I will make a note to call this out when I have more info on the issue.

Thanks, Matt

romanboba commented 4 years ago

I went into exactly the same problem "WSMan: drive on the mgmt01 computer" when using the https://github.com/Azure/AzureStackHCI-EvalGuide/blob/main/nested/README.md, deployment in Azure and using PowerShell scripts (using azshci\labadmin user on MGMT01). When trying to validate the cluster logged on as localadmin user got the error: [screenshot: Capture]

mattmcspirit commented 4 years ago

@romanboba - what happens if you try to validate when logged in as azshci\labadmin (logged in to both MGMT01, and the WAC portal as azshci\labadmin)?

Did you install WAC logged in as labadmin, or localadmin?

Thanks!

romanboba commented 4 years ago

> @romanboba - what happens if you try to validate when logged in as azshci\labadmin (logged in to both MGMT01, and the WAC portal as azshci\labadmin)?

@mattmcspirit Result is the same error: Could not validate cluster. Error: The workflow to enable CredSSP has been completed, but there was an error. Connecting to remote server mgmt01 failed with the following error message : The WS-Management service cannot process the request. Cannot find the microsoft.sme.powershell session configuration in the WSMan: drive on the mgmt01 computer.

> Did you install WAC logged in as labadmin, or localadmin?

Well, to be honest, I'm not 100% sure, but I tried to follow the installation manual, so I would say I used azshci\labadmin. If you think this can be an issue, I can redeploy and reconfigure MGMT01 using azshci\labadmin.

Thanks!

ElhamNsr commented 3 years ago

Hello Everyone. I have the same error. Trying to Deploy 2Node Azure Stack HCI OS.

Tried the Local Login. No Changes.

My Error:

Validate the cluster
Error: Something went wrong with enabling the Credential Security Support Provider protocol (CredSSP). This is a known issue that may be fixed in a future Windows Admin Center update. See the known issues section of the documentation at aka.ms/deploy-hci for instructions to work around this issue.

Error: Error in cluster validation

3:40:14 PM
Source: Go to Cluster Creation.
Type: Error

Message: Could not validate cluster. Error: The workflow to enable CredSSP has been completed, but there was an error. Beim Verbinden mit dem Remoteserver "admincenter" ist folgender Fehler aufgetreten: Der WS-Verwaltungsdienst kann die Anforderung nicht verarbeiten. Die microsoft.sme.powershell-Sitzungskonfiguration kann im WSMan:-Laufwerk auf dem admincenter-Computer nicht gefunden werden. Weitere Informationen finden Sie im Hilfethema "about_Remote_Troubleshooting".

My AdminCenter is running on a German Windows Server (AdminCenter is running in English USA). Azure Stack HCI OS is running in en_US.

Any idea where I can check? Tried DomAdmin and LocalAdmin.

There is no CredSSP Popup

sjeanjean commented 3 years ago

Hello, Same error on the Validate Cluster step.

The Windows Admin Center was installed with the LocalAdmin account. I have reinstalled WAC with the azshci\labadmin account and the problem was gone.

BTW, I have also changed the locale to en_US, but I don't know if it was mandatory.

mattmcspirit commented 3 years ago

Thanks for this @sjeanjean - I'll be working to do a full review and update of the guide next week, factoring in any changes for WAC 2009, and setting up for AKS-HCI, so I'll be sure to ensure that correct accounts are highlighted correctly.

Thanks!

mattmcspirit commented 3 years ago

I believe this to be fixed in the latest release, so please let me know if that's not the case and we can re-open.