Affected versions: Windows Server 2022

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution — Primary Fix
  7. Solution — Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Planned maintenance cannot evacuate VMs because live migration authentication fails.

Environment & Reproduction

Windows Server 2022 build 20348 Hyper-V cluster using Kerberos live migration.

Get-VMHost | Select VirtualMachineMigrationEnabled,VirtualMachineMigrationAuthenticationType
Move-VM -Name APP01 -DestinationHost HV02 -WhatIf
setspn -L HV01

Root Cause Analysis

Constrained delegation for the cifs and Microsoft Virtual System Migration Service services is missing, or is set on the wrong AD object.

Quick Triage

Validate migration authentication mode and SPN health.

Get-ClusterNode
setspn -X
Get-WinEvent -LogName 'Microsoft-Windows-Hyper-V-VMMS-Admin' -MaxEvents 60

Step-by-Step Diagnosis

Check AD computer object delegation settings for all hosts.

Get-ADComputer HV01 -Properties msDS-AllowedToDelegateTo
Get-ADComputer HV02 -Properties msDS-AllowedToDelegateTo
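
The per-host check above extended to every source/target pair, as an added example (not part of the original article). It assumes the ActiveDirectory RSAT module, the sample host names HV01/HV02 used on this page, and that both short-name and FQDN entries are expected. The function name is hypothetical.

```powershell
# Added example: audit constrained delegation between Hyper-V hosts.
Import-Module ActiveDirectory

$HvHosts  = 'HV01', 'HV02'   # sample names from this page
$Services = 'cifs', 'Microsoft Virtual System Migration Service'

function Get-MissingMigrationDelegation {
    param(
        [string[]]$AllowedToDelegateTo,  # msDS-AllowedToDelegateTo of the source host
        [string]$TargetShortName,
        [string]$TargetFqdn,
        [string[]]$ServiceClass
    )
    foreach ($svc in $ServiceClass) {
        foreach ($name in $TargetShortName, $TargetFqdn) {
            $spn = "$svc/$name"
            # -notcontains compares strings case-insensitively
            if ($AllowedToDelegateTo -notcontains $spn) { $spn }
        }
    }
}

# Read each computer object once
$computers = @{}
foreach ($h in $HvHosts) {
    $computers[$h] = Get-ADComputer $h -Properties 'msDS-AllowedToDelegateTo', TrustedForDelegation
}

foreach ($source in $HvHosts) {
    $src = $computers[$source]
    if ($src.TrustedForDelegation) {
        Write-Warning "$source is trusted for unconstrained delegation; review whether that is intended."
    }
    foreach ($target in $HvHosts | Where-Object { $_ -ne $source }) {
        $check = @{
            AllowedToDelegateTo = $src.'msDS-AllowedToDelegateTo'
            TargetShortName     = $target
            TargetFqdn          = $computers[$target].DNSHostName
            ServiceClass        = $Services
        }
        $missing = Get-MissingMigrationDelegation @check
        [pscustomobject]@{
            Source     = $source
            Target     = $target
            Status     = if ($missing) { 'MISSING' } else { 'OK' }
            MissingSpn = $missing -join '; '
        }
    }
}
```

A row with Status MISSING names the delegation entries absent from the source host's computer object for that target.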

Solution — Primary Fix

Configure constrained delegation for required services and retry migration.

Set-VMHost -VirtualMachineMigrationAuthenticationType Kerberos
# In AD Users and Computers, on the HV01 computer object, enable constrained delegation for:
# cifs/HV02.contoso.local and Microsoft Virtual System Migration Service/HV02.contoso.local
# Repeat on the HV02 computer object with HV01 as the target.
klist purge

Solution — Alternative Approaches

Use CredSSP temporarily in tightly controlled maintenance windows. CredSSP requires that you sign in to the source host to start the migration.

Set-VMHost -VirtualMachineMigrationAuthenticationType CredSSP
Move-VM -Name APP01 -DestinationHost HV02

Verification & Acceptance Criteria

Live migration should complete without credential prompts or failures.

Move-VM -Name APP01 -DestinationHost HV02
Get-VM -ComputerName HV02 APP01

Rollback Plan

Return to prior authentication mode if delegation changes are blocked.

Set-VMHost -VirtualMachineMigrationAuthenticationType CredSSP

Prevention & Hardening

Standardize host build and delegation template for all cluster nodes.

Get-VMHost -ComputerName HV01,HV02 | Select ComputerName,VirtualMachineMigrationAuthenticationType

Related Errors & Cross-Refs

Related issues: duplicate SPNs and stale DNS host records.

References & Further Reading

Microsoft Learn: Hyper-V live migration authentication and delegation requirements.