Hyper-V Live Migration Fails at 80–90% After Security Hardening — Kerberos Constrained Delegation Misconfiguration

Indicators

• Live Migration of VMs between cluster nodes fails at 80–90% completion
• Event ID 21502 in Microsoft-Windows-Hyper-V-High-Availability log: Virtual Machine Migration Service failed to establish authentication
• Event ID 22038 in Microsoft-Windows-Hyper-V-High-Availability log: Virtual Machine Migration Service failed to establish authentication
• Error messages indicate security context negotiation failure or access denied during Live Migration
• Hosts cannot be drained for monthly patching without downing guest workloads

Likely causes

• Stricter default Kerberos constrained delegation requirements introduced by recent platform security hardening updates invalidate previously sufficient delegation configurations on cluster host computer objects
• Host computer objects in Active Directory are missing explicit Constrained Delegation entries for the Microsoft Virtual System Migration Service paths on both source and destination nodes
• Delegation validation mechanics tightened across active cluster schemas prevent the Virtual System Migration Service from authenticating between hosts without explicit SPN delegation

Diagnostic steps

1. Open Event Viewer on the source Hyper-V cluster node. Navigate to Applications and Services Logs > Microsoft > Windows > Hyper-V-High-Availability. Filter for Event ID 21502 and Event ID 22038.
   Confirms Live Migration failure is caused by Kerberos/authentication negotiation failure rather than network, storage, or resource issues.
2. Reproduce a Live Migration attempt and observe the exact percentage at which it fails. Note the exact error text (security context negotiation failure or access denied).
   Validates the failure signature matches this known issue pattern (80–90% completion) and rules out intermittent or unrelated failures.
3. Open Active Directory Users and Computers (ADUC). Locate the computer object for each Hyper-V host node involved. Right-click > Properties > Delegation tab. Check if 'Trust this computer for delegation to specified services only (Kerberos)' is configured and whether the Microsoft Virtual System Migration Service is listed.
   Determines whether Constrained Delegation is present and correctly scoped for the Virtual System Migration Service on both source and destination host computer objects.
4. Cross-reference current delegation configuration: both source and destination host computer objects must have Constrained Delegation explicitly allowing the 'Microsoft Virtual System Migration Service' SPN for the counterpart host. Document any missing entries.
   Pinpoints exactly which host computer objects and SPN entries are absent, providing a clear remediation target.
5. Review recent change records or patch history (Get-HotFix or WSUS/SCCM reports) to identify whether recent platform security hardening updates were applied prior to the onset of Live Migration failures.
   Confirms stricter Kerberos constraint requirements from security hardening are the trigger and scopes whether all cluster nodes or only recently patched ones are affected.

Resolution path

• Open Active Directory Users and Computers (ADUC) with Domain Admin credentials. For each Hyper-V cluster node computer object, navigate to Properties > Delegation tab.
• Select 'Trust this computer for delegation to specified services only' and choose 'Use Kerberos only'. Click 'Add' to add the Microsoft Virtual System Migration Service SPN.
• Specify the counterpart host(s) and select 'Microsoft Virtual System Migration Service' from the available services. Configure this symmetrically — source host must delegate to destination, destination must delegate to source (and to all other cluster nodes participating in Live Migration).
• Apply and save delegation settings on all cluster node computer objects. Wait at least 15 minutes for AD replication or force it using: repadmin /syncall /AdeP
• Flush Kerberos tickets on affected hosts using: klist purge
• Restart the Virtual Machine Migration Service on affected Hyper-V hosts if issues persist after ticket purge.
• Reattempt Live Migration of a test VM between previously failing source and destination nodes. Verify it completes to 100% without error.

Prevention

• Include verification of Constrained Delegation configuration for all Hyper-V cluster node computer objects as a pre-patching checklist item before applying platform security hardening updates, ensuring Microsoft Virtual System Migration Service SPNs are explicitly configured for all node pairs
• After any security hardening update or Active Directory schema change affecting cluster nodes, perform a test Live Migration between all node pairs as part of post-change validation before returning the cluster to production use
• Maintain documented baseline Active Directory delegation configurations for all Hyper-V cluster computer objects so deviations introduced by hardening updates can be rapidly detected and corrected

Tools

• Active Directory Users and Computers (ADUC) — configure Constrained Delegation on host computer objects
• Event Viewer (Microsoft-Windows-Hyper-V-High-Availability log) — identify Event ID 21502 and 22038
• Failover Cluster Manager — initiate and monitor Live Migration
• klist (built-in Windows CLI) — purge Kerberos tickets to force re-authentication after delegation changes
• repadmin (built-in Windows CLI) — force AD replication to propagate delegation changes

References

• Source: Hyper-V VM Live Migration Failures Post-Security Hardening (Triage Batch)