Part 2 - Hyper-V Remote Management: You do not have the required permission to complete this task. Contact the administrator of the authorization policy for the computer ‘COMPUTERNAME’

Update 14th Nov 2008. I've just released a script which does all this configuration in one or two command lines: HVRemote 

Quick links to all the parts in the series: 1, 2, 3, 4 and 5 

The second part of the extra-long blog post contains the steps necessary on the client machine. Part one concentrated on the server side configuration.

Step 5 (On the client)

Step 5 mirrors step 2 in the first part of this blog post, but on the client. Note also (again for convenience more than anything else), my Vista SP1 machine is actually itself a virtual machine running on the same physical machine as the server. You’ve got to love it when you can have a somewhat recursive technology ;)
 
Enable the firewall rules on the client for WMI (Windows Management Instrumentation). From an elevated command prompt, enter the following:

netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes

Make sure the command is successful and responds: Updated 8 rules(s). Ok.

If you now open “Windows Firewall with Advanced Security” from Control Panel/Administrative Tools on the start menu, you will notice that eight rules, six inbound and two outbound, have been enabled. (It helps to sort by Group.)

Step 6 (On the client)

This step creates a firewall exception for the Microsoft Management Console application (mmc.exe). From an elevated command prompt, enter the following:

Netsh firewall add allowedprogram program=%windir%\system32\mmc.exe name="Microsoft Management Console"

Make sure the command is successful and responds “Ok.”

You can verify that you succeeded in the above step by looking in the “other” Windows Firewall application. (No, I have no idea why there are two either….). Open "Network and Sharing Center" on the control panel, and click Windows firewall in the bottom left corner, then click "Allow a program through Windows Firewall" where you’ll see a new entry with the name “Microsoft Management Console”

Step 7 (On the client)

IMPORTANT!!!! You need to do this step in the following scenarios:

  • Client and server are both in a workgroup
  • Client is in a workgroup and server is in a domain
  • Client is in a domain and server is in a workgroup
  • Both client and server are in domains, but there is NO TRUST between them.

You DO NOT NEED TO DO THIS STEP if the client and server are in either the same or trusted domains. Go to step 8.

WMI makes calls back from the server to the client. This is entirely expected (and is not Hyper-V specific). When a server is in a workgroup, the DCOM connection from the server back to the client is "anonymous". This step therefore grants ANONYMOUS LOGON the DCOM Remote Access permission on the client, so that those calls back are accepted.

On the start menu box (yes, well spotted, I need to apply updates), type dcomcnfg and hit enter to open Component Services. If UAC is enabled, click allow when prompted or enter appropriate administrative credentials.

Expand the tree down through Component Services\Computers\My Computer, select My Computer, right-click, choose properties and select the COM Security tab.

Click Edit Limits in the Access Permissions area (do not confuse with Edit Limits in the Launch and Activation Permissions area). Select “ANONYMOUS LOGON” from the list of users, and make sure Remote Access/Allow is checked in the permissions area. Your screen should look like below.

Click OK and OK again, and close Component Services.
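
The change made in Step 7 can be confirmed, or audited later, without opening Component Services by reading the access limits from the registry. The following is an added example, not part of the original walkthrough or of the HVRemote script; it assumes PowerShell 2.0 or later on the client and that the limits are not overridden by Group Policy, and the function name Get-DcomAccessLimit is made up for illustration.

```powershell
# Added example: list the DCOM machine-wide access limits that Step 7 edits
# and report whether ANONYMOUS LOGON is allowed Remote Access.

$COM_RIGHTS_EXECUTE_LOCAL  = 0x2      # "Local Access" in the dcomcnfg dialog
$COM_RIGHTS_EXECUTE_REMOTE = 0x4      # "Remote Access" in the dcomcnfg dialog
$AnonymousLogonSid         = 'S-1-5-7' # well-known SID for ANONYMOUS LOGON

function Get-DcomAccessLimit {   # hypothetical helper name
    # "Edit Limits" under Access Permissions is stored as a binary
    # security descriptor in this registry value.
    $key = 'HKLM:\SOFTWARE\Microsoft\Ole'
    $raw = (Get-ItemProperty -Path $key -ErrorAction Stop).MachineAccessRestriction
    if ($null -eq $raw) {
        Write-Warning 'MachineAccessRestriction is not set; system defaults apply.'
        return
    }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor `
              -ArgumentList ([byte[]]$raw), 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        New-Object PSObject -Property @{
            Sid    = $ace.SecurityIdentifier.Value
            Type   = $ace.AceType   # AccessAllowed or AccessDenied
            Local  = [bool]($ace.AccessMask -band $COM_RIGHTS_EXECUTE_LOCAL)
            Remote = [bool]($ace.AccessMask -band $COM_RIGHTS_EXECUTE_REMOTE)
        }
    }
}

$aces = @(Get-DcomAccessLimit)
$aces | Format-Table Sid, Type, Local, Remote -AutoSize

# Only an explicit allow entry with the remote bit counts here; a deny
# entry for the same SID would show up in the table above.
$anon = $aces | Where-Object {
    $_.Sid -eq $AnonymousLogonSid -and $_.Type -eq 'AccessAllowed' -and $_.Remote
}
if ($anon) {
    'ANONYMOUS LOGON has Remote Access in the DCOM access limits (Step 7 applied).'
} else {
    'ANONYMOUS LOGON does not have Remote Access in the DCOM access limits.'
}
```

Running it before and after Step 7 shows the Remote column for S-1-5-7 change, which also makes it easy to spot machines where this permission is still granted after remote management is no longer needed.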

Step 8 (Away from the keyboard)

Take a deep breath and pat yourself on the back. Now do that again. A third time if you like. Then double-check to make sure you followed the above steps and those in part one to the letter. You did remember the step about restarting the server, didn't you?

Step 9 (On the client)

Log on to the client as the account you have granted permissions to (“john” in my walkthrough).

Start Hyper-V Manager from Administrative Tools on the Control Panel. Enter appropriate administrative credentials if UAC is enabled and the account is not an administrator on the client.

Click Connect to Server and enter the name of the remote machine.

Watch in awe as you get a screen like below. You can also see, it took me 2 hours, 24 minutes and 19 seconds to do this walk-through documenting it step-by-step. It should take you much less time!

Cheers,
John.
