"Access Denied" when clicking on Updates in the portal WAC

Question

"Access Denied" when clicking on Updates in the portal WAC

GabeCz 26

I cannot run WAC/updates on the portal i get
"Couldn't query readiness for Cluster-Aware Updates

Error: RemoteException: Could not open cluster "MYCLUSTER.domain.local": (Win32Exception) Access is denied"

Copilot keeps on saying it is becuase multi-hop is disabled which indeed is but after setting everything it suggests i still get the same error when running

Invoke-Command -ComputerName NODENAME -Credential domain\lcmuserdev -Authentication Credssp -ScriptBlock { hostname }

i get

[NODENAME] Connecting to remote server NODENAME failed with the following error message : The WinRM client

cannot process the request. A computer policy does not allow the delegation of the user credentials to the target

computer. Use gpedit.msc and look at the following policy: Computer Configuration -> Administrative Templates ->

System -> Credentials Delegation -> Allow Delegating Fresh Credentials. Verify that it is enabled and configured with

an SPN appropriate for the target computer. For example, for a target computer name "myserver.domain.com", the SPN can

be one of the following: WSMAN/myserver.domain.com or WSMAN/*.domain.com. For more information, see the about_Remote_Troubleshooting Help topic.

on all nodes i did set the required settings in the gpo. gpresult -h result.htm proves it is.

i am running out of ideas..

i do not have a group policy that could override this.

2 answers

Your answer

Answer 1

The "Access Denied" error you are encountering when trying to run Cluster-Aware Updates (CAU) in Windows Admin Center (WAC) is likely related to the configuration of credentials delegation and the settings in Group Policy. Here are some steps to troubleshoot and resolve the issue:

Check Credential Delegation Settings: Ensure that the Group Policy settings for credential delegation are correctly configured. You need to enable the policy at Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Delegating Fresh Credentials. Make sure that the SPN is set correctly for the target computer, such as WSMAN/myserver.domain.com or WSMAN/*.domain.com.
Verify Group Policy Application: Use gpresult /h result.htm to generate a report and confirm that the policies are being applied as expected. Look for any conflicting policies that might override your settings.
Enable CredSSP: Since you are using CredSSP for authentication, ensure that it is enabled on both the client and the server. You can run the following commands:
```
   Enable-WSManCredSSP -Role Client -DelegateComputer "*"
   Enable-WSManCredSSP -Role Server
```
Test Remote Connectivity: After making changes, test the remote connectivity again using the Invoke-Command cmdlet. If you still encounter issues, check the WinRM configuration and ensure that it is set up correctly on both the client and the target nodes.
Firewall and Network Configuration: Ensure that there are no firewall rules or network configurations that might be blocking the WinRM traffic.

If you have followed these steps and the issue persists, consider reviewing the logs for any additional error messages that might provide more context about the failure.

References:

Answer 2

GabeCz 26

registry keys set to wsman/*.mydomain.local on both AllowFreshCredentials and AllowFreshCredentialsWhenNTLMOnly, also enabled and set these in gpedit.msc

on all 4 nodes.

still getting the same error.

connecting to the WAC -> update service when clicking on the individual nodes instead of the cluster works just fine.

that tells me that indeed the disabled multi-hop is causing the issue.

which i set up as requested, but still not working.

Ankit Yadav 6,760 Microsoft External Staff Moderator

Hello @GabeCz ,

The fact that individual nodes work but the cluster doesn't points it more towards a cluster SPN delegation problem, not just CredSSP.

The cluster name (MyCluster.domain.local) has different SPNs than individual nodes, and Kerberos Constrained Delegation is required.

Active Directory SPN Configuration: Run this on a domain controller or with Domain Admin rights:

# Check what SPNs are registered for the cluster
Get-ADComputer -Identity "MYCLUSTER$" -Properties ServicePrincipalName | Select-Object -ExpandProperty ServicePrincipalName
# Compare with a working node
Get-ADComputer -Identity "NODENAME$" -Properties ServicePrincipalName | Select-Object -ExpandProperty ServicePrincipalName

You need these SPNs for the cluster:

MSClusterVirtualServer/MYCLUSTER
MSClusterVirtualServer/MYCLUSTER.domain.local
WSMAN/MYCLUSTER
WSMAN/MYCLUSTER.domain.local
HOST/MYCLUSTER
HOST/MYCLUSTER.domain.local

Kerberos Constrained Delegation Setup This is mandatory for cluster operations through WAC:

# On Domain Controller or with Domain Admin
$WACServer = "WAC-SERVER-NAME$"  # Computer account of WAC server
$ClusterName = "MYCLUSTER$"      # Cluster computer account
# Enable constrained delegation for WAC server to the cluster
Set-ADComputer -Identity $WACServer -PrincipalsAllowedToDelegateToAccount $ClusterName
# Or manually in ADUC:
# 1. Open Active Directory Users and Computers
# 2. Find WAC server computer account
# 3. Properties → Delegation → "Trust this computer for delegation to specified services only"
# 4. Add: cifs/MYCLUSTER.domain.local, WSMAN/MYCLUSTER.domain.local, MSClusterVirtualServer/MYCLUSTER.domain.localt

WAC-Specific Cluster Permissions WAC needs explicit cluster admin rights:

# On any cluster node as Cluster Admin
$WACAccount = "domain\WAC-Service-Account"  # Or WAC server computer account
$ClusterName = "MYCLUSTER"
# Grant cluster admin rights
Add-ClusterNode -Name $env:COMPUTERNAME -Cluster $ClusterName
Grant-ClusterAccess -User $WACAccount -Full
# Also add to Local Administrators on each node
Invoke-Command -ComputerName (Get-ClusterNode -Cluster $ClusterName).Name -ScriptBlock {
   net localgroup administrators "domain\WAC-Service-Account" /add
}

Test with Kerberos Instead of CredSSP Since individual nodes work, test the cluster with Kerberos:

# Test Kerberos to cluster
$session = New-PSSession -ComputerName "MYCLUSTER" -Credential domain\lcmuserdev -Authentication Kerberos
Invoke-Command -Session $session -ScriptBlock { Get-Cluster }
Remove-PSSession $session

WAC Server Configuration Fix WAC has its own delegation settings:

# On WAC Server
# Clear WAC cache (critical!)
Remove-Item -Path "$env:ProgramData\Server Management Experience\cache\*" -Recurse -Force
# Reset WAC delegation settings
$regPath = "HKLM:\SOFTWARE\Microsoft\ServerManagementGateway"
Set-ItemProperty -Path $regPath -Name "CredentialDelegation" -Value 1
Set-ItemProperty -Path $regPath -Name "DelegatedComputer" -Value "*.domain.local"
# Restart WAC services
Restart-Service ServerManagementGateway -Force
Restart-Service ServerManagement -Force

DNS and NetBios issue:
Check if cluster name resolves correctly:

# Test all name variations
Test-WSMan -ComputerName "MYCLUSTER"
Test-WSMan -ComputerName "MYCLUSTER.domain.local"
Test-WSMan -ComputerName "MYCLUSTER.domain.local" -Authentication Kerberos
# Check NetBIOS name
nbtstat -a MYCLUSTER

Work-arounds:

Option A: Direct CAU from a Cluster Node

# Log directly to a cluster node and run CAU
Invoke-CauRun -ClusterName "MYCLUSTER" -Force -CauPluginName "Microsoft.HotfixPlugin","Microsoft.WindowsUpdatePlugin" -MaxRetriesPerNode 3

Option B: Configure WAC to Use Node Credentials In WAC settings file:

// Edit: C:\Program Files\Windows Admin Center\Settings\cluster-settings.json
{
 "clusterConnectionMode": "direct",
 "useNodeCredentialsForCluster": true
}

Option C: Use Scheduled Task Workaround

# Create scheduled task on a cluster node that runs updates
$action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-Command `"Invoke-CauRun -ClusterName MYCLUSTER -Force`""
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(5)
Register-ScheduledTask -TaskName "ClusterUpdate" -Action $action -Trigger $trigger -User "SYSTEM"

GabeCz 26 Reputation points

2025-12-09T18:02:26.2633333+00:00
hi and thank you for your detailed answer

i will reply in order:

first running

Get-ADComputer -Identity "MYCLUSTER$" -Properties ServicePrincipalName | Select-Object -ExpandProperty ServicePrincipalName

~~i see that my cluster does not have the required WSMAN lines. which looks like is one of the root causes here.~~

~~who to make the WSMAN lines 'appear' for the cluster?~~

i managed to add WSMAN\MYCLUSTER and WSMAN\MYCLUSTER.domain.local by running

setspn -S WSMAN/MYCLUSTER college\MYCLUSTER$ setspn -S WSMAN/MYCLUSTER.college.local college\MYCLUSTER$

but the issue persists.

i modified the registry on all 4 nodes replacing WSMAN* to WSMAN*.college.local in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials and HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly

rebooted them, but same issue.

about the second script:

$WACServer = "WAC-SERVER-NAME$" # Computer account of WAC server

what is my wac-server-name, as i'm having trouble connecting to wac/updates via the portal, i'm not running a local wac server on my ad. would this be then the cluster, so use MYCLUSTER$ for both $wacserver, and $clustername?

running #3, says that my lcmuserdev user is alrady a member of the local admin group.

i ran #4, it did result which was the question i guess the command could've been hostname instead of get-cluster too am i right? so it did not error out but it sent me the result of get-cluster which is quite long to paste here. (let me know if you need it though)

#5 once again i do not have a wac server per-say. please clarify, thanks

running the 3 wsman commands on my admin computer, i get reply, no error. let me know if you want the actual output, but i suppose it's about getting an error or not.

now running nbtstat -a MYCLUSTER goes through all my NICs on my admin computer and says host not found. same happens on another admin compupter, and running it from a node.

MYCLUSTER pings from everywhere from within the domain/network though.

about the last commands 'workarounds' i don't feel like i want a workaround, i would very much like to have my portal / cluster / wac / updates section to be working instead.

thanks so much for all the input, but please clarify what to use as a "wac-computer-account' as i'm trying to fix the access denied issue while trying to use the portal's wac (after clicking on the node) and its updates menu/function.

thanks

gabe

just an addition, this is a clean install of a test azure local cluster, i have modified exactly nothing. deployed as directed and there is this problem with it, did never ever anyone reported this as a problem? i don't feel i'm doing anything utterly wrong when deploying, it is a really straight forward and easy deployment (takes forever but that's the worst/hardest part of it) does microsoft not know about this issue?

i now used 2511 before i was testing 2510 to test how an actual cumulative update goes.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Share via

"Access Denied" when clicking on Updates in the portal WAC

2 answers

Your answer