After deploying System Center Virtual Machine Manager 2008 R2 (SCVMM) and configuring the Self-Service Portal, users report the following error:
The Virtual Machine Manager server could not validate user DOMAIN\username. Contact your Virtual Machine Manager administrator to verify that there is a two-way trust relationship between the user domain and the domain of the Virtual Machine Manager server.
Upon checking the security logs on your domain controllers, you notice that the account that is currently running the Virtual Machine Manager service is generating audit failures:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 9/04/2010 4:41:12 PM
Event ID: 4769
Task Category: Kerberos Service Ticket Operations
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC.domain.local
Description:
A Kerberos service ticket was requested.
Account Information:
Account Domain: DOMAIN.LOCAL
Logon GUID: {00000000-0000-0000-0000-000000000000}
Service Information:
Service Name: krbtgt/DOMAIN.LOCAL
Service ID: NULL SID
Network Information:
Client Address: ::ffff:192.168.1.50
Client Port: 52860
Additional Information:
Ticket Options: 0x60810010
Ticket Encryption Type: 0xffffffff
Failure Code: 0xe
Transited Services: -
This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.
This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.
To fix this, add the account that runs the Virtual Machine Manager service (VMM_SERVICE_ACC) to the built-in Pre-Windows 2000 Compatible Access group in Active Directory.
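One way to script the check and the fix above, as an added example that is not part of the original post. It assumes the ActiveDirectory PowerShell module is available, that VMM_SERVICE_ACC is the service account's sAMAccountName, and that DC.domain.local is the domain controller to query; `$ApplyFix` is a hypothetical switch introduced here.

```powershell
# Added example. Placeholder values; adjust to your environment.
Import-Module ActiveDirectory

$ServiceAccount   = 'VMM_SERVICE_ACC'   # placeholder for the VMM service account (sAMAccountName)
$GroupName        = 'Pre-Windows 2000 Compatible Access'
$DomainController = 'DC.domain.local'   # DC name as it appears in the event above
$ApplyFix         = $false              # hypothetical switch: $true changes group membership

# 1. Collect Event ID 4769 audit failures with failure code 0xe for the service account.
#    0xe is KDC_ERR_ETYPE_NOSUPP in RFC 4120.
$filter = @{
    LogName   = 'Security'
    Id        = 4769
    Keywords  = 4503599627370496        # 0x10000000000000 = Audit Failure
    StartTime = (Get-Date).AddDays(-1)
}
$failures = @(
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the EventData name/value pairs of the event XML into a hashtable.
            $fields = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
            New-Object PSObject -Property @{
                Time        = $_.TimeCreated
                Account     = $fields['TargetUserName']
                Service     = $fields['ServiceName']
                Client      = $fields['IpAddress']
                FailureCode = $fields['Status']
            }
        } |
        Where-Object { $_.Account -like "$ServiceAccount*" -and $_.FailureCode -eq '0xe' }
)
"{0} matching audit failure(s) in the last 24 hours" -f $failures.Count
$failures | Sort-Object Time | Format-Table Time, Account, Service, Client, FailureCode -AutoSize

# 2. Check direct membership (nested membership is not evaluated here), then apply the fix.
$user    = Get-ADUser -Identity $ServiceAccount -Properties MemberOf
$groupDn = (Get-ADGroup -Identity $GroupName).DistinguishedName

if ($user.MemberOf -contains $groupDn) {
    "$ServiceAccount is already a member of '$GroupName'."
} elseif ($ApplyFix) {
    Add-ADGroupMember -Identity $groupDn -Members $user
    "$ServiceAccount added to '$GroupName'."
} else {
    "$ServiceAccount is NOT a member of '$GroupName'. Set `$ApplyFix = `$true to add it."
}
```

By default, Pre-Windows 2000 Compatible Access is granted read access to user and group objects in the domain, so record the membership change alongside the service account's other privileges. Running step 1 again after the change shows whether the audit failures have stopped.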