How to fix the ‘Unspecified error’ (0x80004005) : Could not find a usable certificate. Windows 2008/R2

Hi

Thanks to Dan Boldo (MSFT) and Ben Armstrong (MS Virtualisation PM), here are an explanation and the fix for the error.

Notes:

  • This error only affects VMConnect and does not affect remote desktop connections.
  • Although this error may occur, the Hyper-V service will continue to operate. Neither the Hyper-V host nor the running virtual machines will go offline.
  • The Microsoft Virtualization Team confirmed that this issue also affects Windows 2008 R2 Hyper-V.
  • For configuring certificates for Virtual Machine Connection, please read http://technet.microsoft.com/en-us/library/ff935311(WS.10).aspx

The Error

 
Hyper-V Manager

[Main Instruction]
An error occurred while attempting to change the state of virtual machine ‘VMxxx’.

[Content]
‘VMxxx’ failed to initialize.

Could not initialize machine remoting system. Error: ‘Unspecified error’ (0x80004005).

Could not find a usable certificate. Error: ‘Unspecified error’ (0x80004005).

[Expanded Information]
‘VMxxx’ failed to initialize. (Virtual machine XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX )

‘VMxxx’ could not initialize machine remoting system. Error: ‘Unspecified error’ (0x80004005). (Virtual machine XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX )

‘VMxxx’ could not find a usable certificate. Error: ‘Unspecified error’ (0x80004005). (Virtual machine XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX )

The Explanation

This error is basically caused by an expired certificate: once the certificate has expired, users cannot connect to or start a VM, and VMMS raises an error. If you try connecting again, you get the same message because the certificate is still in an expired state.

The Solutions

Initial one

For Windows 2008, Microsoft introduced a fix (http://support.microsoft.com/kb/KB967902) which auto-generated a new certificate and sent the VMMS to grab it. 

The idea was to have certificates that lasted for one year and then auto-renew.

But this fix led to another issue: “After a new Hyper-V VMMS certificate is generated, there are mouse and screen resolution issues when managing a virtual machine using the Hyper-V Manager Console”, described in this KB http://support.microsoft.com/kb/2413735 :

  • When the self-signed certificate expires after one year, the VMMS grabs a new one, but the certificate refresh process is flawed.
  • During the refresh the user loses control of their mouse and their connection resolution drops back to default.

This problem occurs because the certificate refresh triggers a reset in the VMConnect RDPEncoder. The reset then initializes a method which puts the mouse in PS2 mode and changes the display settings to RdpEncoderDefaultxxx.

Workaround for this second issue:

  • Place the virtual machines in a saved state and then resume the virtual machines.
  • Restart the virtual machines.

This is easy when the VM is not in a production environment: it takes care of the refresh of the input and display, and the problem goes away, for a year.
 
 
Proactive Workaround
What if, instead of one year, the new certificate lasted for decades?
 
1. Using the MakeCert utility, the script below will generate a new, self-signed certificate valid until 01/01/2050.
2. You then need to point the VMMS to the new certificate: http://technet.microsoft.com/en-us/library/ff935311(WS.10).aspx
Important Notes : 

 

The Script :

#######################################################################
# Dan Boldo (MSFT)
#

#
#define exception behavior
trap
{
  trap { continue }
  write-host -ForegroundColor Red "Unexpected Exception!`n`r"
  write-host -ForegroundColor White ($_.invocationinfo.positionmessage -replace "`n")
  0..100 | foreach { write-host -ForegroundColor White   ((gv -ErrorAction SilentlyContinue -scope $_ myinvocation).value.positionmessage -replace "`n") }
  write-host -ForegroundColor Red "$($_.Exception)"
  exit 1
}

# The certificate subject must be the host's fully qualified name.
$hostname = "$((gwmi win32_computersystem).dnshostname).$((gwmi win32_computersystem).domain)"
write-host "Host name found:" $hostname

# Create a self-signed certificate with an exportable private key in
# LocalMachine\My. makecert.exe must be in the current directory.
# 1.3.6.1.5.5.7.3.1 is the server authentication EKU.
function CreateCert()
{
    write-host "Creating a new certificate using makecert.exe"
    .\makecert.exe -r -pe -n "CN=$hostname" -b 01/01/2005 -e 01/01/2050 -sr LocalMachine -ss My -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1
}

# Return the certificate for this host that expires after 2049, or $null.
function FindCert()
{
    $t = new-object System.DateTime(2049,1,1,1,10,10)
    $certs = @(dir cert:\LocalMachine\My -recurse | ?{$_.subject -eq "CN=$hostname"} | ? { $_.NotAfter.CompareTo($t) -eq 1 })
    if($certs[0] -eq $null)
    {
        return $null;
    }
    if($certs.Length -ne 1)
    {
        write-warning "More than one certificate is found in store. Please don't run makecert.exe multiple times."
    }
    $certs[0];
}

#Find the certificate of interest
$cert = FindCert
if($cert -eq $null)
{
    CreateCert
    $cert = FindCert;
    if($cert -eq $null)
    {
        throw "Certificate Not Found error. Check if makecert.exe is successful or not"
    }
}
write-host "Found certificate of interest:"
# write-host emits nothing to the pipeline, so pipe the certificate itself.
$cert | select NotBefore, NotAfter | Out-Host

#tweak system settings to let VMMS use the certificate of interest.
$thumbprint = $cert.Thumbprint
$location = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$folderlocation = gc env:ALLUSERSPROFILE
$folderlocation = $folderlocation + "\Microsoft\Crypto\RSA\MachineKeys\"
$filelocation = $folderlocation + $location
# Grant read access on the private key file to the Virtual Machines group (S-1-5-83-0).
icacls $filelocation /grant "*S-1-5-83-0:(R)"
# Store the thumbprint as the certificate hash that VMMS should use.
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Virtualization" /v "AuthCertificateHash" /f /t REG_BINARY /d $thumbprint

#fix loopback case.
# Note: this adds the self-signed certificate to the host's Trusted Root store.
$store = new-object System.Security.Cryptography.X509Certificates.X509Store("Root","LocalMachine")
$store.open("MaxAllowed")
$store.add($cert)
$store.close()

#restart vmms
net stop vmms
net start vmms

# Wait for job completion
# ReturnValue 0 = completed, 4096 = job started; JobState 7 = completed.
function WaitForResult($ret)
{
  if($ret.ReturnValue -eq 0) { return; }
  if($ret.ReturnValue -ne 4096)
  {
    Throw "Error was returned from WMI call: $($ret.ReturnValue)";
  }
  $timeout = 300; # 5 minute timeout
  while($true)
  {
    $job = [wmi]$ret.job
    if($job.JobState -eq 7) { return; }
    if($job.JobState -gt 7) { throw "Error while processing WMI job! $($job | fl * | out-string)" }

    if($timeout -le 0) { throw "Timeout while processing WMI job! $($job | fl * | out-string)" }

    $timeout -= 5;
    Sleep 5
  }
}

# get all VMs in Running state.
$vms = gwmi -n root\virtualization msvm_computersystem
$vms = $vms | where {$_.Name -ne $env:computername}
$vms = $vms | where {$_.EnabledState -eq 2}

#Save/Restore for all running VMs
# 32769 = save the VM, 2 = bring it back to the running state.
foreach($vm in $vms)
{
    if($vm -ne $null)
    {
     Write-Host "Doing Save/Restore for VM:" $vm.ElementName
     WaitForResult  $vm.RequestStateChange(32769)
     WaitForResult  $vm.RequestStateChange(2)
    }
}

####################################################
# end of the script
##
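
To confirm what VMMS has been pointed at after the script has run, the following added example (not part of Dan Boldo's script or the original post) reads AuthCertificateHash back from the registry and checks the matching certificate in LocalMachine\My. The function name Test-VmmsCertificate and the 30-day warning threshold are assumptions made for this example.

```powershell
# Added example, not part of the original script.
# Test-VmmsCertificate is a hypothetical helper name; WarnDays = 30 is an assumed threshold.
function Test-VmmsCertificate([int]$WarnDays = 30)
{
    $key  = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Virtualization'
    $prop = Get-ItemProperty -Path $key -Name AuthCertificateHash -ErrorAction SilentlyContinue
    if ($null -eq $prop)
    {
        throw "AuthCertificateHash is not set under $key"
    }

    # REG_BINARY comes back as byte[]; rebuild the hex thumbprint string.
    $thumb = ($prop.AuthCertificateHash | ForEach-Object { $_.ToString('X2') }) -join ''

    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
    if ($null -eq $cert)
    {
        throw "No certificate with thumbprint $thumb in Cert:\LocalMachine\My"
    }

    # Collect the EKU OIDs; the script above requests 1.3.6.1.5.5.7.3.1.
    $ekus = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)

    # One object per check so the result can be logged or alerted on.
    New-Object PSObject -Property @{
        Thumbprint    = $thumb
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        DaysLeft      = $daysLeft
        ExpiringSoon  = ($daysLeft -le $WarnDays)
        HasPrivateKey = $cert.HasPrivateKey
        ServerAuthEku = ($ekus -contains '1.3.6.1.5.5.7.3.1')
        SignatureAlg  = $cert.SignatureAlgorithm.FriendlyName
        InTrustedRoot = (Test-Path "Cert:\LocalMachine\Root\$thumb")
    }
}

Test-VmmsCertificate | Format-List
```

Run it from an elevated PowerShell prompt on the Hyper-V host. SignatureAlg and InTrustedRoot are reported so that the SHA-1 signature and the Trusted Root entry created by the script are visible when the host's certificate stores are reviewed.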
 

About Alessandro Cardoso
Virtualization and Management passionate. Infrastructure products and solutions knowledge with management and hands on experience; Project Leader, with deep knowledge and expertise in a variety of Microsoft Infrastructure technologies in areas such as Virtualization and Management with product skill sets ranging from, Hyper-V, System Center, Windows Server, SQL Server, Active Directory, Exchange, SharePoint, IIS and Forefront; Plus knowledge in Quest Migration Manager, Linux Infrastructure, Networking, Security Solutions (such as VPN, Firewall) and VMware in complex and large scenarios; Strong knowledge of industry-related datacenter processes, strategies, industry regulations and requirements. Selected as Microsoft Brazil IT Hero, in 2007 and Microsoft IT Heroes Happen in Los Angeles, in 2008. Selected as Business Case, further virtualization project for a Governmental Institution. I am also a well known speaker in IT events (e.g. Microsoft TechEd 2007, 2008, 2010 and 2011). MVP since 2009, in Virtual Machine. I have experience developing, planning, organizing, and leading complex initiatives as well business case development skills, acquired in 23 years of experience in IT, working in segments spanning from Government, Health, Education and IT. Well-known speaker in IT events like TechEd, Sage-AU, CNASI. Proven Multitasking skills, presentation skills and analytical skills and problem determination ability; Belief in providing the highest quality of service; Good listener and communicator; Know how to prioritize the work and perform under pressure. Continuously seeking innovative ways to improve productivity and a resourceful problem-solver with focus on customers.
Microsoft Most Valuable Professional : Virtual Machine Certifications : Australia Computer Society Certified Professional, MCITP: Enterprise, MCSE: Security, MCSA, MCT, MCTS:SQL, MCTS:SharePoint, MCTS:Vista, Linux Conectiva Professional, Modulo Certified Security Officer Blogs : http://virtualizationandmanagement.wordpress.com http://virtualizacaoegerenciamento.wordpress.com

7 Responses to How to fix the ‘Unspecified error’ (0x80004005) : Could not find a usable certificate. Windows 2008/R2

  1. Fashan says:

    Hi,
    We are on Windows 2008 R2 with Hyper-V enabled. Currently I’m running one virtual machine in this host and I connect to the host server from RDP through my machine. Few days back I have noticed a warning in the console of the Host machine stating that “The certificate used for server authentication will expire within 30 days. Remote access to virtual machines will not be possible after the certificate expires” (Event ID 12510). I would appreciate your help on this.
    Thanks,

    • Hi
      Have you tried my solution?

      • Fashan says:

        The Microsoft hotfix is not for Windows 2008 R2 or should I try the script that you had mentioned?

      • Hi
        Yes, please you should try the steps I mentioned.

  2. Hi

    Have you tried these steps? I’ve got into these steps after talking with MS Virtualisation guys

  3. Hi

    I am getting a BSOD shown below while attempting to start a vhd on Hyper-V. It was working perfectly fine a couple of days ago but now it has started showing this same BSOD every time I try to start it. The vhd is server2003r2 and host machine is server2008r2. There are 3 other VMs running fine on the same Hyper-V manager except this one.

    “A problem has been detected and windows has been shut down to prevent damage to your computer.

    If this is the first time you’ve seen this Stop error screen, restart your computer. If this screen appears again, follow these steps: Check for viruses on your computer. Remove any newly installed hard drive or hard drive controllers. Check your hard drive to make sure it is properly configured and terminated. Run CHKDSK /F to check for hard drive corruption, and then restart your computer.

    Technical information:
    STOP: 0x0000007B (0xF789EA94,0xC0000034,0x00000000,0x00000000)”

    Its vhd is already set with IDE controller. There are 3 network adaptors connected to all VMs. I am open to try anything to solve this issue. Therefore, please help me with any idea you may have to make this VM running.

    Regards

    manibest
