How to fix the ‘Unspecified error’ (0x80004005) : Could not find a usable certificate. Windows 2008/R2

Hi

Thanks to Dan Boldo (MSFT) and Ben Armstrong (MS Virtualisation PM), here is an explanation of the error and the fix.

Notes:

  • This error only affects VMConnect and does not affect remote desktop connections.
  • Although this error may occur, the Hyper-V service will continue to operate. Neither the Hyper-V host nor the running virtual machines will go offline.
  • The Microsoft Virtualization Team also confirmed that this issue affects Windows 2008 R2 Hyper-V.
  • For configuring certificates for Virtual Machine Connection, please read http://technet.microsoft.com/en-us/library/ff935311(WS.10).aspx

The Error

 
Hyper-V Manager

[Main Instruction]
An error occurred while attempting to change the state of virtual machine ‘VMxxx’.

[Content]
‘VMxxx’ failed to initialize.

Could not initialize machine remoting system. Error: ‘Unspecified error’ (0x80004005).

Could not find a usable certificate. Error: ‘Unspecified error’ (0x80004005).

[Expanded Information]
‘VMxxx’ failed to initialize. (Virtual machine XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX )

‘VMxxx’ could not initialize machine remoting system. Error: ‘Unspecified error'(0x80004005).(Virtual machine XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX )

‘VMxxx’ could not find a usable certificate. Error: ‘Unspecified error’ (0x80004005). (Virtual machine XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX )

The Explanation

This error occurs when the certificate has expired: users cannot connect to or start a VM, and VMMS raises an error. Trying to connect again generates the same message because the certificate is still in an expired state.

The Solutions

Initial one

For Windows 2008, Microsoft introduced a fix (http://support.microsoft.com/kb/KB967902) which auto-generated a new certificate and had VMMS pick it up.

The idea was to have certificates that lasted for one year and then auto-renewed.

However, this fix led to another issue: “After a new Hyper-V VMMS certificate is generated, there are mouse and screen resolution issues when managing a virtual machine using the Hyper-V Manager Console”, described in this KB: http://support.microsoft.com/kb/2413735

  • When the self-signed certificate expires after one year, VMMS grabs a new one, but the certificate refresh process is flawed.
  • During the refresh, the user loses control of their mouse and their connection resolution drops back to default.

This problem occurs because the certificate refresh triggers a reset in the VMConnect RDPEncoder. The reset initializes a method which puts the mouse in PS2 mode and changes the display settings to RdpEncoderDefaultxxx.

Workaround for this second issue:

  • Place the virtual machines in a saved state and then resume the virtual machines.
  • Restart the virtual machines.

This is easy when the VM is not in a production environment, as it takes care of the refresh of the input and display, and the problem goes away, for a year.
 
 
Proactive Workaround

What if, instead of one year, the new certificate lasted for decades?

1. Using the MakeCert utility, the script below generates a new, self-signed certificate valid until 01/01/2050.
2. You then need to point the VMMS to the new certificate: http://technet.microsoft.com/en-us/library/ff935311(WS.10).aspx
Important Notes : 

 

The Script :

#######################################################################
# Dan Boldo (MSFT)
#

#
# Define exception behavior: print the error position and the call stack, then exit.
trap
{
  trap { continue }
  write-host -ForegroundColor Red "Unexpected Exception!`n`r"
  write-host -ForegroundColor White ($_.invocationinfo.positionmessage -replace "`n")
  0..100 | foreach { write-host -ForegroundColor White   ((gv -ErrorAction SilentlyContinue -scope $_ myinvocation).value.positionmessage -replace "`n") }
  write-host -ForegroundColor Red "$($_.Exception)"
  exit 1
}
# Build the host's FQDN; it is used as the certificate subject (CN).
$hostname = "$((gwmi win32_computersystem).dnshostname).$((gwmi win32_computersystem).domain)"
write-host "Host name found:" $hostname
# Create a self-signed server authentication certificate (EKU 1.3.6.1.5.5.7.3.1)
# in LocalMachine\My, valid from 01/01/2005 to 01/01/2050.
# makecert.exe must be in the current directory.
function CreateCert()
{
    write-host "Creating a new certificate using makecert.exe"
    .\makecert.exe -r -pe -n "CN=$hostname" -b 01/01/2005 -e 01/01/2050 -sr LocalMachine -ss My -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1
}
# Return the first certificate for this host that expires after 01/01/2049, or $null.
function FindCert()
{
    $t = new-object System.DateTime(2049,1,1,1,10,10)
    $certs = @(dir cert:\LocalMachine\My -recurse | ?{$_.subject -eq "CN=$hostname"} | ? { $_.NotAfter.CompareTo($t) -eq 1 })
    if($certs[0] -eq $null)
    {
        return $null;
    }
    if($certs.Length -ne 1)
    {
        write-warning "More than one certificate is found in store. Please don't run makecert.exe multiple times."
    }
    $certs[0];
}

# Find the certificate of interest; create it if it does not exist yet.
$cert = FindCert
if($cert -eq $null)
{
    CreateCert
    $cert = FindCert;
    if($cert -eq $null)
    {
        throw "Certificate Not Found error. Check if makecert.exe is successful or not"
    }
}
write-host "Found certificate of interest:"
# write-host emits nothing to the pipeline, so format the certificate directly.
$cert | select NotBefore, NotAfter | fl

# Tweak system settings to let VMMS use the certificate of interest.
$thumbprint = $cert.Thumbprint
$location = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$folderlocation = gc env:ALLUSERSPROFILE
$folderlocation = $folderlocation + "\Microsoft\Crypto\RSA\MachineKeys\"
$filelocation = $folderlocation + $location
# Grant S-1-5-83-0 read access to the private key file.
icacls $filelocation /grant "*S-1-5-83-0:(R)"
# Store the certificate thumbprint in the AuthCertificateHash registry value.
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Virtualization" /v "AuthCertificateHash" /f /t REG_BINARY /d $thumbprint

# Fix loopback case: add the self-signed certificate to the LocalMachine Root store.
$store = new-object System.Security.Cryptography.X509Certificates.X509Store("Root","LocalMachine")
$store.open("MaxAllowed")
$store.add($cert)
$store.close()

# Restart VMMS
net stop vmms
net start vmms

# Wait for job completion
function WaitForResult($ret)
{
  if($ret.ReturnValue -eq 0) { return; }
  if($ret.ReturnValue -ne 4096)
  {
    Throw "Error was returned from WMI call: $($ret.ReturnValue)";
  }
  $timeout = 300; # 5 minute timeout
  while($true)
  {
    $job = [wmi]$ret.job
    if($job.JobState -eq 7) { return; }
    if($job.JobState -gt 7) { throw "Error while processing WMI job! $($job | fl * | out-string)" }

    if($timeout -le 0) { throw "Timeout while processing WMI job! $($job | fl * | out-string)" }

    $timeout -= 5;
    Sleep 5
  }
}

# Get all VMs in Running state.
$vms = gwmi -n root\virtualization msvm_computersystem
$vms = $vms | where {$_.Name -ne $env:computername}
$vms = $vms | where {$_.EnabledState -eq 2}

# Save/Restore for all running VMs
foreach($vm in $vms)
{
    if($vm -ne $null)
    {
        Write-Host "Doing Save/Restore for VM:" $vm.ElementName
        WaitForResult  $vm.RequestStateChange(32769)
        WaitForResult  $vm.RequestStateChange(2)
    }
}

####################################################
# end of the script
##
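
To check what the script above leaves behind on a host, here is a read-only audit, added as an example and not part of Dan Boldo's script or any Microsoft tool. It reads the AuthCertificateHash value, locates that certificate in LocalMachine\My and reports its expiry, EKU, signature algorithm, whether S-1-5-83-0 can read the private key, and whether the certificate was added to the Root store. The function name Get-VmmsCertStatus and the 30-day warning window are assumptions.

```powershell
# Added example: read-only audit of the certificate VMMS has been pointed at.
$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'
$vmSid   = 'S-1-5-83-0'          # SID granted read access by the script above
$ekuOid  = '1.3.6.1.5.5.7.3.1'   # value passed to makecert -eku by the script above

# Hypothetical function name; the 30-day default is an assumption.
function Get-VmmsCertStatus([int]$WarnDays = 30) {
    $hash = (Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).AuthCertificateHash
    if ($hash -eq $null) {
        Write-Warning 'AuthCertificateHash is not set: no certificate has been pinned for VMMS.'
        return
    }
    # REG_BINARY comes back as byte[]; rebuild the hex thumbprint.
    $thumb = ($hash | ForEach-Object { $_.ToString('X2') }) -join ''
    $cert  = Get-Item "Cert:\LocalMachine\My\$thumb" -ErrorAction SilentlyContinue
    if ($cert -eq $null) {
        Write-Warning "Registry points at $thumb, but it is not in LocalMachine\My."
        return
    }

    # Collect the EKU OIDs present on the certificate.
    $ekus = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })

    # Does the private key file carry an Allow entry for the virtual machine SID?
    $vmCanRead = $false
    if ($cert.HasPrivateKey) {
        $keyFile = Join-Path $env:ALLUSERSPROFILE ('Microsoft\Crypto\RSA\MachineKeys\' +
            $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName)
        $rules = (Get-Acl $keyFile).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        $vmCanRead = @($rules | Where-Object {
            $_.IdentityReference.Value -eq $vmSid -and $_.AccessControlType -eq 'Allow' }).Count -gt 0
    }

    $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    New-Object PSObject -Property @{
        Thumbprint         = $thumb
        NotAfter           = $cert.NotAfter
        DaysLeft           = $daysLeft
        ExpiringSoon       = ($daysLeft -le $WarnDays)
        ServerAuthEku      = ($ekus -contains $ekuOid)
        SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
        VmSidCanReadKey    = $vmCanRead
        InTrustedRoot      = (Test-Path "Cert:\LocalMachine\Root\$thumb")
    }
}

Get-VmmsCertStatus | Format-List
```

Run it from an elevated PowerShell prompt on the Hyper-V host; it changes nothing. InTrustedRoot returning True means the self-signed certificate is trusted machine-wide, which is worth recording in the host's certificate inventory.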
 
  1. Fashan
    December 21, 2010 at 16:24

    Hi,
    We are on Windows 2008 R2 with Hyper-V enabled. Currently I’m running one virtual machine on this host and I connect to the host server via RDP from my machine. A few days back I noticed a warning in the console of the host machine stating that “The certificate used for server authentication will expire within 30 days. Remote access to virtual machines will not be possible after the certificate expires” (Event ID 12510). I would appreciate your help on this.
    Thanks,

    • December 21, 2010 at 20:41

      Hi
      Have you tried my solution?

      • Fashan
        December 21, 2010 at 22:29

        The Microsoft hotfix is not for Windows 2008 R2, or should I try the script that you had mentioned?

      • December 23, 2010 at 08:24

        Hi
        Yes, please try the steps I mentioned.

  2. February 4, 2011 at 12:07

    Hi

    Have you tried these steps? I got these steps after talking with the MS Virtualisation guys.

  3. August 26, 2011 at 21:16

    Hi

    I am getting the BSOD shown below while attempting to start a VHD on Hyper-V. It was working perfectly fine a couple of days ago, but now it shows this same BSOD every time I try to start it. The VHD is Server 2003 R2 and the host machine is Server 2008 R2. There are 3 other VMs running fine on the same Hyper-V Manager except this one.

    “A problem has been detected and windows has been shut down to prevent damage to your computer.

    If this is the first time you’ve seen this Stop error screen, restart your computer. If this screen appears again, follow these steps: Check for viruses on your computer. Remove any newly installed hard drive or hard drive controllers. Check your hard drive to make sure it is properly configured and terminated. Run CHKDSK /F to check for hard drive corruption, and then restart your computer.

    Technical information:
    STOP: 0x0000007B (0xF789EA94,0xC0000034,0x00000000,0x00000000)”

    Its VHD is already set with an IDE controller. There are 3 network adaptors connected to all VMs. I am open to trying anything to solve this issue. Therefore, please help me with any idea you may have to get this VM running.

    Regards

    manibest
