Solved

Hyper-V / "Could not initialize machine remoting system" "Could not find a suitable certificate"

Posted on 2014-07-14
Last Modified: 2014-11-12
Hello, looking for some assistance on an error we are receiving on a Windows Server 2008 R2 Hyper-V installation.  This is a full server installation, not a core install.  We have one VM and it will not start; the error is "Could not initialize machine remoting system. Error: Element not found (0x80070490)".  It is then followed by the error "Could not find a usable certificate.  Error Element not found (0x80070490)".  See the attached screenshot for the full error.

So far I have done quite a bit of troubleshooting that has included:
1. Restarting the Hyper-V services.
2. Restarting the server.
3. Creating a new VM that will not start.  This tells me it is a Hyper-V issue and not particular to the VM that won't start.
4. Removed all local FQDN certificates from all certificate stores.
5. Imported the local FQDN self generated certificate into the Hyper-V vhdsvc\Personal certificate store.
6. Uninstalled the Hyper-V role, rebooted and re-installed the Hyper-V role and rebooted.

The only information I can find on this error says the certificate is supposed to be generated once the hyper-v services start but that doesn't fix the issue.  

Any help would be appreciated.
HyperVError.png
0
Question by:htsupport
23 Comments
 
LVL 29

Expert Comment

by:becraig
ID: 40195496
Here is a microsoft KB dealing with this issue:
http://support.microsoft.com/kb/971264


The error is specific to "Element not found"
It seems it is complaining the certificate is not found/present.


Some additional troubleshooting:
http://cloudtidings.com/2010/11/19/how-to-fix-the-unspecified-error-0x80004005-could-not-find-a-usable-certificate-windows-2008r2/
0
 
LVL 1

Author Comment

by:htsupport
ID: 40195686
Unfortunately that hotfix will not apply because this is Server 2008 R2 and not Server 2008.

The additional troubleshooting link references the same Hotfix that will not install.  I tried to use the Powershell script they provided but am unable to get it to work.  I downloaded the makecert.exe utility and the ps1 script into the same directory, set the execution policy and the script runs but I am getting this error:

"PS C:\Users\Administrator\downloads\makecert_5_131_3790_0> .\makecert.ps1
Host name found: xxxxx (I blanked this out)
Creating a new certificate using makecert.exe
Error: Can't create the key of the subject ('932feaab-8098-41da-a536-2f4eb078b4d3')
Failed
Unexpected Exception!

At C:\Users\Administrator\downloads\makecert_5_131_3790_0\makecert.ps1:44 char:14+         throw <<<<  "Certificate Not
Found error. Check if makecert.exe is successful or not"

At line:1 char:15+ .\makecert.ps1 <<<<

System.Management.Automation.RuntimeException: Certificate Not Found error. Check if makecert.exe is successful or not
0
 
LVL 29

Expert Comment

by:becraig
ID: 40195711
Let me take a quick look at the script and get back to you. Also, are you running this as administrator?
0
 
LVL 1

Author Comment

by:htsupport
ID: 40195718
Yes, running the script as Administrator.  Also verified that makecert.exe is in the same directory as the script.  Thanks!
0
 
LVL 29

Expert Comment

by:becraig
ID: 40195737
OK, so run this first, so we can create the cert:

I will look at pulling the parts of the script to make the other pieces work, we just need to figure out why the cert portion failed.

Run the below from an elevated PowerShell window:
$hostname = "$((gwmi win32_computersystem).dnshostname).$((gwmi win32_computersystem).domain)"
$hostname

Copy and paste the value returned from hostname

and replace hostname in the command below:
makecert -r -pe -n "CN=<hostname>" -sky exchange -ss my  -a sha1 -eku 1.3.6.1.5.5.7.3.1 c:\<hostname>.cer

Let me know once this is done.

We will move on to the next step.
0
 
LVL 1

Author Comment

by:htsupport
ID: 40195776
The mystery deepens.  

When running that command as administrator I get this error:
"PS C:\users\Administrator\Downloads\makecert_5_131_3790_0> .\makecert.exe -r -pe -n "CN=imsserver.aacpc.local" -sky exchange -ss my  -a sha1 -eku 1.3.6.1.5.5.7.3.1 c:\imsserver.aacpc.local.cer
Error: Can't create the key of the subject ('5cfb52ab-5016-4f64-9362-e95642006c70')
Failed"

IIS is also installed for this server and if I go to Server Certificates nothing is listed.  I tried to create a self signed certificate in IIS and receive a "keyset does not exist" error.  I then looked at the existing self signed certificate using the Certificates mmc and the self signed machine certificate is there but doesn't have a "You have a private key that corresponds to this certificate".  I then checked the MachineKeys directory and verified permissions are correct.

I'm now wondering if the reason I'm having the Hyper-V issues is because I don't have a private key corresponding to the self signed certificate.  Not sure if this would be related to permissions or something else.
0
 
LVL 29

Expert Comment

by:becraig
ID: 40195784
Make sure the account you are using is a member of the LOCAL administrators group.

This seems like an inability to create a key linked to the machine account.
0
 
LVL 1

Author Comment

by:htsupport
ID: 40195873
Yes, I agree.  The account I am using is the Domain Admin Administrator account.  I also ran everything using the "Run As Administrator" option.
0
 
LVL 29

Expert Comment

by:becraig
ID: 40195876
Can you try removing the account from the local administrators group, then re-adding it and rerunning the makecert command?
0
 
LVL 1

Author Comment

by:htsupport
ID: 40196172
Unfortunately this is a single server solution which runs as a domain controller as well so there is no local administrators group.
0
 
LVL 29

Expert Comment

by:becraig
ID: 40196207
Ok it would still have a local admin group, please follow the steps below:
compmgmt.msc
expand local users and groups
double click administrators in the left pane
Click Add and add the user you are logged in as.

If your user is already there, remove and re-add and try again.
0
 
LVL 1

Author Comment

by:htsupport
ID: 40198017
Since this computer is a domain controller there is no Local Users and Groups.  See the attached screenshot from Computer Management.

Unfortunately this problem has gotten worse, not better.  The self signed certificate for the server does not have a corresponding private key.  I used certutil to try and restore the private key but it failed.  I was hoping I could generate a new self signed certificate but every tool I try to do that has failed.  This includes MakeCert.exe, SelfSSL.exe, IIS Self Signed certificate wizard and another tool from Microsoft called SSL Diag.  I don't care about the broken certificate; I'd just like to be able to generate a new one.
Compmgmt.png
0
 
LVL 29

Expert Comment

by:becraig
ID: 40198059
makecert -r -pe -n "CN=computer.domain.local" -sky exchange -ss my  c:\certificate.cer

Try that and see if it works.
0
 
LVL 1

Author Comment

by:htsupport
ID: 40198073
Here's the error I'm getting when running the command.  I tried appending a '2' to the computer name just to see if it was a problem with the name for some reason. I also downloaded the latest version of makecert.exe from the Windows SDK.

D:\Program Files\Microsoft SDKs\Windows\v7.1\Bin>makecert -r -pe -n "CN=server.company.local" -sky exchange -ss my  c:\certificate.cer
Error: Can't create the key of the subject ('f3dd8937-604e-4c74-bbfa-6340486d32e
4')
Failed

D:\Program Files\Microsoft SDKs\Windows\v7.1\Bin>makecert -r -pe -n "CN=server2.company.local" -sky exchange -ss my  c:\certificate.cer
Error: Can't create the key of the subject ('e03eb56d-a014-4287-9c57-9cd62e372b7
c')
Failed
0
 
LVL 29

Expert Comment

by:becraig
ID: 40198106
This is the same thing we are experiencing throughout (admin access issues).

The cmd window has to be run as administrator, however you can change the command to create in current user context, or grant your account full permissions on C:\Windows\System32\Microsoft\Crypto\RSA and C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys


Then run the command again.
0
 
LVL 1

Author Comment

by:htsupport
ID: 40198150
Yes, it certainly does seem like permission issues when creating the certificate.  I have run the cmd window in the user context (administrator) and also by right-clicking and selecting "Run as administrator".  I also checked the MachineKeys directory once more and set permissions to "Include inheritable permissions from this object's parent" and also ran a "replace all child object permissions with inheritable permissions from this object".  The security on the MachineKeys directory is: SYSTEM (Full Control), Administrators (Full Control), Users (Read and Execute), Users (Special) and CREATOR OWNER (Special).  The contents of C:\Windows\System32\Microsoft\Crypto\RSA are empty.  And the contents of C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys has 15 files.

I also created a second account, granted it domain admin access and ran the MakeCert command and received the same error.
0
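A diagnostic for the symptoms described in the posts above (a machine certificate with no usable private key, and key creation failing in the machine key store), as an added example that is not part of the thread or from either poster. The function names are hypothetical; it assumes an elevated PowerShell 2.0 or later session and CSP (not CNG) keys.

```powershell
# Added diagnostic, not from the thread. Uses only built-in .NET types.

# 1. List machine certificates and whether each private key can actually be opened.
function Test-MachineCertKeys {
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        $status = 'no private key associated'
        if ($cert.HasPrivateKey) {
            try {
                # Fails (e.g. "Keyset does not exist") when the certificate points
                # at a key container that is missing or unreadable.
                $null = $cert.PrivateKey
                $status = 'private key opens'
            } catch {
                $status = 'key open failed: ' + $_.Exception.GetBaseException().Message
            }
        }
        New-Object PSObject -Property @{
            Subject = $cert.Subject; Thumbprint = $cert.Thumbprint; KeyStatus = $status
        }
    }
}

# 2. Create and delete a throwaway RSA key in the machine key store, without makecert.
function Test-MachineKeyCreation {
    $csp = New-Object System.Security.Cryptography.CspParameters
    $csp.KeyContainerName = 'diag-' + [guid]::NewGuid().ToString()   # constructed name
    $csp.Flags = [System.Security.Cryptography.CspProviderFlags]::UseMachineKeyStore
    try {
        $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048, $csp
        $null = $rsa.ToXmlString($false)   # make sure the key pair really exists
        $rsa.PersistKeyInCsp = $false      # Clear() then deletes the test container
        $rsa.Clear()
        'machine key container created and removed'
    } catch {
        'machine key creation failed: ' + $_.Exception.GetBaseException().Message
    }
}

# 3. Show the effective ACL on the MachineKeys directory named in the thread.
function Get-MachineKeysAcl {
    $dir = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys'
    (Get-Acl $dir).Access | Select-Object IdentityReference, FileSystemRights, AccessControlType
}

Test-MachineCertKeys | Format-Table -AutoSize
Test-MachineKeyCreation
Get-MachineKeysAcl | Format-Table -AutoSize
```

If `Test-MachineKeyCreation` fails as well, the fault lies with the machine key store on the host rather than with makecert or its arguments.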
 
LVL 29

Expert Comment

by:becraig
ID: 40198180
makecert -r -pe -n -sr CurrentUser "CN=computer.domain.local" -sky exchange -ss my  c:\certificate.cer


See if this works.
0
 
LVL 1

Author Comment

by:htsupport
ID: 40198184
Here's what i get when running that command:

D:\Program Files\Microsoft SDKs\Windows\v7.1\Bin>makecert -r -pe -n -sr CurrentUser "CN=server.domain.local" -sky exchange -ss my  c:\certificate.cer
Error: Too many parameters
Usage: MakeCert [ basic|extended options] [outputCertificateFile]
Basic Options
 -sk  <keyName>      Subject's key container name; To be created if not present
 -pe                 Mark generated private key as exportable
 -ss  <store>        Subject's certificate store name that stores the output
                     certificate
 -sr  <location>     Subject's certificate store location.
                        <CurrentUser|LocalMachine>.  Default to 'CurrentUser'
 -#   <number>       Serial Number from 1 to 2^31-1.  Default to be unique
 -$   <authority>    The signing authority of the certificate
                        <individual|commercial>
 -n   <X509name>     Certificate subject X500 name (eg: CN=Fred Dews)
 -?                  Return a list of basic options
 -!                  Return a list of extended options
0
 
LVL 29

Expert Comment

by:becraig
ID: 40198203
Sorry, flag in the wrong place:
makecert -r -pe -sr CurrentUser -n "CN=computer.domain.local" -sky exchange -ss my  c:\certificate.cer
0
 
LVL 1

Author Comment

by:htsupport
ID: 40229963
To update this, we have Microsoft PSS working on the certificate issue.  For the last couple days they have been attempting to use the makecert command to generate a new certificate.  They are having issues getting the command to run.
0
 
LVL 29

Expert Comment

by:becraig
ID: 40293203
Did you ever make any progress on this with Microsoft?

I would really love to know what they came back with.
0
 
LVL 1

Accepted Solution

by:
htsupport earned 0 total points
ID: 40293454
Unfortunately not.  Microsoft worked on this issue for about 2 weeks and did many of the same things we had already tried and that you had suggested.  This included using makecert to create a certificate on the local machine and then trying to import an existing certificate that they created on a separate machine.  They also tried various other troubleshooting steps and attempted to recreate the issue in their lab environment.  The last thing they wanted us to try was to do a repair of the OS.  We decided to purchase a new server and move over the VMs to it instead of doing the repair due to the risk involved with running a repair on the OS.  This server had a VM running on it but the host OS that had the Hyper-V role installed also has several programs directly installed including a medical EMR application.  Thanks for your help in trying to resolve the issue though.
0
 
LVL 1

Author Closing Comment

by:htsupport
ID: 40300572
Solution was to purchase a new server and migrate the VM to it.
0
