htsupport
asked on
Hyper-V / "Could not initialize machine remoting system" "Could not find a suitable certificate"
Hello, looking for some assistance on an error we are receiving on an Windows Server 2008 R2 Hyper-V installation. This is a full server installation, not a core install. We have one VM and it will not start, the error is "Could not initialize machine remoting system. Error: Element not found (0x80070490)" It is then following by the error "Could not find a usable certificate. Error Element not found (0x80070490)", See the attached screenshot for the full error.
So far I have done quite a bit of troubleshooting that has included:
1. Restarting the Hyper-V services.
2. Restarting the server.
3. Creating a new VM that will not start. This tells me it is a Hyper-V issue and not particular to the VM that won't start.
4. Removed all local FQDN certificates from all certificate stores.
5. Imported the local FQDN self generated certificate into the Hyper-V vhdsvc\Personal certificate store.
6. Uninstalled the Hyper-V role, rebooted and re-installed the Hyper-V role and rebooted.
The only information I can find on this error says the certificate is supposed to be generated once the hyper-v services start but that doesn't fix the issue.
Any help would be appreciated.
HyperVError.png
So far I have done quite a bit of troubleshooting that has included:
1. Restarting the Hyper-V services.
2. Restarting the server.
3. Creating a new VM that will not start. This tells me it is a Hyper-V issue and not particular to the VM that won't start.
4. Removed all local FQDN certificates from all certificate stores.
5. Imported the local FQDN self generated certificate into the Hyper-V vhdsvc\Personal certificate store.
6. Uninstalled the Hyper-V role, rebooted and re-installed the Hyper-V role and rebooted.
The only information I can find on this error says the certificate is supposed to be generated once the hyper-v services start but that doesn't fix the issue.
Any help would be appreciated.
HyperVError.png
ASKER
Unfortunately that hotfix will not apply because this is Server 2008 R2 and not Server 2008.
The additional troubleshooting link references the same Hotfix that will not install. I tried to use the Powershell script they provided but am unable to get it to work. I downloaded the makecert.exe utility and the ps1 script into the same directory, set the execution policy and the script runs but I am getting this error:
"PS C:\Users\Administrator\dow
Host name found: xxxxx (I blanked this out)
Creating a new certificate using makecert.exe
Error: Can't create the key of the subject ('932feaab-8098-41da-a536-
Failed
Unexpected Exception!
At C:\Users\Administrator\dow
Found error. Check if makecert.exe is successful or not"
At line:1 char:15+ .\makecert.ps1 <<<<
System.Management.Automati
The additional troubleshooting link references the same Hotfix that will not install. I tried to use the Powershell script they provided but am unable to get it to work. I downloaded the makecert.exe utility and the ps1 script into the same directory, set the execution policy and the script runs but I am getting this error:
"PS C:\Users\Administrator\dow
Host name found: xxxxx (I blanked this out)
Creating a new certificate using makecert.exe
Error: Can't create the key of the subject ('932feaab-8098-41da-a536-
Failed
Unexpected Exception!
At C:\Users\Administrator\dow
Found error. Check if makecert.exe is successful or not"
At line:1 char:15+ .\makecert.ps1 <<<<
System.Management.Automati
Let me take a quick look at the script and get back to you, also are you running this as administrator ?
ASKER
Yes, running the script as Administrator. Also verified that makecert.exe is in the same directory as the script. Thanks!
ok so run this first, so we can create the cert:
I will look at pulling the parts of the script to make the other pieces work, we just need to figure out why the cert portion failed.
Run the below from an elevated powershell window
$hostname = “$((gwmi win32_computersystem).dnsh
$hostname
Copy and paste the value returned from hostname
and replace hostname in the command below:
makecert -r -pe -n "CN=<hostname>" -sky exchange -ss my -a sha1 -eku 1.3.6.1.5.5.7.3.1 c:\<hostname>.cer
Let me know once this is one.
We will move on to the next step.
I will look at pulling the parts of the script to make the other pieces work, we just need to figure out why the cert portion failed.
Run the below from an elevated powershell window
$hostname = “$((gwmi win32_computersystem).dnsh
$hostname
Copy and paste the value returned from hostname
and replace hostname in the command below:
makecert -r -pe -n "CN=<hostname>" -sky exchange -ss my -a sha1 -eku 1.3.6.1.5.5.7.3.1 c:\<hostname>.cer
Let me know once this is one.
We will move on to the next step.
ASKER
The mystery deepens.
When running that command as administrator I get this error:
"PS C:\users\Administrator\Dow
Error: Can't create the key of the subject ('5cfb52ab-5016-4f64-9362-
Failed"
IIS is also installed for this server and if I go to Server Certificates nothing is listed. I tried to create a self signed certificate in IIS and receive a "keyset does not exist" error. I then looked at the existing self signed certificate using the Certificates mmc and the self signed machine certificate is there but doesn't have a "You have a private key that corresponds to this certificate", I then checked the MachineKeys directory and verified permissions are correct.
I'm now wondering if the reason I'm having the Hyper-V issues is because I don't have a private key corresponding to the self signed certificate. Not sure if this would be related to permissions or something else.
When running that command as administrator I get this error:
"PS C:\users\Administrator\Dow
Error: Can't create the key of the subject ('5cfb52ab-5016-4f64-9362-
Failed"
IIS is also installed for this server and if I go to Server Certificates nothing is listed. I tried to create a self signed certificate in IIS and receive a "keyset does not exist" error. I then looked at the existing self signed certificate using the Certificates mmc and the self signed machine certificate is there but doesn't have a "You have a private key that corresponds to this certificate", I then checked the MachineKeys directory and verified permissions are correct.
I'm now wondering if the reason I'm having the Hyper-V issues is because I don't have a private key corresponding to the self signed certificate. Not sure if this would be related to permissions or something else.
Make sure the account you are using is a member of the LOCAL administrators group.
This seems like an inability to create a key linked to the machine account.
This seems like an inability to create a key linked to the machine account.
ASKER
Yes, I agree. The account I am using is the Domain Admin Administrator account. I also ran everything using the "Run As Administrator" option.
Can you try removing the account from the local administrators group then re-adding and rerunning the makecert command ?
ASKER
Unfortunately this is a single server solution which runs as a domain controller as well so there is no local administrators group.
Ok it would still have a local admin group, please follow the steps below:
compmgmt.msc
expand local users and groups
double click administrators in the left pane
Click Add and add the user you are logged in as.
If your user is already there, remove and re-add and try again.
compmgmt.msc
expand local users and groups
double click administrators in the left pane
Click Add and add the user you are logged in as.
If your user is already there, remove and re-add and try again.
ASKER
Since this computer is a domain controller there is no Local Users and Groups. See the attached screenshot from Computer Management.,
Unfortunately this problem has gotten worse, not better. The self signed certificate for the server does not have a corresponding private key. I used certutil to try and restore the private key but it failed. I was hoping I could generate a new self signed certificate but every tool I try to do that has failed. This includes, MakeCert.exe, SelfSSL.exe, IIS Self Signed certificate wizard and another tool from MIcrosoft called SSL Diag. I don't care about the broken certificate I'd just like to be able to generate a new one
Compmgmt.png
Unfortunately this problem has gotten worse, not better. The self signed certificate for the server does not have a corresponding private key. I used certutil to try and restore the private key but it failed. I was hoping I could generate a new self signed certificate but every tool I try to do that has failed. This includes, MakeCert.exe, SelfSSL.exe, IIS Self Signed certificate wizard and another tool from MIcrosoft called SSL Diag. I don't care about the broken certificate I'd just like to be able to generate a new one
Compmgmt.png
makecert -r -pe -n "CN=computer.domain.local"
Try that and see if it works.
Try that and see if it works.
ASKER
Here's the error I'm getting when running the command. I tried appending a '2' to the computer name just to see if it was a problem with the name for some reason. I also downloaded the latest version of makecert.exe from the Windows SDK.
D:\Program Files\Microsoft SDKs\Windows\v7.1\Bin>make
Error: Can't create the key of the subject ('f3dd8937-604e-4c74-bbfa-
4')
Failed
D:\Program Files\Microsoft SDKs\Windows\v7.1\Bin>make
Error: Can't create the key of the subject ('e03eb56d-a014-4287-9c57-
c')
Failed
D:\Program Files\Microsoft SDKs\Windows\v7.1\Bin>make
Error: Can't create the key of the subject ('f3dd8937-604e-4c74-bbfa-
4')
Failed
D:\Program Files\Microsoft SDKs\Windows\v7.1\Bin>make
Error: Can't create the key of the subject ('e03eb56d-a014-4287-9c57-
c')
Failed
This is the same thing we are experiencing throughout (admin access issues).
The cmd window has to be run as administrator, however you can change the command to create in current user context, or grant your account full permissions on C:\Windows\System32\Micros
Then run the command again.
The cmd window has to be run as administrator, however you can change the command to create in current user context, or grant your account full permissions on C:\Windows\System32\Micros
Then run the command again.
ASKER
Yes, it certainly does seem like permission issues when creating the certificate. I have run the cmd window in the user context (administrator) and also by right clicking and select "Run as administrator". I also checked the MachineKeys directory once more and set permissions to "Include inheritable permissions from this object's parent" and also ran a "replace all child object permissions with inheritable permissions from this object". The security on the MachineKeys directory is: SYSTEM (Full Control), Administrators (Full Control), Users (Read and Execute), Users (Special) and CREATIVE OWNER (Special). The contents of C:\Windows\System32\Micros
I also created a second account, granted it domain admin access and ran the MakeCert command and received the same error.
I also created a second account, granted it domain admin access and ran the MakeCert command and received the same error.
makecert -r -pe -n -sr CurrentUser "CN=computer.domain.local"
See if this works.
See if this works.
ASKER
Here's what i get when running that command:
D:\Program Files\Microsoft SDKs\Windows\v7.1\Bin>make
Error: Too many parameters
Usage: MakeCert [ basic|extended options] [outputCertificateFile]
Basic Options
-sk <keyName> Subject's key container name; To be created if not present
-pe Mark generated private key as exportable
-ss <store> Subject's certificate store name that stores the output
certificate
-sr <location> Subject's certificate store location.
<CurrentUser|LocalMachine>
-# <number> Serial Number from 1 to 2^31-1. Default to be unique
-$ <authority> The signing authority of the certificate
<individual|commercial>
-n <X509name> Certificate subject X500 name (eg: CN=Fred Dews)
-? Return a list of basic options
-! Return a list of extended options
D:\Program Files\Microsoft SDKs\Windows\v7.1\Bin>make
Error: Too many parameters
Usage: MakeCert [ basic|extended options] [outputCertificateFile]
Basic Options
-sk <keyName> Subject's key container name; To be created if not present
-pe Mark generated private key as exportable
-ss <store> Subject's certificate store name that stores the output
certificate
-sr <location> Subject's certificate store location.
<CurrentUser|LocalMachine>
-# <number> Serial Number from 1 to 2^31-1. Default to be unique
-$ <authority> The signing authority of the certificate
<individual|commercial>
-n <X509name> Certificate subject X500 name (eg: CN=Fred Dews)
-? Return a list of basic options
-! Return a list of extended options
sorry flag in the wrong place:
makecert -r -pe -sr CurrentUser -n "CN=computer.domain.local"
makecert -r -pe -sr CurrentUser -n "CN=computer.domain.local"
ASKER
To update this, we have Microsoft PSS working on the certificate issue. For the last couple days they have been attempting to use the makecert command to generate a new certificate. They are having issues getting the command to run.
Did you ever make any progress on this with Microsoft ?
I would really love to know what they came back with.
I would really love to know what they came back with.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Solution was to purchase a new server and migrate the VM to it.
http://support.microsoft.com/kb/971264
The error is specific to "Element not found"
It seems it is complaining the certificate is not found/present.
Some additional troubleshooting:
http://cloudtidings.com/2010/11/19/how-to-fix-the-unspecified-error-0x80004005-could-not-find-a-usable-certificate-windows-2008r2/