Resolving certificate name mismatches when managing a Hyper-V host in VMM
This blog post comes courtesy of Todd Logan, a colleague at Microsoft.
Use the following steps to resolve a name mismatch error when viewing the remote desktop connection of a VM on a Hyper-V host through VMM (using the Virtual Machine Viewer application). The VMM server in this case is running as a virtual machine.
When you execute the "Connect to virtual machine" action from the VMM Administrator Console, you will get the following error: "The remote computer could not be authenticated due to problems with its security certificate. It may be unsafe to proceed." In this case, the error pop-up shows the name mismatch parameters. For example:
Requested remote computer: 192.168.1.250
Name in the certificate from the remote computer: democomputer.redmond.contoso.corp.com
How to troubleshoot and fix this issue:
- Use the Internal NIC for all virtual machines, including the Virtual Machine Management server.
- Add the FQDN of the Hyper-V server to the local hosts file on the VMM server (located at C:\Windows\System32\Drivers\etc\hosts). You'll need to change the folder options to view the extensions for known file types. An example entry looks like this: 192.168.1.250 democomputer.redmond.contoso.corp.com
- When adding the host into Virtual Machine Manager, make sure you use the FQDN (democomputer.redmond.contoso.corp.com) and clear the option for the host to be in a trusted domain (use the non-trusted domain authentication).
- Finish the rest of the steps to add the host.
- It will take a few minutes to populate all the virtual machines that are running on the Hyper-V host. Once populated, select a VM and connect to it. You'll be prompted with an error warning. Click the View certificate button and install the certificate: choose to manually decide where to place the certificate, then click the Browse button and install it to the Trusted Root Certification Authorities store. Close the dialog box.
- From your VMM server click Start, then Run, and type MMC. From the menu bar select File, then select Add/Remove Snap-in. Select Certificates and then select Add for User. Repeat this process and add Certificates for the local computer.
- Next, copy your democomputer.redmond.contoso.corp.com certificate from the user Trusted Root store to the following three places. Right-click the certificate, select Copy, and then paste into:
a. Certificates - Current User -> Personal -> Certificates
b. Computer (Local Computer) -> Personal -> Certificates
c. Computer (Local Computer) -> Trusted Root Certification Authorities
- Go back to the VMM console and attempt to connect to the VM. You'll probably be prompted for your credentials. Enter your valid domain credentials, for example contoso\anotheradmin, and select the option to remember your credentials.
- At this point you should now be able to connect to a virtual machine without any errors.
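
To confirm the result of the steps above on the VMM server, the following PowerShell (an added example, not part of the original post) checks the hosts entry and that the same certificate is present in each store used above. The function name and the optional `-ExpectedThumbprint` parameter (a thumbprint read on the Hyper-V host itself) are assumptions; the FQDN and IP address are the post's example values.

```powershell
# Added example: verifies the outcome of the steps above on the VMM server.
# Test-VmmHostCertSetup is a hypothetical name; defaults are the post's sample values.
function Test-VmmHostCertSetup {
    param(
        [string]$Fqdn = 'democomputer.redmond.contoso.corp.com',
        [string]$Ip   = '192.168.1.250',
        # Optional: thumbprint read on the Hyper-V host itself (out of band).
        [string]$ExpectedThumbprint
    )

    # 1. The hosts file must map the FQDN to the host's IP (comments ignored).
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $mapped = $false
    foreach ($line in Get-Content -Path $hostsPath) {
        $fields = @(($line -replace '#.*$', '').Trim() -split '\s+' | Where-Object { $_ })
        if ($fields.Count -ge 2 -and $fields[0] -eq $Ip -and
            ($fields[1..($fields.Count - 1)] -contains $Fqdn)) { $mapped = $true }
    }
    [pscustomobject]@{ Check = "hosts: $Ip -> $Fqdn"; Ok = $mapped; Detail = $hostsPath }

    # 2. The certificate named for the FQDN must be in each store used in the steps.
    $stores = 'Cert:\CurrentUser\Root', 'Cert:\CurrentUser\My',
              'Cert:\LocalMachine\My',  'Cert:\LocalMachine\Root'
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $seen = @()
    foreach ($store in $stores) {
        $certs = @(Get-ChildItem -Path $store |
            Where-Object { $_.GetNameInfo($nameType, $false) -eq $Fqdn })
        $seen += $certs.Thumbprint
        [pscustomobject]@{
            Check  = "cert in $store"
            Ok     = ($certs.Count -gt 0)
            Detail = ($certs | ForEach-Object { "$($_.Thumbprint) expires $($_.NotAfter)" }) -join '; '
        }
    }

    # 3. All copies should be one certificate, matching the host's thumbprint if given.
    $unique = @($seen | Where-Object { $_ } | Sort-Object -Unique)
    $ok = ($unique.Count -eq 1)
    if ($ok -and $ExpectedThumbprint) {
        $ok = ($unique[0] -eq ($ExpectedThumbprint -replace '\s', ''))
    }
    [pscustomobject]@{ Check = 'single matching thumbprint'; Ok = $ok; Detail = $unique -join ', ' }
}

Test-VmmHostCertSetup | Format-Table -AutoSize -Wrap
```

A certificate placed in Trusted Root Certification Authorities is trusted for any name it signs, so comparing the thumbprint against the one shown on the Hyper-V host before relying on it is the useful check here.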