Configuring Certificates for Virtual Machine Connection

Applies To: Windows Server 2008, Windows Server 2008 R2

Tip

These procedures are intended for advanced users; required steps include editing the registry. You should perform these steps only if the default behavior of Hyper-V does not meet the needs or policies of your environment.

One of the security issues that Hyper-V was designed to address is the “man in the middle” (MITM) attack against the connection to a virtual machine's console. Hyper-V defends against it with server authentication based on trusted certificates. When you use the Virtual Machine Connection tool or a custom application that uses the Remote Desktop Protocol (RDP) ActiveX controls, Hyper-V uses a single-port listener that presents a trusted certificate to authenticate the server to the client. (This does not apply when you use the Remote Desktop Connection client, because that client does not use the single-port listener.) As explained later in this topic, under certain circumstances Hyper-V generates a self-signed certificate and uses it for server authentication; a self-signed certificate proves the server's identity only to clients that already trust that particular certificate. As an alternative, you can configure Hyper-V to use a different certificate, such as one issued by a certification authority (CA) that your clients already trust.

Tip

In a MITM attack, a malicious party positions itself between two communicating parties, intercepts their traffic, and relays it, possibly after reading or altering it, without either party's knowledge. Authenticating the server with a certificate the client trusts lets the client detect an impostor before it sends anything sensitive, such as credentials typed into the console.

Certificate requirements and selection

Hyper-V Virtual Machine Management Service (VMMS) requires that a certificate meet all of the following criteria to be considered a valid certificate. The certificate must have:

  • A valid certificate chain that ends at a root certificate the computer trusts (so the certificate must also be within its validity period and not revoked)

  • A “Subject Name” (common name) that matches the fully qualified domain name (FQDN) of the computer

  • A purpose (enhanced key usage) of “Server Authentication”

  • A private key file that grants ‘read’ access to the Virtual Machines group security identifier (SID), S-1-5-83-0

When VMMS starts, Hyper-V searches for an existing, valid certificate to prepare for future connection requests. If one is not found, Hyper-V generates a self-signed certificate in the VMMS certificate store. A certificate counts as valid only if it meets all four criteria above; a certificate that fails any one of them is skipped and the search continues. The search for a certificate occurs as follows:

  1. First, Hyper-V reads the AuthCertificateHash value under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Virtualization, which holds the thumbprint of a certificate, and uses it to try to locate a matching certificate.

  2. If the value is not set or no matching, valid certificate is found, Hyper-V checks the certificate store of the computer (the Personal store of the computer account).

  3. If no valid certificate is found in the certificate store of the computer, Hyper-V checks the certificate store of the VMMS service account (shown in the Certificates snap-in as Hyper-V Virtual Machine Management Service).

  4. If the VMMS certificate store does not contain a certificate that is valid for use with Hyper-V, VMMS generates a self-signed certificate in its service certificate store, unless self-signed certificate generation has been disabled as described in the procedure below.
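The following script is an added example, not code from the original article or a Hyper-V cmdlet: it evaluates each certificate in the computer's Personal store against the four criteria above and then walks the first two stops of the search order to show which certificate VMMS would pick. It assumes PowerShell 2.0 or later running as an administrator on the Hyper-V host, and that the private key is an RSA (CSP) key stored under MachineKeys, as the procedure below also assumes. The VMMS service store (search step 3) is not exposed through the cert: drive, so the search here ends after the computer store. The function names are this example's own.

```powershell
# Added example (not part of the original article): evaluates a certificate
# against the four VMMS criteria and walks the first two stops of the search
# order. Assumptions: PowerShell 2.0 or later, run as an administrator on the
# Hyper-V host; the certificate's private key is an RSA (CSP) key under
# MachineKeys. Function names are this example's own, not Hyper-V cmdlets.
$VmGroupSid        = 'S-1-5-83-0'          # NT VIRTUAL MACHINE\Virtual Machines
$ServerAuthOid     = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$VirtualizationKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

function Get-PrivateKeyFile {
    # Path of the CSP key container file behind the certificate (same folder the article uses).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return $null }
    $name = $Cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    return Join-Path $env:ALLUSERSPROFILE "Microsoft\Crypto\RSA\MachineKeys\$name"
}

function Test-HyperVAuthCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $fqdn = [System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName()).HostName
    $r = New-Object PSObject -Property @{
        Thumbprint  = $Cert.Thumbprint
        Subject     = $Cert.Subject
        ChainValid  = $Cert.Verify()   # chain to a trusted root; false if expired, revoked or untrusted
        SubjectOk   = ($Cert.GetNameInfo('SimpleName', $false) -ieq $fqdn)
        ServerAuth  = $false
        KeyReadable = $false
        IsValid     = $false
    }
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $ServerAuthOid) { $r.ServerAuth = $true }
            }
        }
    }
    $file = Get-PrivateKeyFile $Cert
    if ($file -and (Test-Path $file)) {
        $read = [System.Security.AccessControl.FileSystemRights]::Read
        # Ask for SID-typed identities so the comparison does not depend on name translation.
        $rules = (Get-Acl $file).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            if ($rule.IdentityReference.Value -eq $VmGroupSid -and
                $rule.AccessControlType -eq 'Allow' -and
                (($rule.FileSystemRights -band $read) -eq $read)) { $r.KeyReadable = $true }
        }
    }
    $r.IsValid = $r.ChainValid -and $r.SubjectOk -and $r.ServerAuth -and $r.KeyReadable
    return $r
}

function Find-HyperVAuthCertificate {
    # Search step 1: a thumbprint pinned in AuthCertificateHash (REG_BINARY, so re-encode it as hex).
    $pinned = (Get-ItemProperty -Path $VirtualizationKey -Name AuthCertificateHash -ErrorAction SilentlyContinue).AuthCertificateHash
    if ($pinned) {
        $thumb = ($pinned | ForEach-Object { $_.ToString('X2') }) -join ''
        foreach ($c in Get-ChildItem Cert:\LocalMachine\My) {
            if ($c.Thumbprint -eq $thumb -and (Test-HyperVAuthCertificate $c).IsValid) { return $c }
        }
        Write-Warning "AuthCertificateHash points at $thumb but no valid certificate with that thumbprint was found"
    }
    # Search step 2: any valid certificate in the computer's Personal store.
    foreach ($c in Get-ChildItem Cert:\LocalMachine\My) {
        if ((Test-HyperVAuthCertificate $c).IsValid) { return $c }
    }
    Write-Warning 'No valid certificate in the computer store; VMMS will look in its own service store and, unless disabled, generate a self-signed certificate'
}

# Report every certificate in the computer's Personal store, then show which one VMMS would pick.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-HyperVAuthCertificate $_ } |
    Format-Table Thumbprint, ChainValid, SubjectOk, ServerAuth, KeyReadable, IsValid -AutoSize
Find-HyperVAuthCertificate | Format-List Thumbprint, Subject, NotAfter
```

The per-criterion columns are the useful part: a certificate that looks fine in the MMC but shows KeyReadable as False is the usual reason VMMS ignores a CA-issued certificate and mints a self-signed one instead.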

Deploying a certificate issued by a CA

If you do not want to use a self-signed certificate, you can obtain a certificate issued by a certification authority (CA) and then deploy that certificate to use with Hyper-V. The following steps assume that you have obtained a certificate from a CA and stored it in the certificate store of the computer account of the server running Hyper-V.

To deploy a certificate issued by a CA

  1. Prevent Hyper-V from generating a self-signed certificate by adding a registry value. With this value set, VMMS will not fall back to a self-signed certificate if the deployed certificate later fails validation (for example, after it expires); the failure becomes visible instead of being papered over.

    1. Open Windows PowerShell as an administrator.

    2. Run the following command:

      reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Virtualization" /v "DisableSelfSignedCertificateGeneration" /f /t REG_QWORD /d 1

Warning

Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

  2. Check the VMMS certificate store for a self-signed certificate and delete it if it exists.

    1. Open the Certificates snap-in for the VMMS service account.

      1. Open Microsoft Management Console. Click Start, click Run, type mmc, and then click OK.

      2. Under the File menu, click Add/Remove Snap-in.

      3. Under Available snap-ins, click Certificates, and then click Add.

      4. Click Service account, and then click Next.

      5. Click Local computer, and then click Next.

      6. In the Service account list, select Hyper-V Virtual Machine Management, and then click Finish.

    2. In the navigation pane, expand Certificates. Expand vmms\Personal and then click the Certificates folder.

    3. In the details pane (center pane), right-click the self-signed certificate and click Delete.

    4. Expand vmms\Trusted Root Certification Authorities and click Certificates. Find the copy of the certificate that you deleted in the previous step and delete it from this folder as well, so that the old self-signed certificate is no longer trusted on the host.

    5. Close the Certificates snap-in.

  3. Find the thumbprint value of the new certificate that you want to deploy.

    1. Open the Certificates snap-in again, this time for the certificate store of the computer. Select Computer account, and then complete the wizard to load the certificate store.

    2. In the Details pane, double-click the certificate and then click the Details tab.

    3. Select Thumbprint. If it does not appear in the list, set Show to <All>.

    4. In the text box below the list, copy the hexadecimal value. Remove the spaces between the byte pairs; the commands below compare the value against the Thumbprint property of the certificate, which contains no spaces.

    5. Paste the string into a text file for use later in this procedure.

  4. Open or switch back to Windows PowerShell.

  5. Find the private key file of the certificate.

    1. Copy the following string and replace thumbprint_value with the string value you copied in the previous step.

      $certs = dir cert:\ -Recurse | ? { $_.Thumbprint -eq "thumbprint_value" }

    2. Run the command.

    3. Run the following command to obtain a certificate object:

      $cert = @($certs)[0]

      If the same certificate is also present in a user store, the first match may be a copy without the private key. Confirm that $cert.PSParentPath refers to LocalMachine\My and that $cert.HasPrivateKey is True before continuing.

    4. Run the following command to obtain the private key file name of the certificate:

      $location = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName

  6. Run the following commands in the order shown to modify the access control list (ACL) so that the Virtual Machines group security identifier (S-1-5-83-0) has read access. Text in quotes in the following commands represents literal values, not placeholder text, and should be included as shown in the command strings.

    $folderlocation = gc env:ALLUSERSPROFILE

    $folderlocation = $folderlocation + "\Microsoft\Crypto\RSA\MachineKeys\"

    $filelocation = $folderlocation + $location

    icacls $filelocation /grant "*S-1-5-83-0:(R)"

  7. Verify that the Virtual Machines group has read access to the private key of the certificate.

    1. Switch back to the Certificates snap-in to view the certificate store of the computer account.

    2. In the Details pane, right-click the certificate, click All Tasks, and then click Manage Private Keys.

    3. Under Group or user names, select Virtual Machines.

    4. Under Permissions for Virtual Machines, verify that Read is set to Allow.

  8. Run the following commands to set the registry value to the hash (thumbprint) of the certificate. reg add converts the hexadecimal string into the REG_BINARY value that Hyper-V expects:

    $thumbprint = $cert.Thumbprint

    reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Virtualization" /v "AuthCertificateHash" /f /t REG_BINARY /d $thumbprint

  9. If the version of Hyper-V is earlier than the one included in Windows Server 2008 R2, perform the following steps so that VMMS picks up the new certificate:

    1. Run the following commands:

      net stop vmms

      net start vmms

    2. Switch to or open Hyper-V Manager. Save the state of each running virtual machine and then restore each one.
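The following script is an added example, not code from the original article: it performs the deployment procedure above as one run and checks its own work at each point where the manual steps rely on the operator looking at a dialog. It assumes PowerShell 2.0 or later running as an administrator on the Hyper-V host, that the CA-issued certificate is already in the Personal store of the computer account with an RSA (CSP) private key under MachineKeys, and that DisableSelfSignedCertificateGeneration and AuthCertificateHash are the registry values used in the procedure. Save it as a .ps1 file and run it with -Thumbprint followed by the thumbprint of your certificate (spaces copied from the Details tab are tolerated); add -RestartVmms on the original Windows Server 2008 release.

```powershell
# Added example (not part of the original article): the deployment procedure
# as one self-checking script. Assumptions: PowerShell 2.0 or later, run as an
# administrator on the Hyper-V host; the CA-issued certificate is already in
# Cert:\LocalMachine\My with an RSA (CSP) private key under MachineKeys.
param(
    [Parameter(Mandatory = $true)][string]$Thumbprint,
    [switch]$RestartVmms   # only needed on Hyper-V releases earlier than Windows Server 2008 R2
)
$VmGroupSid        = 'S-1-5-83-0'   # NT VIRTUAL MACHINE\Virtual Machines
$VirtualizationKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

# The Details tab shows the thumbprint with spaces between byte pairs; normalise it first.
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($Thumbprint.Length -ne 40) { throw "Expected a 40-digit SHA-1 thumbprint, got '$Thumbprint'" }

# Stop VMMS from falling back to a self-signed certificate (QWORD value, as in the article).
if (-not (Test-Path $VirtualizationKey)) { New-Item -Path $VirtualizationKey -Force | Out-Null }
New-ItemProperty -Path $VirtualizationKey -Name DisableSelfSignedCertificateGeneration `
    -PropertyType QWord -Value 1 -Force | Out-Null

# Locate the certificate in the computer account's store only, so a key-less copy in a
# user store cannot be picked up by mistake, then find its private key file.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)               { throw "No certificate with thumbprint $Thumbprint in Cert:\LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key on this host" }
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile = Join-Path $env:ALLUSERSPROFILE "Microsoft\Crypto\RSA\MachineKeys\$keyName"
if (-not (Test-Path $keyFile)) { throw "Private key file not found: $keyFile" }

# Grant the Virtual Machines group read access, exactly as the article's icacls command does.
icacls $keyFile /grant "*${VmGroupSid}:(R)" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Verify the ACL rather than trusting the grant; SID-typed identities avoid name translation.
$read = [System.Security.AccessControl.FileSystemRights]::Read
$ok = $false
foreach ($rule in (Get-Acl $keyFile).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
    if ($rule.IdentityReference.Value -eq $VmGroupSid -and $rule.AccessControlType -eq 'Allow' -and
        (($rule.FileSystemRights -band $read) -eq $read)) { $ok = $true }
}
if (-not $ok) { throw "Virtual Machines group ($VmGroupSid) still lacks read access to $keyFile" }

# Pin the thumbprint as REG_BINARY: the raw bytes of the hex string, which is what reg add writes.
$bytes = New-Object byte[] 20
for ($i = 0; $i -lt 20; $i++) { $bytes[$i] = [Convert]::ToByte($Thumbprint.Substring(2 * $i, 2), 16) }
New-ItemProperty -Path $VirtualizationKey -Name AuthCertificateHash -PropertyType Binary -Value $bytes -Force | Out-Null

# Read it back and compare, so a mistyped thumbprint cannot go unnoticed.
$stored    = (Get-ItemProperty -Path $VirtualizationKey -Name AuthCertificateHash).AuthCertificateHash
$storedHex = ($stored | ForEach-Object { $_.ToString('X2') }) -join ''
if ($storedHex -ne $Thumbprint) { throw "AuthCertificateHash read back as $storedHex, expected $Thumbprint" }
Write-Host "Hyper-V will authenticate with $($cert.Subject) ($Thumbprint), valid until $($cert.NotAfter)"

# On pre-R2 Hyper-V, VMMS must be restarted; afterwards save and restore each running VM.
if ($RestartVmms) { Restart-Service vmms }
```

The script throws rather than continuing on every check that the manual procedure leaves to the operator's eye, which matters here because the failure mode is silent: with the ACL or thumbprint wrong, VMMS simply treats the certificate as invalid and moves on to the next stop in its search order.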