"A connection will not be made because credentials may not be sent to the remote computer" when I use the Virtual Machine Connection tool to connect to a virtual machine on a Windows Server 2008 Hyper-V-based computer
This article provides help to fix an error that you receive when you try to use Vmconnect.exe to connect to a virtual machine.
Applies to: Windows Server 2012 R2
Original KB number: 954357
Error message description
When you use the Virtual Machine Connection tool (Vmconnect.exe) to connect to a virtual machine on a Windows Server 2008 Hyper-V-based computer, you may receive the following error message:
A connection will not be made because credentials may not be sent to the remote computer. For assistance, contact your system administrator.
Would you like to try connecting again?
Cause
This error occurs if the Credential Security Service Provider (CredSSP) policy on the Windows Server 2008 Hyper-V-based computer is not enabled to authenticate user credentials from a remote location.
Resolution
You can configure CredSSP policy at the time of the Hyper-V role Setup to enable authentication of credentials from a remote user. However, if any of the registry entries that are described in the "Configure the registry" section are not present, the error that is described in the "Symptoms" section will occur. To configure remote user authentication, use one of the following methods.
Method 1: Configure the registry
Important
This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
If the CredSSP policy is not set up correctly, you can manually create the policy. To do this, create the following registry entry under several registry subkeys:
Name: Hyper-V
Value type: String Value
Value data: Microsoft Virtual Console Service/*
This registry entry must be created under the following registry subkeys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowDefaultCredentialsHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowDefaultCredentialsDomainHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowFreshCredentialsHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowFreshCredentialsDomainHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowFreshCredentialsWhenNTLMOnlyHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowFreshCredentialsWhenNTLMOnlyDomainHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowSavedCredentialsHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowSavedCredentialsDomainHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowSavedCredentialsWhenNTLMOnly
The "How to create the registry entry" section describes how to create the registry entry under the first registry subkey in the list. You must repeat these steps for the remaining registry subkeys.
How to create the registry entry
Follow these steps, and then quit Registry Editor:
Click Start, click Run, type regedit, and then click OK.
Locate and then click the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowDefaultCredentialsOn the Edit menu, point to New, and then click String Value.
Type Hyper-V, and then press ENTER.
On the Edit menu, click Modify.
Type Microsoft Virtual Console Service/*, and then click OK.
Method 2: Use Group Policy settings
To enable authentication of remote credentials, you can use the Gpedit tool to configure Group Policy settings on the Windows Server 2008 Hyper-V-based computer. To do this, follow these steps:
Start Gpedit.msc.
Expand Computer Configuration, and then expand Administrative Templates.
Expand System, and then click Credentials Delegation.
In the Details pane, double-click Allow Delegating Default Credentials.
Note
If you are using NTLM authentication, use the Allow Default Credentials with NTLM-only Server Authentication entry.
Click Enabled, and then click to select the Concatenate OS defaults with inputs above check box.
Click Show, and then verify that the computer of the remote user is included in the list. If it is necessary, click Add, and then include the computer of the remote user. You can also use wildcard characters. For example, to select all computers, add the following wildcard character: *.
Click OK two times.
Close Group Policy.
Important
This method differs from the method that is described in the "Configure the registry entry" section. The Group Policy configuration will use any Service Principal Name (SPN) from any computer to enable authentication of remote credentials. The method that is described in the "Configure the registry entry" section will enable only authentication of the Microsoft Virtual Console Service.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for