Various Encryption-Related Errors, Causes, and Resolutions in MED-V v1

In previous blog posts, we discussed the importance of keeping encryption key pairs consistent across MED-V policy servers, as well as proactive maintenance and backups of workspace keys. The following are some further problems that can result from failing to properly decrypt the MED-V image used by the workspace.

ERROR: Key’s crypto-hash doesn’t match the .enc file!

Symptom: User gets the following error when attempting to start a MED-V workspace:

Workspace ‘Workspace name’ failed to start. Please try starting the Workspace again.

Details: Encountered an unexpected error. Internal error: Key’s crypto-hash doesn’t match the .enc file!

Cause

This error can happen if the MED-V client changes servers after the image was deployed, and the new server has the same workspace and image configured for the same user. This is what happens when multiple servers are deployed in a domain but use different public key pairs for encryption. Essentially, you have the same workspace policy and image but a different key.

Resolution

To prevent this from happening, ensure your workspace keys and key pair files are kept in sync manually across the multiple servers. Please refer to this article for assistance:

https://blogs.technet.com/b/medv/archive/2010/03/02/the-importance-of-the-med-v-xml-configuration-files.aspx.

If this has already happened, one of the servers will have to be reinstalled and overwritten with the correct keypair.xml file. It is important to remember that only the images encrypted using that key pair will be valid.

ERROR: The key may be corrupted or was created by a different server.

Symptom:

User gets the following error when attempting to start a MED-V workspace:

The image encryption key is invalid.

Details: The encryption key for image ‘image name’ is not valid. The key may be corrupted or was created by a different server.

Cause:

This error can happen if the MED-V client changes servers before initial authentication and the image was deployed but was encrypted on a different server (or a server with a different key pair). This is what happens when multiple servers are deployed in a domain but use different public key pairs for encryption. Essentially, you have the same workspace policy and image but a different key. This can happen in the same environment as the “Key’s crypto-hash doesn’t match the .enc file” error, except that this error occurs before the image has been downloaded and used at least once.

Resolution

To prevent this from happening, ensure your workspace keys and key pair files are kept in sync manually across the multiple servers. Please refer to this article for assistance:

https://blogs.technet.com/b/medv/archive/2010/03/02/the-importance-of-the-med-v-xml-configuration-files.aspx.

If this has already happened, one of the servers will have to be reinstalled and overwritten with the correct keypair.xml file. It is important to remember that only the images encrypted using that key pair will be valid.

ERROR: Key not found for:

Symptom:

User gets the following error when attempting to start a MED-V workspace:

Workspace ‘Workspace name’ failed to start. Please try starting the Workspace again.

Details: Encountered an unexpected error. Internal error: key not found for:

Cause:

This can happen if one or more of the following files in the client’s local image repository is corrupt, or in some cases, may be empty:

 

  • <VHDNAME>.EVHD.ENC: The encryption key file for the encrypted virtual hard drive.
  • <VHDUNDONAME>.VUD.ENC: The encryption key file for the encrypted undo disk.
  • <VPCSAVESTATENAME>.VSV.ENC: The encryption key file for the encrypted saved-state file.

These ENC files are very simple and consist of two lines, the corresponding image name followed by the key as shown below:

Example ENC File Contents:

XPImage1

PobsixWPexfLdBZADRU4SGsg4RvWkEfSQz0XF78yrKw=

There are a few options for fixing this granularly, without a complete image redeployment:

1.) If any of the ENC files are empty or corrupt but at least one is correct, you can copy the contents of the valid ENC file into the non-working one. This will only work if at least one of the ENC files is valid.

2.) If the bad ENC file is for a VSV or VUD key then simply removing the ENC file will cause it to be regenerated. The problem with this is it will also cause a new VUD or VSV to be created and all data in the previous copies will no longer be available. The ENC file used for the EVHD cannot be deleted. If this is deleted along with the rest of the ENC files, you will have to re-deploy the image.
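
The checks behind options 1 and 2, as an added PowerShell example (not part of the original post or of MED-V itself): it inspects every .enc file in one image folder and reports which are empty, malformed or inconsistent. It assumes the key line is Base64, as the sample above appears to be, and that healthy ENC files for one image share the same contents, as option 1 implies; $ImagePath is a parameter you supply.

```powershell
# Added example: audit the .enc key files of one MED-V image folder.
# Assumptions: key line is Base64; healthy ENC files of one image are identical.
param([Parameter(Mandatory = $true)][string]$ImagePath)

function Test-EncFile {
    param([string]$Path)
    $r = New-Object PSObject -Property @{
        File = [IO.Path]::GetFileName($Path); Status = 'OK'
        ImageName = $null; KeyBytes = 0; Body = $null
    }
    if ((Get-Item -LiteralPath $Path).Length -eq 0) { $r.Status = 'EMPTY'; return $r }

    # Ignore blank lines; a valid file has exactly two: image name, then key.
    $lines = @(Get-Content -LiteralPath $Path | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' })
    if ($lines.Count -ne 2) { $r.Status = "CORRUPT (expected 2 lines, found $($lines.Count))"; return $r }

    $r.ImageName = $lines[0]
    try {
        $r.KeyBytes = [Convert]::FromBase64String($lines[1]).Length
    } catch {
        $r.Status = 'CORRUPT (key line is not valid Base64)'; return $r
    }
    $r.Body = $lines -join "`n"   # kept in memory for comparison only
    return $r
}

$report = @(Get-ChildItem -LiteralPath $ImagePath -Filter *.enc | ForEach-Object { Test-EncFile $_.FullName })

# Compare the readable files with each other. A file that parses but differs
# from the rest is as unusable as an empty one, and is not a safe source
# for the copy described in option 1.
$good   = @($report | Where-Object { $_.Status -eq 'OK' })
$groups = @($good | Group-Object Body | Sort-Object Count -Descending)
if ($groups.Count -gt 1) {
    $tie = $groups[0].Count -eq $groups[1].Count
    foreach ($item in $good) {
        if ($tie) { $item.Status = 'MISMATCH (files disagree, no majority)' }
        elseif ($item.Body -ne $groups[0].Group[0].Body) { $item.Status = 'MISMATCH (differs from other ENC files)' }
    }
}

# Report the decoded key length only; the key itself is never written out.
$report | Select-Object File, Status, ImageName, KeyBytes | Format-Table -AutoSize
```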

ERROR: Root element is missing.

Symptom: A MED-V Workspace fails to start with the following error message:

Failed to start Workspace 'workspace name'

Details show: Unexpected error when trying to verify Workspace prerequisites. Internal error: Root element is missing.

Cause

This is caused by a required root element missing from one of the key XML configuration files (*.VMC) used by the underlying Virtual PC image.

Resolution

1.) Examine the VMC configuration file being used by the workspace inside the \MED-V Images\<image_name>\<version ID> folder. If the file is unreadable or zero bytes, the VMC file is corrupt.

2.) If the workspace is revertible, delete the most recent image version directory (for example, \MED-V Images\XP-CORPIMG\V3). Re-attempt to start the workspace. If it still fails, delete the entire image directory for that particular image (for example, \MED-V Images\XP-CORPIMG).

3.) If the workspace is persistent, please delete the local image and redeploy a new image.
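
Step 1 can be run across every image version at once. The following is an added PowerShell example, not from the original post: it loads each .vmc file with the .NET XML parser and reports the ones that are zero bytes or fail to parse. $ImagesRoot is an assumed parameter pointing at the client's \MED-V Images folder, and the Image and Version columns assume the \<image_name>\<version ID> layout described in step 1.

```powershell
# Added example: locate the .vmc file behind "Root element is missing".
# Assumption: $ImagesRoot is the client's "MED-V Images" folder, laid out as
# <image_name>\<version ID>\<file>.vmc.
param([Parameter(Mandatory = $true)][string]$ImagesRoot)

function Test-VmcFile {
    param([IO.FileInfo]$File)
    if ($File.Length -eq 0) { return 'CORRUPT (zero bytes)' }

    $doc = New-Object System.Xml.XmlDocument
    $doc.XmlResolver = $null   # do not fetch external DTDs or entities while checking
    try {
        $doc.Load($File.FullName)
    } catch {
        # Truncated or non-XML content ends up here; report the parser's own message.
        return "CORRUPT ($($_.Exception.GetBaseException().Message))"
    }
    if ($null -eq $doc.DocumentElement) { return 'CORRUPT (no root element)' }
    return 'OK'
}

Get-ChildItem -LiteralPath $ImagesRoot -Recurse -Filter *.vmc |
    ForEach-Object {
        New-Object PSObject -Property @{
            Image   = $_.Directory.Parent.Name
            Version = $_.Directory.Name
            File    = $_.Name
            Status  = (Test-VmcFile $_)
        }
    } |
    Select-Object Image, Version, File, Status |
    Format-Table -AutoSize
```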

Steve Thomas | Senior Support Escalation Engineer

The App-V Team blog: https://blogs.technet.com/appv/
The WSUS Support Team blog: https://blogs.technet.com/sus/
The SCMDM Support Team blog: https://blogs.technet.com/mdm/
The ConfigMgr Support Team blog: https://blogs.technet.com/configurationmgr/
The SCOM 2007 Support Team blog: https://blogs.technet.com/operationsmgr/
The SCVMM Team blog: https://blogs.technet.com/scvmm/
The MED-V Team blog: https://blogs.technet.com/medv/
The DPM Team blog: https://blogs.technet.com/dpm/
The OOB Support Team blog: https://blogs.technet.com/oob/
The Opalis Team blog: https://blogs.technet.com/opalis
The Service Manager Team blog: https://blogs.technet.com/b/servicemanager
The AVIcode Team blog: https://blogs.technet.com/b/avicode
The System Center Essentials Team blog: https://blogs.technet.com/b/systemcenteressentials
