Using Hyper-V 2012 r2, connecting to the console results in: A certification authority could not be contacted for authentication.

I'm having some trouble with authentication to guests from my Hyper-V console.

If I try to connect from the Hyper-V Manager to the console of any guest, I get the error:
"A certification authority could not be contacted for authentication. If you are using a Remote Desktop Gateway with a smart card, try connecting to the remote computer using a password. For assistance, contact your system administrator or technical support."

I'm not using an RDG and smart card.

I have 2 virtual networks. The first is Production, the second is Isolated. Production has 2 NICs attached to the Production LAN, the second has 2 NICs in our DMZ. The host is a member server of the production domain. I can use MSTSC from the LAN or the DMZ to gain access to each Guest and the Host.

The issues start if I try "Connect" from Hyper-V Manager in an attempt to use the console of any Guest. Each attempt fails with the above error. If I use an incorrect password, I get a different error: "The credentials that were used to connect to {Server FQDN} did not work. Please enter new credentials."

Taking a look at the the event logs, I can see the session successfully authenticating to the Guest (4776 Credential validation and 4624 Logon), and the fact I get a different error if I enter an incorrect password show I get some way along the line. However if I take a look at the logs on the Host, however I get:

An account failed to log on.

    Subject:
        Security ID:        NULL SID
        Account Name:        -
        Account Domain:        -
        Logon ID:        0x0    

    Logon Type:            3

    Account For Which Logon Failed:
        Security ID:        NULL SID
        Account Name:        
        Account Domain:        

    Failure Information:
        Failure Reason:        An Error occured during Logon.
        Status:            0xC000006D
        Sub Status:        0xC000005E

    Process Information:
        Caller Process ID:    0x0
        Caller Process Name:    -

    Network Information:
        Workstation Name:    -
        Source Network Address:    -
        Source Port:        -

    Detailed Authentication Information:
        Logon Process:        Kerberos
        Authentication Package:    Kerberos
        Transited Services:    -
        Package Name (NTLM only):    -
        Key Length:        0

    This event is generated when a logon request fails. It is generated on the computer where access was attempted.

    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

    The Process Information fields indicate which account and process on the system requested the logon.

    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

    The authentication information fields provide detailed information about this specific logon request.
        - Transited services indicate which intermediate services have participated in this logon request.
        - Package name indicates which sub-protocol was used among the NTLM protocols.
        - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Which looks to me like a blank authentication request is being sent? (I've not deleted any machine/domain names, they're just not present)

Any suggestions? Do you think I'm barking up the wrong tree?

Thoughts and comments gratefully received