How to verify an Azure virtual machine RDP certificate?

Submitted by 点点圈 on 2019-12-10 15:40:00

Question


My VM's RDP certificate fingerprint changed for some reason. Is there a way for me to verify the new certificate fingerprint in Azure?

Type: Virtual Machine (classic), Machine: Basic_A3, OS: Windows Server


Answer 1:


There are boot diagnostic logs available in Azure, enabled by default, when you boot a virtual machine. You can find them by selecting the virtual machine in the Azure portal; in the menu section 'Support + troubleshooting', select 'Boot diagnostics' and then the 'Serial log' tab. These logs list various system parameters as a JSON object, which contains the remoteAccess object seen below.

"remoteAccess": {
    "windows": {
        "rdpPort": 3389,
        "rdpEnabled": true,
        "rdpTcpListenerSecurityConfiguration": {
            "nlaUserAuthenticationRequired": true,
            "authenticationSecurityLayer": "TLS",
            "protocolNegotiationAllowed": true
        },
        "rdpTcpListenerMaxConnections": 2,
        "rdpFirewallAccess": "Allowed",
        "rdpAllowedUsers": [
            "TestUser"
        ],
        "rdpCertificateDetails": {
            "subject": "CN=RDPTest",
            "thumbprint": "9AD7CB3493790BCAB6FBF543EBBBE68883E9EE89",
            "validFrom": "2018-02-17T10:58:42Z",
            "validTo": "2018-08-19T10:58:42Z"
        },
        "rdsLicensingStatus": null
    }
}

As you can see, there is an rdpCertificateDetails object that lists the SHA thumbprint of the RDP server certificate. Unlike the Linux boot diagnostics log, it will list the thumbprint every time, so there is no need to worry if it was not recorded on first boot.

When you first connect, there will be an "unknown publisher" warning.

Click through, and enter your credentials. After entering your credentials, it will show an "identity could not be verified" warning. The name of the computer will be the name of the VM in Azure.

Click view certificate, and go to details. Here you can find the thumbprint to verify against the one from the boot diagnostics.

For more detailed instructions on finding the boot diagnostics in the Azure portal, and obtaining the SSH keys for a Linux VM, see my answer on this StackOverflow question.




Answer 2:


If you're using a Classic VM (ASM), chances are the legacy Azure Portal can assist you here (manage.windowsazure.com). I know for Linux VMs it displays SSH thumbprints, not sure if it will show auto-enrolled RDP certs. If you have VM extensions enabled then you should be able to deploy the password reset extension on classic VM if needed to reset an RDP configuration. The portal has it built in though. If you put some more info on the OS and VM model you're in we'll be able to help you better here.




Answer 3:


This solved the problem for me.

  1. Log into the VM using PowerShell. (If you do not know how, follow this guide. The certificate for secure login is found here in the new portal: Cloud services (classic) > (vm name) > Settings > Certificates)

  2. Execute the following commands remotely:

    # the certificate provider is a PowerShell drive, so the name needs the colon
    Set-Location Cert:
    Set-Location LocalMachine
    # the RDP listener certificate lives in the "Remote Desktop" store
    Set-Location "Remote Desktop"
    # lists the certificate(s) with their Thumbprint column
    dir
    
  3. This gives you the certificate thumbprint. Use it to verify the one given when you try to connect using Remote Desktop.
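Putting answers 1 and 3 together, an added PowerShell example (not from any of the answers above): it pulls the thumbprint out of a saved serial-log excerpt, normalises the thumbprint copied from the RDP client's certificate dialog, and reports whether they match. The sample log fragment is constructed from answer 1's JSON, and the Get-LocalRdpThumbprint helper only means anything when run on the VM itself, as in answer 3.

```powershell
# Added example, not from the original answers. Assumes the boot-diagnostics
# serial log was saved as text and that the comparison runs either on the VM
# (reading Cert:\LocalMachine\Remote Desktop) or against a thumbprint copied
# from the RDP client's "view certificate" > Details dialog.

function Get-RdpThumbprintFromSerialLog {
    param([Parameter(Mandatory)][string]$LogText)
    # The serial log wraps the settings in a larger JSON object; matching the
    # rdpCertificateDetails fragment is enough to recover the thumbprint.
    $m = [regex]::Match($LogText,
        '"rdpCertificateDetails"\s*:\s*\{[^}]*"thumbprint"\s*:\s*"([0-9A-Fa-f]+)"')
    if (-not $m.Success) { throw 'No rdpCertificateDetails.thumbprint found in log' }
    return $m.Groups[1].Value.ToUpperInvariant()
}

function Get-LocalRdpThumbprint {
    # Run on the VM itself: the RDP listener certificate lives in this store.
    $cert = Get-ChildItem -Path 'Cert:\LocalMachine\Remote Desktop' | Select-Object -First 1
    if (-not $cert) { throw 'No certificate in Cert:\LocalMachine\Remote Desktop' }
    return $cert.Thumbprint.ToUpperInvariant()
}

function Test-RdpThumbprintMatch {
    param([Parameter(Mandatory)][string]$Expected, [Parameter(Mandatory)][string]$Observed)
    # The RDP client dialog shows the SHA-1 thumbprint with spaces or colons and
    # in lower case; strip everything that is not a hex digit before comparing.
    $norm = { param($s) ($s -replace '[^0-9A-Fa-f]', '').ToUpperInvariant() }
    $e = & $norm $Expected
    $o = & $norm $Observed
    if ($e.Length -ne 40) { throw "Expected thumbprint is not a 40-hex-digit SHA-1: $Expected" }
    return ($e -eq $o)
}

# Constructed sample: the remoteAccess fragment quoted in answer 1.
$sampleLog = @'
"remoteAccess": { "windows": { "rdpCertificateDetails": {
    "subject": "CN=RDPTest",
    "thumbprint": "9AD7CB3493790BCAB6FBF543EBBBE68883E9EE89",
    "validFrom": "2018-02-17T10:58:42Z", "validTo": "2018-08-19T10:58:42Z" } } }
'@
$expected = Get-RdpThumbprintFromSerialLog -LogText $sampleLog

# Constructed: what the client's certificate Details tab shows, copied as-is.
$fromDialog = '9a d7 cb 34 93 79 0b ca b6 fb f5 43 eb bb e6 88 83 e9 ee 89'
Test-RdpThumbprintMatch -Expected $expected -Observed $fromDialog
```

On the VM itself, replace $fromDialog with (Get-LocalRdpThumbprint) to check the store contents against the serial log directly.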



Source: https://stackoverflow.com/questions/34744732/how-to-verify-an-azure-virtual-machine-rdp-certificate
