5

My VM's RDP certificate fingerprint changed for some reason. Is there a way for me to verify the new certificate fingerprint in Azure?

Type: Virtual Machine (classic), Machine: Basic_A3, OS: Windows Server

techraf
Simon Warta
  • @MichaelB Looks like Azure machines auto-renew the certificate every 6 months. But who knows if it is supposed to be like that … – Simon Warta Jan 12 '16 at 13:36

3 Answers

5

There are boot diagnostic logs available in Azure, enabled by default, when you boot a virtual machine. You can find them by selecting the virtual machine in the Azure portal; in the menu section 'Support + troubleshooting', select 'Boot diagnostics' and then the 'Serial log' tab. These logs list various system parameters as a JSON object, which contains the remoteAccess object seen below.

"remoteAccess": {
    "windows": {
        "rdpPort": 3389,
        "rdpEnabled": true,
        "rdpTcpListenerSecurityConfiguration": {
            "nlaUserAuthenticationRequired": true,
            "authenticationSecurityLayer": "TLS",
            "protocolNegotiationAllowed": true
        },
        "rdpTcpListenerMaxConnections": 2,
        "rdpFirewallAccess": "Allowed",
        "rdpAllowedUsers": [
            "TestUser"
        ],
        "rdpCertificateDetails": {
            "subject": "CN=RDPTest",
            "thumbprint": "9AD7CB3493790BCAB6FBF543EBBBE68883E9EE89",
            "validFrom": "2018-02-17T10:58:42Z",
            "validTo": "2018-08-19T10:58:42Z"
        },
        "rdsLicensingStatus": null
    }
}

As you can see, there is an rdpCertificateDetails object that lists the SHA thumbprint of the RDP server certificate. Unlike the Linux boot diagnostics log, it will list the thumbprint every time, so there is no need to worry if it was not recorded on first boot.

When you first connect, there will be an "unknown publisher" warning.

(Screenshot: "Unknown publisher" warning)

Click through, and enter your credentials. After entering your credentials, it will show an "identity could not be verified" warning. The name of the computer will be the name of the VM in Azure.

(Screenshot: "Identity could not be verified" warning)

Click view certificate, and go to details. Here you can find the thumbprint to verify against the one from the boot diagnostics.

(Screenshot: certificate details showing the thumbprint)

For more detailed instructions on finding the boot diagnostics in the Azure portal, and obtaining the SSH keys for a Linux VM, see my answer on this StackOverflow question.

Glorfindel
lordcheeto
  • I'm not seeing that JSON output in the *Serial log* tab. I see XML syntax showing various data like ``, but no mention of `remoteAccess`. – Max Barraclough May 29 '21 at 12:27
  • Just tested this, and yes, they appear to have changed the *Serial log* output, which is unfortunate. Found a solution, though. Go to *Operations* > *Run command* > *RunPowerShellScript* and run `Get-ChildItem -Path 'Cert:LocalMachine\Remote Desktop'` to pull the RDP Certificate Thumbprint. – lordcheeto Jun 17 '21 at 03:22
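The comparison the answer describes, as an added example that is not part of the original answer: the script takes the JSON object copied out of the boot diagnostics serial log (assumption: you paste the object as shown above; the sample below is constructed from the answer's remoteAccess object and reuses its thumbprint and dates), extracts `rdpCertificateDetails`, and compares the thumbprint with the one the Remote Desktop client's certificate dialog shows, which typically prints it as space-separated hex pairs. The function names are this example's own.

```powershell
# Added example, not from the original answer. Compares the RDP certificate
# thumbprint recorded in the boot diagnostics serial log with the thumbprint
# shown by the Remote Desktop client before you accept the connection.

# Constructed sample modelled on the answer's remoteAccess object.
$serialLogJson = @'
{
  "remoteAccess": {
    "windows": {
      "rdpPort": 3389,
      "rdpEnabled": true,
      "rdpCertificateDetails": {
        "subject": "CN=RDPTest",
        "thumbprint": "9AD7CB3493790BCAB6FBF543EBBBE68883E9EE89",
        "validFrom": "2018-02-17T10:58:42Z",
        "validTo": "2018-08-19T10:58:42Z"
      }
    }
  }
}
'@

function ConvertTo-NormalizedThumbprint {
    # Strip spaces/colons and upper-case, so "9a d7 cb ..." from the client
    # dialog and "9AD7CB..." from the log compare equal. SHA-1 = 40 hex digits.
    param([Parameter(Mandatory)][string]$Thumbprint)
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected a 40-hex-digit SHA-1 thumbprint, got '$Thumbprint'"
    }
    return $clean
}

function ConvertTo-UtcDateTime {
    # ConvertFrom-Json leaves ISO 8601 strings alone in Windows PowerShell 5.1
    # but turns them into [datetime] in PowerShell 7; accept both.
    param([Parameter(Mandatory)]$Value)
    if ($Value -is [datetime]) { return $Value.ToUniversalTime() }
    return [DateTimeOffset]::Parse([string]$Value, [cultureinfo]::InvariantCulture).UtcDateTime
}

function Test-RdpThumbprintMatch {
    param(
        [Parameter(Mandatory)][string]$SerialLogJson,
        [Parameter(Mandatory)][string]$ThumbprintFromClient,
        [datetime]$Now = (Get-Date).ToUniversalTime()
    )
    $details = ($SerialLogJson | ConvertFrom-Json).remoteAccess.windows.rdpCertificateDetails
    if (-not $details) { throw 'No remoteAccess.windows.rdpCertificateDetails object in the log' }

    $expected  = ConvertTo-NormalizedThumbprint $details.thumbprint
    $observed  = ConvertTo-NormalizedThumbprint $ThumbprintFromClient
    $validFrom = ConvertTo-UtcDateTime $details.validFrom
    $validTo   = ConvertTo-UtcDateTime $details.validTo

    [pscustomobject]@{
        Subject           = $details.subject
        Expected          = $expected
        Observed          = $observed
        Match             = ($expected -eq $observed)
        # A mismatch while the logged certificate is still inside its validity
        # window is the case worth investigating; after validTo, a renewal on
        # the VM is the likely explanation and the log is simply stale.
        LogCertStillValid = ($Now -ge $validFrom -and $Now -le $validTo)
        ValidTo           = $validTo
    }
}

# Usage: paste the thumbprint exactly as the certificate dialog shows it.
$result = Test-RdpThumbprintMatch -SerialLogJson $serialLogJson `
    -ThumbprintFromClient '9a d7 cb 34 93 79 0b ca b6 fb f5 43 eb bb e6 88 83 e9 ee 89'
$result | Format-List
if (-not $result.Match) {
    Write-Warning 'Thumbprint does not match the boot diagnostics log; do not proceed with the connection.'
}
```

The normalization step matters because the client dialog and the serial log format the same SHA-1 value differently, and a visual comparison of 40 hex digits is error-prone; the validity check separates "the log is outdated" from "something else is presenting a certificate".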
1

If you're using a Classic VM (ASM), chances are the legacy Azure Portal can assist you here (manage.windowsazure.com). I know for Linux VMs it displays SSH thumbprints; not sure if it will show auto-enrolled RDP certs. If you have VM extensions enabled then you should be able to deploy the password reset extension on a classic VM if needed to reset an RDP configuration; the portal has it built in though. If you put some more info on the OS and VM model you're on, we'll be able to help you better here.

ericgol
  • Thanks. I added some basic machine info. There is indeed an RDP fingerprint in the legacy portal. But right now, not the same that I get when connecting. I'll try to find out why. – Simon Warta Jan 19 '16 at 09:19
1

This solved the problem for me.

  1. Log into the VM using PowerShell. (If you do not know how, follow this guide. The certificate for secure login is found here in the new portal: Cloud services (classic) > (vm name) > Settings > Certificates)

  2. Execute the following commands remotely:

    # Change into the certificate provider drive (note the trailing colon),
    # then into the machine store's "Remote Desktop" container, and list it.
    Set-Location Cert:
    Set-Location LocalMachine
    Set-Location "Remote Desktop"
    Get-ChildItem    # 'dir' is an alias for Get-ChildItem
    
  3. This gives you the certificate thumbprint. Use it to verify the one given when you try to connect using Remote Desktop.

techraf
Martin Johansen
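The store listing from step 2 (and from the Run command in the earlier comment) can hold more than one certificate once the VM has renewed it, so it helps to know which one the listener actually presents. The following added example, not part of the original answer, runs on the VM itself (through the portal's Run command or a remoting session as in step 1) and lists the "Remote Desktop" store, marks the certificate the RDP-Tcp listener is configured with, and compares it with a thumbprint pasted from the client dialog. It assumes an elevated session and queries the listener's configured certificate hash through the `Win32_TSGeneralSetting` CIM class; the function names and the placeholder thumbprint are this example's own.

```powershell
# Added example, not from the original answer. Run on the VM (elevated).

function ConvertTo-NormalizedThumbprint {
    # Strip separators and upper-case so "9a d7 cb ..." equals "9AD7CB...".
    param([Parameter(Mandatory)][string]$Thumbprint)
    return ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

function Get-RdpStoreCertificates {
    # The listener's own configuration says which certificate it presents;
    # the store may also hold older copies left behind by renewals.
    $listener = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'" `
        -ErrorAction SilentlyContinue
    $configured = if ($listener -and $listener.SSLCertificateSHA1Hash) {
        ConvertTo-NormalizedThumbprint $listener.SSLCertificateSHA1Hash
    } else { $null }

    foreach ($cert in Get-ChildItem -Path 'Cert:\LocalMachine\Remote Desktop') {
        [pscustomobject]@{
            Thumbprint     = $cert.Thumbprint
            Subject        = $cert.Subject
            NotBefore      = $cert.NotBefore
            NotAfter       = $cert.NotAfter
            # $null here means the listener reported no hash, so the store
            # alone cannot tell which certificate is presented.
            UsedByListener = if ($configured) { $cert.Thumbprint -eq $configured } else { $null }
        }
    }
}

function Test-RdpListenerThumbprint {
    param([Parameter(Mandatory)][string]$ThumbprintFromClient)
    $observed  = ConvertTo-NormalizedThumbprint $ThumbprintFromClient
    $certs     = @(Get-RdpStoreCertificates)
    $presented = $certs | Where-Object { $_.UsedByListener -eq $true }
    [pscustomobject]@{
        ClientThumbprint   = $observed
        # In the store at all (possibly an old, renewed-away certificate)?
        InStore            = [bool]($certs | Where-Object { $_.Thumbprint -eq $observed })
        # The check that matters: is it the certificate the listener presents?
        MatchesListener    = [bool]($presented | Where-Object { $_.Thumbprint -eq $observed })
        ListenerThumbprint = if ($presented) { $presented.Thumbprint } else { $null }
        StoreCount         = $certs.Count
    }
}

# Usage: replace the placeholder with the thumbprint from the client dialog.
Get-RdpStoreCertificates | Format-Table -AutoSize
Test-RdpListenerThumbprint -ThumbprintFromClient 'PLACEHOLDER-PASTE-CLIENT-THUMBPRINT-HERE' |
    Format-List
```

`MatchesListener` is the result to act on: a thumbprint that is merely `InStore` but not the listener's current certificate is consistent with an old log or a stale client cache, whereas a thumbprint that appears nowhere on the VM means the client is not talking to this machine's RDP service.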