---
title: An internal error occurs when you make an RDP connection to Azure Virtual Machines
description: Learn how to troubleshoot RDP internal errors in Microsoft Azure.
services: virtual-machines
documentationCenter:
author: genlin
manager: dcscontentpm
ms.service: virtual-machines
ms.collection: windows
ms.topic: troubleshooting
ms.tgt_pltfrm: vm-windows
ms.workload: infrastructure
ms.date: 02/23/2020
ms.author: genli
ms.custom: sap:Cannot connect to my VM
---
Applies to: ✔️ Windows VMs
This article describes an error that you may experience when you try to connect to a virtual machine (VM) in Microsoft Azure.
You can't connect to an Azure VM by using the remote desktop protocol (RDP). The connection gets stuck on the Configuring Remote section, or you receive the following error message:
- RDP internal error
- An internal error has occurred
- This computer can't be connected to the remote computer. Try connecting again. If the problem continues, contact the owner of the remote computer or your network administrator
This issue might occur for the following reasons:
- The virtual machine might have been attacked.
- The local RSA encryption keys can't be accessed.
- The TLS protocol is disabled.
- The certificate is corrupted or expired.
To troubleshoot this issue, complete the steps in the following sections. Before you begin, take a snapshot of the OS disk of the affected VM as a backup. For more information, see Snapshot a disk.
First, check whether the network security group (NSG) rule for RDP port 3389 is unsecured (open). If it is unsecured and shows * as the source IP address for inbound traffic, restrict the RDP port to a specific user's IP address, and then test RDP access. If this fails, complete the steps in the next section.
Use the Serial Console or repair the VM offline by attaching the OS disk of the VM to a recovery VM.
To begin, connect to the Serial Console and open a PowerShell instance. If the Serial Console is not enabled on your VM, go to the repair the VM offline section.
1. In a PowerShell instance, use netstat to check whether port 3389 is used by other applications:

    ```powershell
    Netstat -anob | more
    ```

2. If Termservice.exe is using port 3389, go to step 2. If a service or application other than Termservice.exe is using port 3389, follow these steps:

    1. Stop the service for the application that is using port 3389:

        ```powershell
        Stop-Service -Name <ServiceName> -Force
        ```

    2. Start the terminal service:

        ```powershell
        Start-Service -Name Termservice
        ```

    If the application cannot be stopped, or if this method does not apply to you, change the port for RDP:

    1. Change the port:

        ```powershell
        Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name PortNumber -Value <Hexportnumber>
        Stop-Service -Name Termservice -Force
        Start-Service -Name Termservice
        ```

    2. Set the firewall for the new port:

        ```powershell
        Set-NetFirewallRule -Name "RemoteDesktop-UserMode-In-TCP" -LocalPort <NEW PORT (decimal)>
        ```

    3. Update the network security group for the new RDP port in the Azure portal.
3. In a PowerShell instance, run the following commands one by one to renew the RDP self-signed certificate:

    ```powershell
    Import-Module PKI
    Set-Location Cert:\LocalMachine
    $RdpCertThumbprint = 'Cert:\LocalMachine\Remote Desktop\'+((Get-ChildItem -Path 'Cert:\LocalMachine\Remote Desktop\').thumbprint)
    Remove-Item -Path $RdpCertThumbprint
    Stop-Service -Name "SessionEnv"
    Start-Service -Name "SessionEnv"
    ```

4. If you cannot renew the certificate by using this method, try to renew the RDP self-signed certificate remotely:

    1. From a working VM that has connectivity to the VM that is experiencing problems, type mmc in the Run box to open Microsoft Management Console.
    2. On the File menu, select Add/Remove Snap-in, select Certificates, and then select Add.
    3. Select Computer account, select Another computer, and then add the IP address of the problem VM.
    4. Go to the Remote Desktop\Certificates folder, right-click the certificate, and then select Delete.
    5. In a PowerShell instance from the Serial Console, restart the Remote Desktop Configuration service:

        ```powershell
        Stop-Service -Name "SessionEnv"
        Start-Service -Name "SessionEnv"
        ```
5. Reset the permissions for the MachineKeys folder:

    ```powershell
    remove-module psreadline
    md c:\temp
    icacls C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys /t /c > c:\temp\BeforeScript_permissions.txt
    takeown /f "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys" /a /r
    icacls C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys /t /c /grant "NT AUTHORITY\System:(F)"
    icacls C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys /t /c /grant "NT AUTHORITY\NETWORK SERVICE:(R)"
    icacls C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys /t /c /grant "BUILTIN\Administrators:(F)"
    icacls C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys /t /c > c:\temp\AfterScript_permissions.txt
    Restart-Service TermService -Force
    ```

6. Restart the VM, and then try to start a Remote Desktop connection to the VM. If the error still occurs, go to the next step.
The RDP client uses TLS 1.0 as the default protocol. However, this can be changed to TLS 1.1, which has become the new standard. If TLS 1.1 is disabled on the VM, the connection will fail.
1. In a CMD instance, enable the TLS protocol:

    ```cmd
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v Enabled /t REG_DWORD /d 1 /f
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v Enabled /t REG_DWORD /d 1 /f
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /v Enabled /t REG_DWORD /d 1 /f
    ```

2. To prevent the AD policy from overwriting the changes, stop the group policy update temporarily:

    ```cmd
    REG add "HKLM\SYSTEM\CurrentControlSet\Services\gpsvc" /v Start /t REG_DWORD /d 4 /f
    ```

3. Restart the VM so that the changes take effect. If the issue is resolved, run the following commands to re-enable the group policy:

    ```cmd
    sc config gpsvc start= auto
    sc start gpsvc
    gpupdate /force
    ```

If the change is reverted, there is an Active Directory policy in your company domain that sets these values. You have to change that policy to prevent this problem from recurring.
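Before changing anything, the following read-only PowerShell script, added here as an example and not part of the original article, gathers the state the Serial Console steps above act on (owner of the RDP port, the RDP self-signed certificate, the MachineKeys ACL, the SCHANNEL server values, NLA and the gpsvc start type) so you can see which step applies. The function names are mine, and it assumes an elevated session with the NetTCPIP and CimCmdlets modules available.

```powershell
# Added read-only check (not from the original article): it reads the settings the
# troubleshooting steps modify and changes nothing. Run from an elevated PowerShell
# session, for example via the Serial Console.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpListener {
    # Which process and service own the configured RDP port? TermService is hosted by
    # svchost.exe, so the service name, not the image name, is the meaningful value.
    $port = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
    $conn = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $conn) { return [pscustomobject]@{ Port = $port; Process = 'none listening'; Services = '' } }
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    $svcs = Get-CimInstance Win32_Service -Filter "ProcessId = $($conn.OwningProcess)" | ForEach-Object Name
    [pscustomobject]@{ Port = $port; Process = $proc.ProcessName; Services = ($svcs -join ',') }
}

function Get-RdpCertState {
    # The self-signed RDP certificate that the renewal step deletes and regenerates.
    Get-ChildItem -Path 'Cert:\LocalMachine\Remote Desktop\' -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Thumbprint = $_.Thumbprint; NotAfter = $_.NotAfter; Expired = ($_.NotAfter -lt (Get-Date)) } }
}

function Get-MachineKeysAcl {
    # The ACL the icacls step resets: SYSTEM and Administrators need Full, NETWORK SERVICE Read.
    (Get-Acl -Path 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys').Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

function Get-SchannelServerState {
    # Server-side Enabled value per protocol; an absent value means the OS default applies.
    foreach ($v in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        $p = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$v\Server"
        $e = (Get-ItemProperty -Path $p -Name Enabled -ErrorAction SilentlyContinue).Enabled
        if ($null -eq $e) { $e = 'not set (OS default)' }
        [pscustomobject]@{ Protocol = $v; Enabled = $e }
    }
}

function Get-RdpPolicyState {
    # NLA flag (UserAuthentication) and the Group Policy client start type (2 = auto, 4 = disabled).
    $nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $gp  = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\gpsvc' -Name Start).Start
    [pscustomobject]@{ NlaRequired = ($nla -eq 1); GpsvcStartType = $gp }
}

'== RDP listener =='    ; Get-RdpListener         | Format-List
'== RDP certificate ==' ; Get-RdpCertState        | Format-Table -AutoSize
'== MachineKeys ACL ==' ; Get-MachineKeysAcl      | Format-Table -AutoSize
'== SCHANNEL server ==' ; Get-SchannelServerState | Format-Table -AutoSize
'== NLA / gpsvc =='     ; Get-RdpPolicyState      | Format-List
```

If the listener report names a service other than TermService, or the ACL lacks the SYSTEM and NETWORK SERVICE entries, the matching step above is the one to run; a missing certificate or an Enabled value of 0 points at the renewal or TLS steps.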
- Attach the OS disk to a recovery VM.
- After the OS disk is attached to the recovery VM, make sure that the disk is flagged as Online in the Disk Management console. Note the drive letter that is assigned to the attached OS disk.
- Start a Remote Desktop connection to the recovery VM.
To enable the dump log and the Serial Console, run the following script.

1. Open an elevated command prompt session (Run as administrator).
2. Run the following script. In this script, we assume that the drive letter that is assigned to the attached OS disk is F. Replace this drive letter with the appropriate value for your VM.

    ```cmd
    reg load HKLM\BROKENSYSTEM F:\windows\system32\config\SYSTEM

    REM Enable Serial Console
    bcdedit /store F:\boot\bcd /set {bootmgr} displaybootmenu yes
    bcdedit /store F:\boot\bcd /set {bootmgr} timeout 5
    bcdedit /store F:\boot\bcd /set {bootmgr} bootems yes
    bcdedit /store F:\boot\bcd /ems {<BOOT LOADER IDENTIFIER>} ON
    bcdedit /store F:\boot\bcd /emssettings EMSPORT:1 EMSBAUDRATE:115200

    REM Suggested configuration to enable OS Dump
    REG ADD "HKLM\BROKENSYSTEM\ControlSet001\Control\CrashControl" /v CrashDumpEnabled /t REG_DWORD /d 1 /f
    REG ADD "HKLM\BROKENSYSTEM\ControlSet001\Control\CrashControl" /v DumpFile /t REG_EXPAND_SZ /d "%SystemRoot%\MEMORY.DMP" /f
    REG ADD "HKLM\BROKENSYSTEM\ControlSet001\Control\CrashControl" /v NMICrashDump /t REG_DWORD /d 1 /f
    REG ADD "HKLM\BROKENSYSTEM\ControlSet002\Control\CrashControl" /v CrashDumpEnabled /t REG_DWORD /d 1 /f
    REG ADD "HKLM\BROKENSYSTEM\ControlSet002\Control\CrashControl" /v DumpFile /t REG_EXPAND_SZ /d "%SystemRoot%\MEMORY.DMP" /f
    REG ADD "HKLM\BROKENSYSTEM\ControlSet002\Control\CrashControl" /v NMICrashDump /t REG_DWORD /d 1 /f

    reg unload HKLM\BROKENSYSTEM
    ```
To reset the permissions for the MachineKeys folder on the attached OS disk:

1. Open an elevated command prompt session (Run as administrator).
2. Run the following script. In this script, we assume that the drive letter that is assigned to the attached OS disk is F. Replace this drive letter with the appropriate value for your VM.

    ```cmd
    REM The before/after listings are written to c:\temp on the recovery VM
    md c:\temp
    icacls F:\ProgramData\Microsoft\Crypto\RSA\MachineKeys /t /c > c:\temp\BeforeScript_permissions.txt
    takeown /f "F:\ProgramData\Microsoft\Crypto\RSA\MachineKeys" /a /r
    icacls F:\ProgramData\Microsoft\Crypto\RSA\MachineKeys /t /c /grant "NT AUTHORITY\System:(F)"
    icacls F:\ProgramData\Microsoft\Crypto\RSA\MachineKeys /t /c /grant "NT AUTHORITY\NETWORK SERVICE:(R)"
    icacls F:\ProgramData\Microsoft\Crypto\RSA\MachineKeys /t /c /grant "BUILTIN\Administrators:(F)"
    icacls F:\ProgramData\Microsoft\Crypto\RSA\MachineKeys /t /c > c:\temp\AfterScript_permissions.txt
    ```
To enable the TLS protocols and NLA on the attached OS disk, open an elevated command prompt session (Run as administrator), and then run the following commands. The scripts assume that the drive letter assigned to the attached OS disk is F. Replace this drive letter with the appropriate value for your VM.

1. Check which TLS versions are enabled:

    ```cmd
    reg load HKLM\BROKENSYSTEM F:\windows\system32\config\SYSTEM
    REG QUERY "HKLM\BROKENSYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v Enabled
    REG QUERY "HKLM\BROKENSYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v Enabled
    REG QUERY "HKLM\BROKENSYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /v Enabled
    REG QUERY "HKLM\BROKENSYSTEM\ControlSet002\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v Enabled
    REG QUERY "HKLM\BROKENSYSTEM\ControlSet002\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v Enabled
    REG QUERY "HKLM\BROKENSYSTEM\ControlSet002\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /v Enabled
    ```

2. If the key doesn't exist, or its value is 0, enable the protocol by running the following script:

    ```cmd
    REM Enable TLS 1.0, TLS 1.1 and TLS 1.2
    REG ADD "HKLM\BROKENSYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v Enabled /t REG_DWORD /d 1 /f
    REG ADD "HKLM\BROKENSYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v Enabled /t REG_DWORD /d 1 /f
    REG ADD "HKLM\BROKENSYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /v Enabled /t REG_DWORD /d 1 /f
    REG ADD "HKLM\BROKENSYSTEM\ControlSet002\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v Enabled /t REG_DWORD /d 1 /f
    REG ADD "HKLM\BROKENSYSTEM\ControlSet002\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v Enabled /t REG_DWORD /d 1 /f
    REG ADD "HKLM\BROKENSYSTEM\ControlSet002\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /v Enabled /t REG_DWORD /d 1 /f
    ```

3. Enable NLA:

    ```cmd
    REM Enable NLA
    REG ADD "HKLM\BROKENSYSTEM\ControlSet001\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 1 /f
    REG ADD "HKLM\BROKENSYSTEM\ControlSet002\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 1 /f
    reg unload HKLM\BROKENSYSTEM
    ```

4. Detach the OS disk and recreate the VM, and then check whether the issue is resolved.
Redeploy the VM. This moves the VM to a healthier host node.

> [!WARNING]
> This requires the VM to be restarted, which causes downtime.
[!INCLUDE [Azure Help Support](../../../includes/azure-help-support.md)]