Fix authentication errors when using RDP to connect to Azure VM - Virtual Machines (2023)

This article can help you troubleshoot authentication errors that occur when you use the Remote Desktop Protocol (RDP) connection to connect to an Azure virtual machine (VM).

symptoms

Captures a screenshot of an Azure VM showing the welcome screen and indicating that the operating system is running. However, when you try to connect to the virtual machine using Remote Desktop Connection, you receive one of the following error messages:

• An authentication error has occurred. The local security authority cannot be reached.
• The remote computer that you are trying to connect to requires network level authentication (NLA), but the Windows domain controller cannot be contacted to perform the NLA. If you are an administrator on the remote computer, you can disable NLA using the options on the Remote tab in the System Properties dialog box.
• This computer cannot connect to the remote computer. Try connecting again. If the problem persists, contact the owner of the remote computer or your network administrator.

cause

There are several reasons why NLA can block RDP access to a virtual machine:

• The VM cannot communicate with the domain controller (DC). This issue can prevent an RDP session from accessing a virtual machine using domain credentials. However, you can still log in using local administrator credentials. This problem can occur in the following situations:
  • The Active Directory security channel between this virtual machine and the domain controller is broken.
  • The VM has an old copy of the account password and the DC has a newer copy.
  • The domain controller to which this virtual machine connects is not healthy.
• The encryption level of the VM is higher than that of the client machine.
• The TLS 1.0, 1.1 or 1.2 (server) protocols are disabled on the virtual machine. The virtual machine has been configured to disable logging in with domain credentials and the Local Security Authority (LSA) is misconfigured.
• The virtual machine has been configured to only accept connections from Federal Information Processing Standard (FIPS) compliant algorithms. This is typically done using Active Directory policy. This is a rare setting, but FIPS only applies to remote desktop connections.

Before troubleshooting

Create a backup snapshot

To create a backup snapshot, follow the steps inSnapshot of a hard drive.

Connect to the virtual machine remotely

To connect to the virtual machine remotely, use one of the methods inHow to use remote tools to troubleshoot Azure virtual machines.

Group Policy Customer Service

If the virtual machine is a domain-joined virtual machine, first stop the Group Policy Client service to prevent Active Directory policy changes from being overridden. To do this, run the following command:

REM Disable the member server to get the latest domain GPO after startREG has added "HKLM\SYSTEM\CurrentControlSet\Services\gpsvc" /v Start /t REG_DWORD /d 4 /f

Once the issue is resolved, restore the ability of this VM to communicate with the domain to get the latest GPO for the domain. To do this, run the following commands:

sc config gpsvc start= autosc start gpsvcgpupdate /force

If the change is reverted, it means an Active Directory policy is causing the problem.

alternative solution

As a workaround to connect to the VM and troubleshoot the cause, you can temporarily disable NLA. To disable NLA use the following commands or use theDisable NLAscript onRun the command.

Disable REM Network Level Authentication logging and add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0

Then restart the VM and continue to the troubleshooting section.

After fixing the issue, re-enable NLA by running the following commands and restarting the virtual machine:

REG agregar "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v disabledomaincreds /t REG_DWORD /d 0 /fREG agregar "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD / d1/f

Troubleshooting

1. Troubleshoot problems with domain-joined virtual machines.
2. Troubleshooting standalone VMs.

Troubleshoot domain-joined virtual machines

To solve this problem:

1. Make sure the virtual machine can connect to a domain controller.
2. Check the health of DC.

Connect to the VM that is having the issueKonsolenserie, Remote-CMD oder Remote-PowerShell, according to the steps ofConnect to the virtual machine remotelySection.

1. Determine the domain controller that the virtual machine is trying to connect to. Run the following command in the console:

   set | Locate /i "SESSION LOGIN SERVER"

2. Test the integrity of the secure channel between the virtual machine and the domain controller. To do this, run theTest-ComputerSecureChannelCommand in an elevated instance of PowerShell. This command returns True or False and indicates whether the secure channel is active:

   (Video) Troubleshooting RDP issues on Azure VM

   Test-ComputerSecureChannel -verbose

   If the channel is broken, run the following command to fix it:

   Test-ComputerSecureChannel repair

3. Ensure that the password for the computer account in Active Directory is up to date on both the VM and the DC:

   Reset-ComputerMachinePassword -Server "<COMPUTERNAME>" -Credential <DOMAIN CREDENTIAL WITH DOMAIN ADMINISTRATOR LEVEL>

If communication between the domain controller and the VM is good, but the domain controller is not healthy enough to open an RDP session, try restarting the domain controller.

If the above commands do not resolve the domain communication issue, you can rejoin this virtual machine to the domain. To do this, follow these steps:

1. Create a script named Unjoin.ps1 with the following content, and then implement the script ascustom script extensionno Azure portal:

   cmd /c "netdom remove <<MachineName>> /domain:<<DomainName>> /userD:<<DomainAdminHere>> /passwordD:<<PasswordHere>> /reboot:10 /Force"

   This script forcibly removes the VM from the domain and restarts the VM 10 seconds later. Next you need to clean up the computer object on the domain side.

   See Also

   Use tenant restrictions to manage access to SaaS applications - Microsoft EnterIntroduction to Microsoft Enter Verified ID - Microsoft EnterConfigure the Remote Desktop web client for your usersAuthorization code expiration - Azure Active Directory B2C

2. After the cleanup is complete, join this virtual machine back to the domain. To do this, create a script called JoinDomain.ps1 with the following content, and then deploy the script as a custom script extension in the Azure portal:

   cmd /c "netdom join <<NombreMáquina>> /dominio:<<NombreDominio>> /userD:<<DomainAdminhere>> /passwordD:<<PasswordHere>> /reboot:10"

If the Active Directory channel is healthy, the computer's password is up to date, and the domain controller is working as expected, try the following steps.

If the problem persists, check if domain credentials are disabled. To do this, open an elevated Command Prompt window and run the following command to determine if the VM is configured to disable domain accounts from logging into the VM:

Consult REG "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v disabledomaincreds

If the key is set to 1, it means the server has been configured not to allow domain credentials. Change this key to 0.

Troubleshooting standalone virtual machines

Check the minimum encryption level

In a CMD instance, run the following command to get theMinEncryptionLevelRegistry value:

consult the registry "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel

Depending on the registry value, do the following:

• 4 (FIPS): Check connections for FIP-compliant algorithms.

• 3 (128-bit encryption): Set the severity to 2 by running the following command:

  Registrierung agregar "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t REG_DWORD /d 2 /f

• 2 (highest possible encryption as set by the client): You can try setting the encryption to the minimum value of1Running the following command:

  Registrierung agregar "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t REG_DWORD /d 1 /f

Reboot the VM for the registry changes to take effect.

TLS-Version

Depending on the system, RDP uses the TLS 1.0, 1.1 or 1.2 (server) protocol. To see how these logs are configured on the virtual machine, open a CMD instance and run the following commands:

Consult registry "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v Enabledreg Consult "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" / v Enabledreg consulta "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /v Habilitado

If the return values ​​are not all1, it means the protocol is disabled. Run the following commands to enable these logs:

Registrieren Sie "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v Habilitado /t REG_DWORD /d 1 /freg agregar "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v Anpassung /t REG_DWORD /d 1 /freg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /v Anpassung /t REG_DWORD /d 1 /f

For other versions of the log, you can run the following commands:

Consult registry "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS x.x\Server" /v EnabledConsult registry "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS x.x\Server" /v Enables

Check the connections for FIP-compatible algorithms

Remote Desktop can be enforced to only use connections with FIP-compliant algorithms. This can be configured with a registry key. To do this, open an elevated Command Prompt window and check the following keys:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy registry query /v Enabled

When the command returns1, change the registry value to0.

Registry query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy" /v Enabled /t REG_DWORD /d 0

Check currentMinEncryptionLevelin virtual machine:

consult the registry "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel

When the command returns4, change the registry value to2

Consult the registry "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t REG_DWORD /d 2

Reboot the VM for the registry changes to take effect.

Next Steps

• SetEncryptionLevel method of the Win32_TSGeneralSetting class
• Configure server authentication and encryption levels
• General configuration of the Win32_TS class

If you have any questions or need help,create a support request, is freightAzure-Community-Support. You can also send product feedback toAzure-Community-Support.