My VM's RDP certificate fingerprint changed for some reason. Is there a way for me to verify the new certificate fingerprint in Azure?
Type: Virtual Machine (classic), Machine: Basic_A3, OS: Windows Server
There are boot diagnostic logs available in Azure, enabled by default, when you boot a virtual machine. You can find them by selecting the virtual machine in the Azure portal; in the menu section 'Support + troubleshooting', select 'Boot diagnostics' and then the 'Serial log' tab. These logs list various system parameters as a JSON object, which contains the remoteAccess object seen below.
"remoteAccess": {
  "windows": {
    "rdpPort": 3389,
    "rdpEnabled": true,
    "rdpTcpListenerSecurityConfiguration": {
      "nlaUserAuthenticationRequired": true,
      "authenticationSecurityLayer": "TLS",
      "protocolNegotiationAllowed": true
    },
    "rdpTcpListenerMaxConnections": 2,
    "rdpFirewallAccess": "Allowed",
    "rdpAllowedUsers": [
      "TestUser"
    ],
    "rdpCertificateDetails": {
      "subject": "CN=RDPTest",
      "thumbprint": "9AD7CB3493790BCAB6FBF543EBBBE68883E9EE89",
      "validFrom": "2018-02-17T10:58:42Z",
      "validTo": "2018-08-19T10:58:42Z"
    },
    "rdsLicensingStatus": null
  }
}
As you can see, there is an rdpCertificateDetails object that lists the SHA thumbprint of the RDP server certificate. Unlike the Linux boot diagnostics log, it will list the thumbprint every time, so there is no need to worry if it was not recorded on first boot.
When you first connect, there will be an "unknown publisher" warning.
Click through, and enter your credentials. After entering your credentials, it will show an "identity could not be verified" warning. The name of the computer will be the name of the VM in Azure.
Click view certificate, and go to details. Here you can find the thumbprint to verify against the one from the boot diagnostics.
For more detailed instructions on finding the boot diagnostics in the Azure portal, and obtaining the SSH keys for a Linux VM, see my answer on this StackOverflow question.
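The comparison this answer describes can also be done from the client side without clicking through the RDP warning: pull the thumbprint out of the saved serial log, then open a connection to port 3389, perform the standard RDP security negotiation (X.224 Connection Request with RDP_NEG_REQ, as in MS-RDPBCGR), complete the TLS handshake and hash the certificate the listener actually presents. The script below is an added example, not code from this answer or from Azure. It assumes you have saved the serial log text to a file (the embedded SAMPLE_SERIAL_LOG is a constructed stand-in shaped like the JSON quoted above), that the VM runs a Windows version whose RDP listener negotiates TLS or CredSSP, and that the Windows "Thumbprint" is the SHA-1 of the DER certificate (it is). SSL|HYBRID is requested so that a host with NLA required still answers; both choices start with a TLS handshake, which is all that is needed to see the certificate.

```python
import hashlib
import hmac
import re
import socket
import ssl
import struct

PROTOCOL_SSL = 0x01     # plain TLS
PROTOCOL_HYBRID = 0x02  # CredSSP (NLA), which also runs over TLS

# Constructed sample in the shape of the boot diagnostics serial log; the
# surrounding console output is included on purpose (the log is not pure JSON).
SAMPLE_SERIAL_LOG = """
[2018-02-17T11:02:03Z] Windows boot diagnostics ...
"remoteAccess": {
  "windows": {
    "rdpPort": 3389,
    "rdpCertificateDetails": {
      "subject": "CN=RDPTest",
      "thumbprint": "9AD7CB3493790BCAB6FBF543EBBBE68883E9EE89",
      "validFrom": "2018-02-17T10:58:42Z",
      "validTo": "2018-08-19T10:58:42Z"
    }
  }
}
"""

_THUMB_RE = re.compile(
    r'"rdpCertificateDetails"\s*:\s*\{[^{}]*?"thumbprint"\s*:\s*"([0-9A-Fa-f]{40})"'
)


def expected_thumbprint(serial_log: str) -> str:
    """Extract rdpCertificateDetails.thumbprint by searching the log text
    (json.loads() on the whole file would fail on the non-JSON console lines)."""
    match = _THUMB_RE.search(serial_log)
    if not match:
        raise ValueError("no rdpCertificateDetails.thumbprint found in serial log")
    return match.group(1).upper()


def normalize_thumbprint(value: str) -> str:
    """Drop the spaces/colons the Windows certificate dialog inserts; upper-case hex."""
    return re.sub(r"[^0-9A-Fa-f]", "", value).upper()


def thumbprints_match(a: str, b: str) -> bool:
    return hmac.compare_digest(normalize_thumbprint(a), normalize_thumbprint(b))


def thumbprint_from_der(der: bytes) -> str:
    """Windows 'Thumbprint' is SHA-1 over the DER-encoded certificate."""
    return hashlib.sha1(der).hexdigest().upper()


def build_connection_request(protocols: int = PROTOCOL_SSL | PROTOCOL_HYBRID) -> bytes:
    """TPKT header + X.224 Connection Request carrying an RDP_NEG_REQ."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, protocols)  # type, flags, length, requestedProtocols
    x224 = b"\xe0\x00\x00\x00\x00\x00" + neg_req               # CR code, dst-ref, src-ref, class option
    x224 = bytes([len(x224)]) + x224                           # X.224 length indicator (14)
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224     # TPKT: version 3, reserved, total length


def parse_connection_confirm(data: bytes) -> int:
    """Return selectedProtocol from the X.224 Connection Confirm; raise on RDP_NEG_FAILURE."""
    if len(data) < 19 or data[0] != 3 or data[5] != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    neg_type, _flags, _length, value = struct.unpack_from("<BBHI", data, 11)  # after 4 TPKT + 7 X.224 bytes
    if neg_type == 0x03:
        raise ConnectionError(f"server refused security negotiation, failureCode={value}")
    if neg_type != 0x02:
        raise ValueError(f"unexpected negotiation structure type 0x{neg_type:02x}")
    return value


def fetch_rdp_thumbprint(host: str, port: int = 3389, timeout: float = 5.0) -> str:
    """Negotiate TLS with the RDP listener and return the thumbprint of the cert it presents.
    Chain verification is disabled on purpose: the RDP cert is self-signed and the
    whole point is to pin it by thumbprint against the boot diagnostics value."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request())
        parse_connection_confirm(sock.recv(1024))
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return thumbprint_from_der(tls.getpeercert(binary_form=True))


if __name__ == "__main__":
    import sys  # usage: python rdp_thumbprint.py <serial_log.txt> <vm-host-or-ip>
    with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
        expected = expected_thumbprint(fh.read())
    presented = fetch_rdp_thumbprint(sys.argv[2])
    print(f"expected  {expected}\npresented {presented}")
    sys.exit(0 if thumbprints_match(expected, presented) else 1)
```

If the listener replies with RDP_NEG_FAILURE (for example failureCode 5, HYBRID_REQUIRED_BY_SERVER, when only PROTOCOL_SSL was requested) the script stops before the TLS handshake, which is why the default request includes PROTOCOL_HYBRID. A mismatch between the two thumbprints after a reboot that regenerated the self-signed certificate is expected; a mismatch while the serial log still shows the old validFrom/validTo is the case worth investigating before entering credentials.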
If you're using a Classic VM (ASM), chances are the legacy Azure Portal can assist you here (manage.windowsazure.com). I know for Linux VMs it displays SSH thumbprints; I'm not sure if it will show auto-enrolled RDP certs. If you have VM extensions enabled, then you should be able to deploy the password reset extension on a classic VM if needed to reset an RDP configuration. The portal has it built in, though. If you put some more info on the OS and VM model you're on, we'll be able to help you better here.
This solved the problem for me.
Log into the VM using PowerShell. (If you do not know how, follow this guide. The certificate for secure login is found here in the new portal: Cloud services (classic) > (vm name) > Settings > Certificates)
Execute the following commands remotely:
# Switch to the certificate drive, then into the machine's "Remote Desktop" store
Set-Location 'Cert:\LocalMachine\Remote Desktop'
# List the store; Thumbprint is the SHA-1 fingerprint shown in the RDP client's certificate dialog
Get-ChildItem | Format-List Subject, Thumbprint, NotBefore, NotAfter
This gives you the certificate thumbprint. Use it to verify the one given when you try to connect using Remote Desktop.