Troubleshoot Azure VM RDP connection issues by Event ID

This article explains how to use event IDs to troubleshoot issues that prevent a Remote Desktop Protocol (RDP) connection to an Azure virtual machine (VM).

Symptoms

You try to use a Remote Desktop Protocol (RDP) session to connect to an Azure VM. After you enter your credentials, the connection fails and you receive the following error message:

This computer can't connect to the remote computer. Try connecting again, if the problem continues, contact the owner of the remote computer or your network administrator.

To troubleshoot this issue, review the event logs on the VM and then refer to the scenarios below.

Before you troubleshoot

Create a backup snapshot

To create a backup snapshot, follow the steps in Snapshot a disk.

Connect to the VM remotely

To connect to the VM remotely, use one of the methods in How to use remote tools to troubleshoot Azure VM issues.

Scenario 1

Event logs

In a CMD instance, run the following commands to check whether event 1058 or event 1057 was logged in the System log within the past 24 hours:

wevtutil qe system /c:1 /f:text /q:"Event[System[Provider[@Name='Microsoft-Windows-TerminalServices-RemoteConnectionManager'] and EventID=1058 and TimeCreated[timediff(@SystemTime) <= 86400000]]]" | more
wevtutil qe system /c:1 /f:text /q:"Event[System[Provider[@Name='Microsoft-Windows-TerminalServices-RemoteConnectionManager'] and EventID=1057 and TimeCreated[timediff(@SystemTime) <= 86400000]]]" | more
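As an added example that is not part of the original article, the following PowerShell script runs one consolidated query for every event ID this article maps to its three scenarios (1057/1058, 36870/36872, 36871, 2056, 1296) and labels each hit with the scenario to read; the log names and providers are taken from the event records shown in the article.

```powershell
# Added example, not from the article: one Get-WinEvent pass over all the event IDs
# this article covers, instead of one wevtutil call per ID. Read-only; run elevated.
$Since = (Get-Date).AddHours(-24)

# Log/provider/ID -> scenario in this article (values taken from its event records).
$Checks = @(
    @{ Log = 'System'; Provider = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager'
       Id = 1057, 1058; Scenario = 'Scenario 1: RDP self-signed certificate / MachineKeys permissions' }
    @{ Log = 'System'; Provider = 'Schannel'
       Id = 36870, 36872; Scenario = 'Scenario 1: TLS server credential private key not accessible' }
    @{ Log = 'System'; Provider = 'Schannel'
       Id = 36871; Scenario = 'Scenario 2: TLS version disabled by security policy' }
    @{ Log = 'Microsoft-Windows-TerminalServices-SessionBroker/Operational'
       Provider = 'Microsoft-Windows-TerminalServices-SessionBroker'
       Id = 2056; Scenario = 'Scenario 3: Connection Broker host name changed' }
    @{ Log = 'Microsoft-Windows-TerminalServices-SessionBroker-Client/Operational'
       Provider = 'Microsoft-Windows-TerminalServices-SessionBroker-Client'
       Id = 1296; Scenario = 'Scenario 3: Connection Broker host name changed' }
)

$Findings = foreach ($c in $Checks) {
    $filter = @{ LogName = $c.Log; ProviderName = $c.Provider; Id = $c.Id; StartTime = $Since }
    # SilentlyContinue: Get-WinEvent throws when nothing matches or when the channel
    # does not exist (e.g. the Connection Broker role is not installed on this VM).
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Id          = $_.Id
                Provider    = $_.ProviderName
                Scenario    = $c.Scenario
                Message     = ($_.Message -split "`r?`n")[0]   # first line of the description
            }
        }
}

if ($Findings) {
    $Findings | Sort-Object TimeCreated | Format-Table -AutoSize -Wrap
} else {
    'No matching RDP, Schannel or Connection Broker events in the last 24 hours.'
}
```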

Log Name: System
Source: Microsoft-Windows-TerminalServices-RemoteConnectionManager
Date: time
Event ID: 1058
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: computer
Description: The RD Session Host Server has failed to replace the expired self signed certificate used for RD Session Host Server authentication on TLS connections. The relevant status code was Access is denied.

Log Name: System
Source: Microsoft-Windows-TerminalServices-RemoteConnectionManager
Date: time
Event ID: 1058
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: computer
Description: RD Session host server has failed to create a new self-signed certificate to be used for RD Session host server authentication on TLS connections, the relevant status code was object already exists.

Log Name: System
Source: Microsoft-Windows-TerminalServices-RemoteConnectionManager
Date: time
Event ID: 1057
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: computer
Description: The RD Session Host Server has failed to create a new self signed certificate to be used for RD Session Host Server authentication on TLS connections. The relevant status code was Keyset does not exist.

You can also check for SCHANNEL error events 36872 and 36870 by running the following commands:

wevtutil qe system /c:1 /f:text /q:"Event[System[Provider[@Name='Schannel'] and EventID=36870 and TimeCreated[timediff(@SystemTime) <= 86400000]]]" | more
wevtutil qe system /c:1 /f:text /q:"Event[System[Provider[@Name='Schannel'] and EventID=36872 and TimeCreated[timediff(@SystemTime) <= 86400000]]]" | more

Log Name: System
Source: Schannel
Date: -
Event ID: 36870
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: computer
Description: A fatal error occurred when attempting to access the TLS server credential private key. The error code returned from the cryptographic module is 0x8009030D.
The internal error state is 10001.

Cause

This issue occurs because the local RSA encryption keys in the MachineKeys folder on the VM can't be accessed. This can happen for one of the following reasons:

  1. Wrong permissions on the MachineKeys folder or on the RSA key files.

  2. A corrupted or missing RSA key.

Resolution

To resolve this issue, set the correct permissions on the RDP certificate's key by using these steps.

Grant permission to the MachineKeys folder

  1. Create a script with the following content:

    # Unload PSReadLine before running the console tools below (kept from the original script)
    remove-module psreadline
    # The before/after reports are written to C:\temp; create it if it does not exist
    New-Item -ItemType Directory -Path C:\temp -Force | Out-Null
    # Record the current ACLs before anything is changed
    icacls C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys /t /c > c:\temp\BeforeScript_permissions.txt
    # Take ownership for the Administrators group (recursively), then grant the default ACEs
    takeown /f "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys" /a /r
    icacls C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys /t /c /grant "NT AUTHORITY\System:(F)"
    icacls C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys /t /c /grant "NT AUTHORITY\NETWORK SERVICE:(R)"
    icacls C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys /t /c /grant "BUILTIN\Administrators:(F)"
    # Record the resulting ACLs so the two reports can be compared
    icacls C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys /t /c > c:\temp\AfterScript_permissions.txt
    # Restart Remote Desktop Services so it reopens the keys with the new permissions
    Restart-Service TermService -Force
    
  2. Run this script to reset the permissions on the MachineKeys folder and the RSA key files to the default values.

  3. Try to access the VM again.

After the script runs, you can compare the following files to see which key files had permission problems:

  • c:\temp\BeforeScript_permissions.txt
  • c:\temp\AfterScript_permissions.txt
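The following PowerShell script is an added example, not part of the article: instead of diffing the two icacls reports by hand, it audits each key file in MachineKeys read-only and reports files whose security descriptor cannot be read at all, or that lack the SYSTEM and Administrators Full Control that the repair script above grants.

```powershell
# Added example, not from the article: read-only audit of the MachineKeys folder.
# Flags key files that cannot be read, or that lack the SYSTEM / Administrators
# Full Control granted by the article's repair script. Changes nothing; run elevated.
$MachineKeys = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys'

function Test-MachineKeyAcl {
    param([string]$Path)
    foreach ($file in Get-ChildItem -LiteralPath $Path -File -Force) {
        try {
            $acl = Get-Acl -LiteralPath $file.FullName
        } catch {
            # Get-Acl fails here when even the security descriptor is unreadable,
            # which is the "Access is denied" situation behind event 1058.
            [pscustomobject]@{ File = $file.Name; Owner = '?'; SystemFull = $false
                               AdminsFull = $false; Problem = $_.Exception.GetType().Name }
            continue
        }
        $allow = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' })
        $sysFull = [bool]($allow | Where-Object {
            $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' -and $_.FileSystemRights -eq 'FullControl' })
        $admFull = [bool]($allow | Where-Object {
            $_.IdentityReference.Value -eq 'BUILTIN\Administrators' -and $_.FileSystemRights -eq 'FullControl' })
        $problem = ''
        if (-not $sysFull) { $problem += 'no SYSTEM Full Control; ' }
        if (-not $admFull) { $problem += 'no Administrators Full Control; ' }
        [pscustomobject]@{ File = $file.Name; Owner = $acl.Owner; SystemFull = $sysFull
                           AdminsFull = $admFull; Problem = $problem.TrimEnd('; ') }
    }
}

$report = @(Test-MachineKeyAcl -Path $MachineKeys)
$bad    = @($report | Where-Object { $_.Problem })
$bad | Format-Table File, Owner, Problem -AutoSize
'{0} key files checked, {1} with permission problems' -f $report.Count, $bad.Count
```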

Renew RDP self-signed certificate

If the issue persists, run the following script to make sure that the RDP self-signed certificate is renewed:

Import-Module PKI
Set-Location Cert:\LocalMachine
# Remove every certificate in the Remote Desktop store (normally only the self-signed
# RDP certificate). Handling them one by one avoids building an invalid path when
# more than one certificate is present.
Get-ChildItem -Path 'Cert:\LocalMachine\Remote Desktop\' | Remove-Item
# Restart the Remote Desktop Configuration service; it issues a new self-signed certificate on start
Stop-Service -Name "SessionEnv"
Start-Service -Name "SessionEnv"

If you can't renew the certificate, follow these steps to try to delete it:

  1. On another VM in the same VNET, open the Run box, type mmc, and then select OK.

  2. On the File menu, select Add/Remove Snap-in.

  3. In the Available snap-ins list, select Certificates, and then select Add.

  4. Select Computer account, and then select Next.

  5. Select Another computer, and then add the IP address of the VM that has the problem.

    Note

    Use the internal network so that you avoid going through a virtual IP address.

  6. Select Finish, and then select OK.


  7. Expand Certificates, go to the Remote Desktop\Certificates folder, right-click the certificate, and then select Delete.

  8. Restart the Remote Desktop Configuration service:

    net stop SessionEnv
    net start SessionEnv
    

    Note

    At this point, if you refresh the store in mmc, the certificate reappears.

Try to access the VM by using RDP again.

Update TLS/SSL certificate

If you set up the VM to use a TLS/SSL certificate, run the following command to get the thumbprint that the RDP listener is configured with, and then check whether it matches the thumbprint of the certificate:

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SSLCertificateSHA1Hash

If it doesn't match, change the thumbprint:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SSLCertificateSHA1Hash /t REG_BINARY /d <CERTIFICATE THUMBPRINT>

You can also delete the value so that RDP falls back to its self-signed certificate:

reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SSLCertificateSHA1Hash
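As an added example that is not part of the article, the following PowerShell script automates the comparison described above: it reads SSLCertificateSHA1Hash, converts the REG_BINARY value to a thumbprint, and checks that a matching certificate exists in the local machine stores, is unexpired and has a private key.

```powershell
# Added example, not from the article: does the thumbprint the RDP-Tcp listener is
# configured with (SSLCertificateSHA1Hash) match a usable certificate on this VM?
$Key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$Value = 'SSLCertificateSHA1Hash'

$bytes = (Get-ItemProperty -Path $Key -Name $Value -ErrorAction SilentlyContinue).$Value
if (-not $bytes) {
    "$Value is not set: the listener uses the self-signed certificate in the Remote Desktop store."
    Get-ChildItem -Path 'Cert:\LocalMachine\Remote Desktop' |
        Format-Table Thumbprint, Subject, NotAfter, HasPrivateKey -AutoSize
    return
}

# REG_BINARY comes back as a byte array; a thumbprint is its upper-case hex string.
$hex = ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''
"Configured thumbprint: $hex"

$cert = Get-ChildItem -Path 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Remote Desktop' |
        Where-Object { $_.Thumbprint -eq $hex } | Select-Object -First 1
if (-not $cert) {
    "PROBLEM: no certificate with thumbprint $hex in the My or Remote Desktop store."
    "Set the correct thumbprint with 'reg add' or remove the value with 'reg delete' as shown above."
    return
}
"Found: $($cert.Subject) (store: $($cert.PSParentPath -replace '^.*::', ''))"
if ($cert.NotAfter -lt (Get-Date)) {
    "PROBLEM: certificate expired on $($cert.NotAfter); renew it and update $Value."
}
if (-not $cert.HasPrivateKey) {
    "PROBLEM: certificate has no private key, so Schannel cannot load it (compare event 36870)."
}
```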

Scenario 2

Event log

In a CMD instance, run the following command to check whether SCHANNEL error event 36871 was logged in the System log within the past 24 hours:

wevtutil qe system /c:1 /f:text /q:"Event[System[Provider[@Name='Schannel'] and EventID=36871 and TimeCreated[timediff(@SystemTime) <= 86400000]]]" | more

Log Name: System
Source: Schannel
Date: -
Event ID: 36871
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: computer
Description: A fatal error occurred while creating a TLS server credential. The internal error state is 10013.

Cause

This issue is caused by security policies. When older versions of TLS (such as 1.0) are disabled, RDP access fails.

Resolution

RDP uses TLS 1.0 as the default protocol. However, the protocol might be changed to TLS 1.1, which is the new standard.

To troubleshoot this issue, see Troubleshoot authentication errors when you use RDP to connect to Azure VM.

Scenario 3

If the Remote Desktop Connection Broker role is installed on the VM, check whether event 2056 or event 1296 was logged within the past 24 hours. In a CMD instance, run the following commands:

wevtutil qe Microsoft-Windows-TerminalServices-SessionBroker/Operational /c:1 /f:text /q:"Event[System[Provider[@Name='Microsoft-Windows-TerminalServices-SessionBroker'] and EventID=2056 and TimeCreated[timediff(@SystemTime) <= 86400000]]]" | more
wevtutil qe Microsoft-Windows-TerminalServices-SessionBroker-Client/Operational /c:1 /f:text /q:"Event[System[Provider[@Name='Microsoft-Windows-TerminalServices-SessionBroker-Client'] and EventID=1296 and TimeCreated[timediff(@SystemTime) <= 86400000]]]" | more

Log Name: Microsoft-Windows-TerminalServices-SessionBroker/Operational
Source: Microsoft-Windows-TerminalServices-SessionBroker
Date: time
Event ID: 2056
Task Category: (109)
Level: Error
Keywords:
User: NETWORK SERVICE
Computer: computer fqdn
Description: The description for Event ID 2056 from source Microsoft-Windows-TerminalServices-SessionBroker cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
NULL
NULL
Logon to the database failed.

Log Name: Microsoft-Windows-TerminalServices-SessionBroker-Client/Operational
Source: Microsoft-Windows-TerminalServices-SessionBroker-Client
Date: time
Event ID: 1296
Task Category: (104)
Level: Error
Keywords:
User: NETWORK SERVICE
Computer: computer fqdn
Description: The description for Event ID 1296 from source Microsoft-Windows-TerminalServices-SessionBroker-Client cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. If the event originated on another computer, the display information had to be saved with the event. The following information was included with the event:
text
text
Remote Desktop Connection Broker is not ready for RPC communication.

Cause

This issue occurs because the host name of the Remote Desktop Connection Broker server was changed, which is not a supported change.

The host name has entries and dependencies in the Windows Internal Database, which the Remote Desktop Services farm requires in order to work. Changing the host name after the farm is already built causes many errors and can cause the broker server to stop working.

Resolution

To fix this issue, reinstall the Remote Desktop Connection Broker role and the Windows Internal Database.

Next steps

Schannel Events

Schannel SSP Technical Overview

RDP Fails with Event ID 1058 & Event 36870 with Remote Desktop Session Host Certificate & SSL Communication

Schannel 36872 or Schannel 36870 on a Domain Controller

Event ID 1058 — Remote Desktop Services Authentication and Encryption