An internal error occurs when you try to connect to an Azure VM through Remote Desktop

This article describes an error that you may experience when you try to connect to a virtual machine (VM) in Azure.

Symptoms

You cannot connect to an Azure VM by using the Remote Desktop Protocol (RDP). The connection gets stuck on the "Configuring Remote" section, or you receive one of the following error messages:

  • RDP internal error
  • An internal error has occurred
  • This computer can't be connected to the remote computer. Try connecting again. If the problem continues, contact the owner of the remote computer or your network administrator.

Cause

This issue may occur for the following reasons:

  • The local RSA encryption keys cannot be accessed.
  • The TLS protocol is disabled.
  • The certificate is corrupted or expired.

Solution

Before you follow these steps, take a snapshot of the OS disk of the affected VM as a backup. For more information, see Snapshot a disk.

To troubleshoot this issue, repair the VM offline by attaching the OS disk of the VM to a recovery VM.

Repair the VM Offline

Attach the OS disk to a recovery VM

  1. Attach the OS disk to a recovery VM.
  2. After the OS disk is attached to the recovery VM, make sure that the disk is flagged as Online in the Disk Management console. Note the drive letter that is assigned to the attached OS disk.
  3. Start a Remote Desktop connection to the recovery VM.

Enable dump log and Serial Console

To enable the dump log and the Serial Console, follow these steps.

  1. Open an elevated command prompt session (Run as administrator).

  2. Run the following script:

    In this script, we assume that the drive letter that is assigned to the attached OS disk is F. Replace this drive letter with the appropriate value for your VM.

    REM Load the SYSTEM hive of the attached OS disk (the hive file has no extension)
    reg load HKLM\BROKENSYSTEM F:\windows\system32\config\SYSTEM

    REM Enable Serial Console
    bcdedit /store F:\boot\bcd /set {bootmgr} displaybootmenu yes
    bcdedit /store F:\boot\bcd /set {bootmgr} timeout 5
    bcdedit /store F:\boot\bcd /set {bootmgr} bootems yes
    REM Replace {<BOOT LOADER IDENTIFIER>} with the identifier of the Windows Boot Loader entry listed by: bcdedit /store F:\boot\bcd /enum
    bcdedit /store F:\boot\bcd /ems {<BOOT LOADER IDENTIFIER>} ON
    bcdedit /store F:\boot\bcd /emssettings EMSPORT:1 EMSBAUDRATE:115200

    REM Suggested configuration to enable OS Dump (both control sets, so the setting survives a last-known-good boot)
    REG ADD "HKLM\BROKENSYSTEM\ControlSet001\Control\CrashControl" /v CrashDumpEnabled /t REG_DWORD /d 1 /f
    REG ADD "HKLM\BROKENSYSTEM\ControlSet001\Control\CrashControl" /v DumpFile /t REG_EXPAND_SZ /d "%SystemRoot%\MEMORY.DMP" /f
    REG ADD "HKLM\BROKENSYSTEM\ControlSet001\Control\CrashControl" /v NMICrashDump /t REG_DWORD /d 1 /f

    REG ADD "HKLM\BROKENSYSTEM\ControlSet002\Control\CrashControl" /v CrashDumpEnabled /t REG_DWORD /d 1 /f
    REG ADD "HKLM\BROKENSYSTEM\ControlSet002\Control\CrashControl" /v DumpFile /t REG_EXPAND_SZ /d "%SystemRoot%\MEMORY.DMP" /f
    REG ADD "HKLM\BROKENSYSTEM\ControlSet002\Control\CrashControl" /v NMICrashDump /t REG_DWORD /d 1 /f

    REM Unload the hive so the disk can be detached cleanly
    reg unload HKLM\BROKENSYSTEM


Reset the permission for the MachineKeys folder

  1. Open an elevated command prompt session (Run as administrator).

  2. Run the following script. In this script, we assume that the drive letter that is assigned to the attached OS disk is F. Replace this drive letter with the appropriate value for your VM.

     REM Folder on the recovery VM that receives the before/after permission listings
     Md c:\temp

     REM Record the current ACL of the key store before changing anything
     icacls F:\ProgramData\Microsoft\Crypto\RSA\MachineKeys /t /c > c:\temp\BeforeScript_permissions.txt

     REM Give the Administrators group ownership of the folder and everything under it
     takeown /f "F:\ProgramData\Microsoft\Crypto\RSA\MachineKeys" /a /r

     icacls F:\ProgramData\Microsoft\Crypto\RSA\MachineKeys /t /c /grant "NT AUTHORITY\System:(F)"

     icacls F:\ProgramData\Microsoft\Crypto\RSA\MachineKeys /t /c /grant "NT AUTHORITY\NETWORK SERVICE:(R)"

     icacls F:\ProgramData\Microsoft\Crypto\RSA\MachineKeys /t /c /grant "BUILTIN\Administrators:(F)"

     REM Record the resulting ACL for comparison
     icacls F:\ProgramData\Microsoft\Crypto\RSA\MachineKeys /t /c > c:\temp\AfterScript_permissions.txt


Enable all supported TLS versions

  1. Open an elevated command prompt session (Run as administrator), and then run the following commands. The following script assumes that the drive letter that is assigned to the attached OS disk is F. Replace this drive letter with the appropriate value for your VM.

  2. Check which TLS versions are enabled:

     reg load HKLM\BROKENSYSTEM F:\windows\system32\config\SYSTEM

     REM Query only; the values are changed in the next step if they are missing or 0
     REG QUERY "HKLM\BROKENSYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v Enabled

     REG QUERY "HKLM\BROKENSYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v Enabled

     REG QUERY "HKLM\BROKENSYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /v Enabled

     REG QUERY "HKLM\BROKENSYSTEM\ControlSet002\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v Enabled

     REG QUERY "HKLM\BROKENSYSTEM\ControlSet002\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v Enabled

     REG QUERY "HKLM\BROKENSYSTEM\ControlSet002\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /v Enabled
    
  3. If the key doesn't exist, or its value is 0, enable the protocol by running the following script:

     REM Enable TLS 1.0, TLS 1.1 and TLS 1.2
    
     REG ADD "HKLM\BROKENSYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v Enabled /t REG_DWORD /d 1 /f
    
     REG ADD "HKLM\BROKENSYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v Enabled /t REG_DWORD /d 1 /f
    
     REG ADD "HKLM\BROKENSYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /v Enabled /t REG_DWORD /d 1 /f
    
     REG ADD "HKLM\BROKENSYSTEM\ControlSet002\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v Enabled /t REG_DWORD /d 1 /f
    
     REG ADD "HKLM\BROKENSYSTEM\ControlSet002\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v Enabled /t REG_DWORD /d 1 /f
    
     REG ADD "HKLM\BROKENSYSTEM\ControlSet002\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /v Enabled /t REG_DWORD /d 1 /f
    
  4. Enable NLA:

     REM Enable NLA
    
     REG ADD "HKLM\BROKENSYSTEM\ControlSet001\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 1 /f
    
     REG ADD "HKLM\BROKENSYSTEM\ControlSet001\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 1 /f
    
     REG ADD "HKLM\BROKENSYSTEM\ControlSet001\Control\Terminal Server\WinStations\RDP-Tcp" /v fAllowSecProtocolNegotiation /t REG_DWORD /d 1 /f
    
     REG ADD "HKLM\BROKENSYSTEM\ControlSet002\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 1 /f
    
     REG ADD "HKLM\BROKENSYSTEM\ControlSet002\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 1 /f
    
     REG ADD "HKLM\BROKENSYSTEM\ControlSet002\Control\Terminal Server\WinStations\RDP-Tcp" /v fAllowSecProtocolNegotiation /t REG_DWORD /d 1 /f

     REM Unload the hive before detaching the disk
     reg unload HKLM\BROKENSYSTEM
    
  5. Detach the OS disk and recreate the VM, and then check whether the issue is resolved.
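
The following PowerShell script is an added example, not part of the original article, for auditing the attached OS disk's SYSTEM hive before you detach it in step 5. It loads the hive read-only, reports the CrashControl values from the "Enable dump log and Serial Console" section and the SCHANNEL and RDP-Tcp values from this section for both control sets, and then unloads the hive. The `$OsDrive` parameter (default `F:`) and the temporary key name `HKLM\BROKENSYSTEM` are assumptions that follow the article's example; run it in an elevated PowerShell session on the recovery VM, after the command prompt session above has unloaded the hive.

```powershell
# Added example, not part of the original article: read-only audit of the attached OS disk's
# SYSTEM hive, covering the values the article's procedures set. Nothing is written to the hive.
# $OsDrive is an assumed parameter; F: matches the article's example.
param([string]$OsDrive = 'F:')

$hiveFile = Join-Path $OsDrive 'Windows\System32\config\SYSTEM'
$mount    = 'HKLM\BROKENSYSTEM'   # temporary key name, as used in the article

& reg.exe load $mount $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $hiveFile (is the hive still loaded from an earlier step?)" }

try {
    # Each check: key path relative to the control set, value name, and the value the fix expects.
    $checks = @(
        @{ Key = 'Control\CrashControl';                                        Name = 'CrashDumpEnabled';             Want = 1 }
        @{ Key = 'Control\CrashControl';                                        Name = 'NMICrashDump';                 Want = 1 }
        @{ Key = 'Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server'; Name = 'Enabled';                      Want = 1 }
        @{ Key = 'Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server'; Name = 'Enabled';                      Want = 1 }
        @{ Key = 'Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'; Name = 'Enabled';                      Want = 1 }
        @{ Key = 'Control\Terminal Server\WinStations\RDP-Tcp';                 Name = 'SecurityLayer';                Want = 1 }
        @{ Key = 'Control\Terminal Server\WinStations\RDP-Tcp';                 Name = 'UserAuthentication';           Want = 1 }
        @{ Key = 'Control\Terminal Server\WinStations\RDP-Tcp';                 Name = 'fAllowSecProtocolNegotiation'; Want = 1 }
    )

    foreach ($set in 'ControlSet001', 'ControlSet002') {
        $base = "HKLM:\BROKENSYSTEM\$set"
        if (-not (Test-Path $base)) { "$set : not present in this hive"; continue }
        foreach ($c in $checks) {
            $key  = Join-Path $base $c.Key
            # Missing key or missing value both come back as $null here.
            $item = Get-ItemProperty -Path $key -Name $c.Name -ErrorAction SilentlyContinue
            $state = if ($null -eq $item)                 { 'MISSING' }
                     elseif ($item.($c.Name) -eq $c.Want) { 'OK' }
                     else                                 { "MISMATCH (found $($item.($c.Name)))" }
            '{0,-13} {1,-66} {2,-30} {3}' -f $set, $c.Key, $c.Name, $state
        }
    }
}
finally {
    # Release the provider's handles, then unload; a hive left loaded keeps the disk from detaching cleanly.
    [GC]::Collect()
    [GC]::WaitForPendingFinalizers()
    & reg.exe unload $mount | Out-Null
}
```

A MISSING or MISMATCH row for an Enabled value is the condition step 3 addresses; a row showing the key absent in one control set but present in the other explains why the article writes both ControlSet001 and ControlSet002. Once RDP access is restored, rerun the same audit with `Want = 0` for the TLS 1.0 and TLS 1.1 rows if your baseline disables those protocol versions, so the temporary broadening does not outlive the repair.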