Login with RDP to a Windows Azure VM using Azure AD

There are no Azure domain services provisioned. We would like to use Azure Active Directory to authenticate users in VM.

If a VM is joined by using Azure Domain Services then you don’t need to follow this article. If not, then read on.

If MFA is enabled, we will need Azure AD conditional access policy that’s available in Azure Active Directory Premium P2 license. Otherwise, Azure AD login to VM from external wouldn’t work.

Why do we need Azure AD Logins?

We use Microsoft Integrated Azure Active Directory (AAD) authentication to improve the security of Windows and Linux virtual machines in Azure. This helps us to centrally control and enforce policies that allow or deny access to the VMs. Available tools on Azure like Azure role-based access control (RBAC) and Azure AD conditional Access allows to control who can access a VM remotely.

Azure VMs provisioning is simple but the challenges is how to securely manage the accounts and credential used to log in to those VMS. People often follow the risky practice of sharing admin account and password among group of people. This makes it really hard to protect production windows VM.

Microsoft has a new feature Azure AD authentication that can be used to connect Windows VM in Azure. We are going to setup a VM that can be used to access via Remote Desktop using Azure Active Directory.

I am assuming that you have;

  1. Azure subscription
  2. Azure VM running Windows Server 2019 Datacenter edition or Windows 10 version 1809 and later
  3. When you create a windows virtual machine in Azure, make sure you have selected “Login with AAD credentials” in the Management blade. Once you select Login with AAD credentials, the “system assigned managed identity” will be automatically selected as shown in the figure below;

To verify that Windows virtual machine does support Azure AD Login, make sure that AAD Login extension is provisioned successfully from the virtual machine blade under Settings -> Extensions.

If you don’t see the extension, you can download it using Azure CLI;

az vm extension set \
    --publisher Microsoft.Azure.ActiveDirectory \
    --name AADLoginForWindows \
    --resource-group database-stg-vm-rg \
    --vm-name {yourVMName}

You can create a new Conditional Access Policy to exclude MFA requirements on Azure Windows VM Sign-in;

You need Windows 10 PC that is;

  1. Either Azure AD registered (starting Windows 10 20H1)
  2. Or Azure AD joined
  3. Or Hybrid Azure
  4. Or stored credentials in windows credential manager

to the same directory as the VM in Azure.

Following steps are needed to finalize Azure and Azure VM configuration;

  1. Select Virtual machine’s blade in Azure Portal -> Windows VM -> Access Control (IAM).
  2. Select Role assignments -> Add -> Add role assignment
  3. Using Add role assignment blade, choose one role (Virtual Machine Administrator Login, Virtual Machine User Login, Virtual Machine Contributor Login).
  4. Choose Azure User that will have this role. You can add a Azure security group if you have multiple user’s
  • Go to Azure VM in the Azure Portal and click Connect button. This will allow you to download RDP file. This file has Public IP address of virtual machine.
  • Login to your VM using RDP file. Open Command Prompt in elevated mode and type following command;

dsregcmd /status

This command will output device and SSO state. You can read more about it here;

https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows#troubleshoot-sign-in-issues

The output say that SSOS State for AzureADPrt is No, and the Device State for AzureAdJoined is set to YES. However the SSO State for AzureADPrt should be set to YES and not NO.

As per Microsoft, upgrade to the latest windows version will switch AzureAdPrt to YES. This did not work in this case.

A workaround. modify downloaded RDP file and add these two lines;

enablecredsspsupport:i:0
authentication level:i:2

The first command will disable CredSSP support and the next on to set the authentication level to 2. This tell the server if server authentication fails, show a warning and allow to connect/refuse.

  • Open Control Panel -> System ->Remote Settings and uncheck this;
  • Add Azure Users to Remote Desktop Users group in VM. This step can not be done through GUI because VM is not joined through Azure Domain Services or simply put Azure Active Directory does not exits. Open command prompt in elevated permission mode and run following command to add user/group to VM Remote Desktop users group;

net localgroup “remote desktop users” /add AzureAdusername@domain.com

You can verify Azure Users by going to Remote Desktop Users group on VM.

  • You are ready to test your VM using RDP. Once logged-in to VM, verify its you;

whoami

Resources

https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows

https://charbelnemnom.com/log-in-with-rdp-to-a-windows-azure-vm-using-azure-ad/

Manage another user (service account) credentials for network access

I have a Windows account that is used for running services (i.e. it’s not intended that any person should log in as that account). Turns out one of the services needs to access a remote network share that’s on a machine in a different Windows domain, and so needs to supply remote credentials to get to that share.

Now if it was me needing to access the remote share, I would simply open Credential Manager, and save the required credentials. But it’s not me, and my understanding of credential manager is it only saves credentials to be used by the logged in user.

I can of course solve this problem. I temporarily elevate the privileges of the service account to allow interactive logins, then I login as that user and use credential manager to store the correct remote credentials. Then I remove the interactive login privileges. But that feels very hacky and not the kind of thing I ought to be doing.

The work around is to log in with your normal user account and then run following in an elevated command prompt;

runas /user:serviceaccountname "%windir%\system32\cmdkey.exe /add:server.domain.com /user:username /pass:password"

For example, if service account need permission on Azure storage then;

runas /user:yourUserName.onmicrosoft.com "%windir%\system32\cmdkey.exe /add:{storageAccountName}.file.core.windows.net /user:Azure\{storageAccountName} /pass:sharedkeyofthestorageaccount=="

You will be prompted for credential. Put in your service account name and password. The credential for the service account will be stored in credential manager and you will be good to go;

Resource

https://superuser.com/questions/537697/manage-another-users-credentials-for-network-access

Windows 10 screenshots

We can capture the screen and use a program, for example Greeshot, to open captured image.

Here are the tips to capture screen;

Print Screen 

The easiest way to take a screenshot on Windows 10 is the Print Screen (PrtScn) key. To capture your entire screen, simply press PrtScn on the upper-right side of your keyboard. 

The screenshot will be saved to your Clipboard.

Windows + Print Screen

To take a screenshot on Windows 10 and automatically save the file, press the Windows key + PrtScn

Your screen will go dim and a screenshot of your entire screen will save to the Pictures > Screenshots folder.

Alt + Print Screen 

To capture only the active window you’re working in and copy it to your Clipboard, press Alt + PrtScn

Snip & Sketch tool

To activate Snip & Sketch, use the keyboard shortcut Windows Key + Shift + S. Your screen will dim and a mini menu will appear at the top of your screen, giving you the option to take a rectangular, free-form, window, or full-screen capture. 

Game Bar 

The Game Bar is an overlay you can use within most Windows 10 apps and games to take screenshots and record video. To open the Game Bar, press Windows Key + G

Power + Volume Up 

To take a screenshot on Windows 10 with a Microsoft Surface device, press the Power Button + Volume Up Button. The screen will dim, and your screenshot will save to the Pictures > Screenshots folder. 

Third-party screenshot apps for Windows 

If you’re unsatisfied with any of the built-in Windows methods, there are third-party screenshot tools worth considering.;

  •  GIFs, take full-page screenshots, and more. The downside? The premium version costs $50. There’s also a 30-day free trial, although any picture you capture during this trial will be watermarked.
  • Lightshot is a free screenshot tool designed for quick social sharing. When you download and install Lightshot on Windows 10, it replaces the Print Screen function and offers more editing capabilities.
  • Greenshot is another free tool that allows you to edit and customize screenshots, as well as the option to capture a complete scrolling web page.

Windows Snip & Sketch alternative

I like windows snip and sketch tool. The only draw back, you take a snapshot and if you want to draw rectangle around an area, it’s not possible in this tool. The snapshot has to be copied into MS Paint or Power Point to annotate. It’s kind a two step process.

The alternative is to use Greenshot which is a full featured snipping tool. Greenshot does come with an editor where you can easily add arrows, text, shapes, blur out/pixelate sensitive information.

Greenshot automatically copy the screenshot to the clipboard. At the time of installation it gets registered with windows and always available in the taskbar. If I need to edit a screenshot, I can right-click the greenshot icon and choose: Open Image from clipboard to access it in the editor. Once done, I then either save the image there or choose copy to clipboard, to send the edited version back to the clipboard, ready to be pasted somewhere else.

Here is an example;

Donate:

Steps to enable MSDTC on Windows Server

These steps can be used on windows Server 2008 r2 and Windows Server 2012 R2

  1. Click Start, click Run, type dcomcnfg and then click OK to open Component Services.
  2. In the console tree, click to expand Component Services, click to expand Computers, click to expand My Computer, click to expand Distributed Transaction Coordinator and then click Local DTC.
  3. Right click Local DTC and click Properties to display the Local DTC Properties dialog box.
  4. Click the Security tab.
  5. Check mark “Network DTC Access” checkbox.
  6. Finally check mark “Allow Inbound” and “Allow Outbound” checkboxes.
  7. Click ApplyOK.
  8. A message will pop up about restarting the service.
  9. Click OK and That’s all.

Reference : https://msdn.microsoft.com/en-us/library/dd327979.aspx

Sometimes the network firewall on the Local Computer or the Server could interrupt your connection so make sure you create rules to “Allow Inbound” and “Allow Outbound” connection for c:\windows\msdtc.exe