AZURE VM LOGS

Gabriel Moraes 230 Reputation points
2024-04-30T11:46:47.4866667+00:00

Hello! I would like to understand a glitch that happens in my Azure VM sometimes and I can’t locate any log on.

Issue: When trying to log into the VM via RDP it simply opens the login screen, but does not log in, without errors, simply does not log in, only fails.
To fix I need to reapply the VM. Is there a free way for me to see the failure events of a VM?
Within the Event Viewer only "Logon failure" appears.

Any help, I appreciate it.

Best regards,

Gabriel Moraes.

Azure Virtual Machines
Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
7,271 questions
{count} votes

Accepted answer
  1. Andriy Bilous 10,996 Reputation points MVP
    2024-04-30T19:52:56.51+00:00

    Hello Gabriel Moraes

    You can check Event Viewer to see RDP logon errors

    • Security log.
      • Look for events related to “Logon failure” or other relevant events.
      • Filter the events by Event ID.
      • For “Logon failure,” see Event ID is 4625.
    • Review Event Details:
      • Review the System and Application logs in the Event Viewer as well for any relevant events.

    Also for Server 2019 and 2022, relevant "Logon type = 10" (the type for Terminal Server logins) entries being logged in the Security event log under event 4624.

    thumbnail image 1 of blog post titled  RDP authentication failures not reflected in security log? Re: RDP authentication failures not reflected in security log? Re: RDP authentication failures not reflected in security log? Re: RDP authentication failures not reflected in security log? Re: RDP authentication failures not reflected in security log? Re: RDP authentication failures not reflected in security log? Re: RDP authentication failures not reflected in security log?

    You see, when you attempt to logon to an RDP session, the security provider behind the logon process called CredSSP decides whether to employ Kerberos or NTLM to verify your identity to the remote computer.

    If Kerberos is available for which you need direct line of sight towards the Domain Controller, CredSSP attempts to verify your credential with the Domain Controller.

    If the password provided is wrong, the Domain Controller logs an Event ID 4771 - Kerberos PreAuthentication Failed. If Kerberos is not avaialble, CredSSP falls back to NTLM and attempts to verify your credential directly with the remote computer which in turn relays the credential verification to the Domain Controller.

    If, in this case, the password provided is wrong, the remote computer logs an Event ID 4625 - Logon Failed and the Domain Controller logs an Event ID 4776 - Credential Validation Failed.

    https://techcommunity.microsoft.com/t5/windows-server-for-it-pro/rdp-authentication-failures-not-reflected-in-security-log/m-p/3584187

    0 comments No comments

0 additional answers

Sort by: Most helpful