AZURE VM LOGS

Gabriel Moraes 225 Reputation points
2024-04-30T11:46:47.4866667+00:00

Hello! I would like to understand a glitch that sometimes happens in my Azure VM and that I can’t locate any log for.

Issue: When trying to log into the VM via RDP it simply opens the login screen, but does not log in, without errors, simply does not log in, only fails.
To fix I need to reapply the VM. Is there a free way for me to see the failure events of a VM?
Within the Event Viewer only "Logon failure" appears.

Any help, I appreciate it.

Best regards,

Gabriel Moraes.

Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.

Accepted answer
  1. Andriy Bilous 10,996 Reputation points MVP
    2024-04-30T19:52:56.51+00:00

    Hello Gabriel Moraes

    You can check Event Viewer to see RDP logon errors

    • Security log.
      • Look for events related to “Logon failure” or other relevant events.
      • Filter the events by Event ID.
      • For “Logon failure,” the Event ID is 4625.
    • Review Event Details:
      • Review the System and Application logs in the Event Viewer as well for any relevant events.

    Also, for Server 2019 and 2022, relevant "Logon type = 10" (the type for Terminal Server logins) entries are logged in the Security event log under event 4624.


    You see, when you attempt to logon to an RDP session, the security provider behind the logon process called CredSSP decides whether to employ Kerberos or NTLM to verify your identity to the remote computer.

    If Kerberos is available, for which you need direct line of sight to the Domain Controller, CredSSP attempts to verify your credential with the Domain Controller.

    If the password provided is wrong, the Domain Controller logs an Event ID 4771 - Kerberos PreAuthentication Failed. If Kerberos is not available, CredSSP falls back to NTLM and attempts to verify your credential directly with the remote computer, which in turn relays the credential verification to the Domain Controller.

    If, in this case, the password provided is wrong, the remote computer logs an Event ID 4625 - Logon Failed and the Domain Controller logs an Event ID 4776 - Credential Validation Failed.

    https://techcommunity.microsoft.com/t5/windows-server-for-it-pro/rdp-authentication-failures-not-reflected-in-security-log/m-p/3584187
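
The event IDs named in the answer above can be pulled into one timeline with PowerShell. This is an added example, not part of the original answer; the `$Hours` and `$ComputerName` values are assumptions to adjust, and the field names are the standard EventData names of these Security events.

```powershell
# Added example: timeline of the Security events named in the answer above.
# Run from an elevated PowerShell session; reading the Security log needs admin rights.
$Hours        = 24           # look-back window (assumed value)
$ComputerName = 'localhost'  # the VM itself, or a Domain Controller for 4771/4776

$labels = @{
    4624 = 'Logon succeeded'
    4625 = 'Logon failed'
    4771 = 'Kerberos pre-authentication failed'
    4776 = 'NTLM credential validation'
}

$filter = @{
    LogName   = 'Security'
    Id        = 4624, 4625, 4771, 4776
    StartTime = (Get-Date).AddHours(-$Hours)
}

Get-WinEvent -FilterHashtable $filter -ComputerName $ComputerName |
    ForEach-Object {
        # EventData fields are only addressable by name in the XML form of the record.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }

        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            Meaning   = $labels[[int]$_.Id]
            User      = $data['TargetUserName']
            LogonType = $data['LogonType']                  # 10 = Terminal Server / RDP
            AuthPkg   = $data['AuthenticationPackageName']  # Kerberos, NTLM or Negotiate
            SourceIp  = $data['IpAddress']
            Status    = $data['Status']
            SubStatus = $data['SubStatus']
        }
    } |
    # Keep every failure, but only the successful logons that are RDP sessions (type 10).
    Where-Object { $_.EventId -ne 4624 -or $_.LogonType -eq '10' } |
    Sort-Object Time |
    Format-Table -AutoSize
```

An attempt that shows neither a 4625 nor a type 10 4624 on the VM within the window is a reason to check the System and Application logs, as the answer suggests.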
