Az Network Bastion Rdp not connecting

Hi Cole Duprey,

Thanks for reaching out in Microsoft Q&A forum,

The certificate mismatch in Azure Bastion RDP with AAD auth stems from the Windows VM's self-signed RDP listener certificate being generated with the private IP as its Common Name (CN) or Subject Alternative Name (SAN), rather than the hostname Bastion expects during connection. This mismatch triggers the error since Bastion passes the correct hostname, but the VM can't validate it against its cert. Your working setup in the other subscription probably has VMs where the RDP cert auto-generated properly with hostname details, likely due to consistent imaging, naming conventions, or Group Policy differences.

Steps:

• Regenerate RDP cert on the VM: Connect via Bastion browser or serial console, open PowerShell as admin, and run: Stop-Service -Name "SessionEnv" -Force; Get-ChildItem -Path Cert:\LocalMachine\Remote Desktop | Remove-Item -Force; Start-Service -Name "SessionEnv". Restart the VM to force a new self-signed cert with proper hostname binding ​.
• Custom cert deployment: Create one explicitly with New-SelfSignedCertificate -DnsName "vmhostname.domain.com" -CertStoreLocation "Cert:\LocalMachine\My", note the thumbprint, then bind via wmic /namespace:\\root\Microsoft\Windows\RDInfrastructure Path Win32_TSGatewayServerRole set SSLCertificateSHA1Hash="THUMBPRINT". Restart Remote Desktop Services.​
• RDP file workaround: Use az network bastion rdp --configure to download the file, edit address or gatewayhostname to the private IP, and connect bypasses hostname validation temporarily.​
• Verify VM config: Run hostname to confirm it matches your Bastion command; check Entra ID device join status and ensure Bastion is Standard SKU for full AAD support.

Reference:

• Troubleshoot Azure Bastion | Microsoft Learn
• An internal error occurs when you make an RDP connection to Azure Virtual Machines - Virtual Machines | Microsoft Learn

Kindly let us know if the above helps or you need further assistance on this issue.

Please do not forget to and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

The certificate mismatch error you are experiencing when using Azure Bastion with AAD authentication could be due to several reasons. Here are some suggestions to troubleshoot the issue:

1. Certificate Configuration: Ensure that the certificate installed on the target virtual machine is correctly configured. The certificate should match the hostname of the VM and not the private IP address. You can verify this by checking the properties of the RDP-Tcp connection in the Terminal Services Configuration or RD Session Host Configuration.
2. DNS Resolution: Check if the DNS resolution is functioning correctly. If the hostname resolves to the private IP address, ensure that the DNS settings are correctly configured in your Azure environment.
3. Network Security Group (NSG) Rules: Verify that the NSG rules associated with your virtual machine allow traffic on the required ports, particularly port 3389 for RDP.
4. Different Subscription Settings: Since you mentioned that the same setup works in another subscription, compare the configurations of both subscriptions. Look for differences in network settings, NSG rules, or certificate configurations that might affect the connection.
5. Recreate the Certificate: If the issue persists, consider recreating the certificate and ensuring it is correctly uploaded to the Azure portal and associated with the VM.

If these steps do not resolve the issue, you may want to consult Azure support for further assistance.

References:

• RDP not working for classic cloud service resource
• Intermittent connection failures when using Remote Desktop Protocol