How to enable Remote Desktop on Azure Cloud Service

-

Azure Cloud Service is one of the very useful PAAS (Platform-As-A-Service) offerings that Azure provides to deploy your Worker Role or Web Role into the cloud VM(s). So you can control the scalability, reliability, and cost anticipated for your application. 

You can access your service remotely if you expose your Web Role endpoints. However, this post is about how you enable remote desktop access to your cloud service VM(s) secured manner. 

There are two ways of enabling the Remote Desktop feature on your cloud service.

- Azure Portal configuration (UI)

- Cloud Definition and Configuration (code deployment)

This is the link to enable RDP using the Azure Portal. Here in this post, we are more focused on how to enable RDP from the code.

Pre-requisites:

- Azure SDK

- Azure Portal Access

- Cloud Service Solution for testing 

Steps:

Open your cloud solution and locate the below files

- ServiceConfiguration.cscfg 

- ServiceDefinition.csdef

In your ServiceDefinition file, you need to define the modules that need to import in order to support remote desktop support.

<?xml version="1.0" encoding="utf-8"?>
<ServiceDefinition name="YourCloudServiceName" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition" schemaVersion="2015-04.2.6">
<WorkerRole name="YourCloudServiceRoleName" vmsize="Standard_D2_v2">
<Runtime executionContext="elevated">
<Environment>
<Variable name="COR_ENABLE_PROFILING" value="1" />
<Variable name="COR_PROFILER" value="{324F817A-7420-4E6D-B3C1-143FBED6D855}" />
<Variable name="MicrosoftInstrumentationEngine_Host" value="{CA487940-57D2-10BF-11B2-A3AD5A13CBC0}" />
</Environment>
</Runtime>
<LocalResources>
<LocalStorage name="NETFXInstall" sizeInMB="1024" cleanOnRoleRecycle="false" />
</LocalResources>
<ConfigurationSettings>
<!-- <Setting name="AdditionalSettings" value="ConfigValue" /> -->
</ConfigurationSettings>
<Endpoints>
<InputEndpoint name="WebEndpoint" protocol="https" port="443" localPort="443" certificate="myservice.cloudservice.com" />
<InternalEndpoint name="InterroleMessaging" protocol="tcp" />
</Endpoints>
<Certificates>
<Certificate name="myservice.cloudservice.com" storeLocation="LocalMachine" storeName="My" />
</Certificates>
<Startup>
<Task commandLine="AppInsightsAgent\InstallAgent.bat" executionContext="elevated" taskType="simple">
<Environment>
<Variable name="ApplicationInsightsAgent.DownloadLink" value="http://go.microsoft.com/fwlink/?LinkID=522371" />
<Variable name="RoleEnvironment.IsEmulated">
<RoleInstanceValue xpath="/RoleEnvironment/Deployment/@emulated" />
</Variable>
</Environment>
</Task>
<Task commandLine="install.cmd" executionContext="elevated" taskType="simple">
<Environment>
<Variable name="PathToNETFXInstall">
<RoleInstanceValue xpath="/RoleEnvironment/CurrentInstance/LocalResources/LocalResource[@name='NETFXInstall']/@path" />
</Variable>
<Variable name="ComputeEmulatorRunning">
<RoleInstanceValue xpath="/RoleEnvironment/Deployment/@emulated" />
</Variable>
</Environment>
</Task>
</Startup>
<Imports>
<Import moduleName="Diagnostics" />
<Import moduleName="RemoteAccess" />
<Import moduleName="RemoteForwarder" />
</Imports>
</WorkerRole>
</ServiceDefinition>

Once you have the import definitions in place you need to generate a password by encrypting using a certificate. 

Before encrypting your password you need to check if you have a valid certificate that can be used for this purpose. 

When you installed the Azure SDK on your development environment you will see the CSEncrypt.exe tool in the below location. C:\Program Files\Microsoft SDKs\Azure\.NET SDK\<<Version you installed>>\bin>CSEncrypt.exe

When you execute the below command you can see the certificates available in your local for encryption. 

>CSEncrypt Get-PasswordEncryptionCertificate

If you want a custom certificate you can create a new certificate and upload it to the cloud service. Here is how you can create a new certificate. 

>CSEncrypt New-PasswordEncryptionCertificate -FriendlyName myservice.cloudservice.com

So this command will generate the certificate so you can get the certificate thumbprint for password encryption. 

You can encrypt the password by using the below command. 

>CSEncrypt Encrypt-Password -Output C:\RemoteDesktopPassword.txt -Thumbprint 39B87E114AA34777E4C24E4BBDC2CB094C6716CD

You can provide your password and confirm so it will write the encrypted password into C:\RemoteDesktopPassword.txt file. Or you can execute the same command without the -Output parameter so you can see the encrypted password on the command prompt. 

Once you have done the above steps you can proceed with the cloud service configurations on the ServiceConfiguration.cscfg file. 

<?xml version="1.0" encoding="utf-8"?>
<ServiceConfiguration serviceName="YourCloudServiceName" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration" osFamily="4" osVersion="*" schemaVersion="2015-04.2.6">
<Role name="YourCloudServiceRoleName">
<Instances count="1" />
<ConfigurationSettings>
<!-- <Setting name="AdditionalSettings" value="ConfigValue" /> -->
<Setting name="Microsoft.WindowsAzure.Plugins.RemoteAccess.Enabled" value="true" />
<Setting name="Microsoft.WindowsAzure.Plugins.RemoteAccess.AccountUsername" value="remoteadminsuer" />
<Setting name="Microsoft.WindowsAzure.Plugins.RemoteAccess.AccountEncryptedPassword"
value="MIIBvgYJKoZIhvcNAQcDoIIBrzCCAasCAQAxggFvMIIBawIBADBTMD8xPTA7BgNVBAMMNFdpbmRv
d3MoUikgQXp1cmUoVE0pIEVuY3J5cHRpb24gVG9vbCB2ZXJzaW9uIDIuOC4wLjACEDE664Bp43mg
SVXfEgck/9YwDQYJKoZIhvcNAQEBBQAEggEAex8KvAIXbS5AXdNYSzX0NdTHsH0uee4STkQ4IaMP
+9B/+xXlWuXPEEOsvX4z2TFEuz0uZJJe9pc2VtO+jMGqPjTckvb4L1g5HpOa5kWBuT9hl3yC45xY
Xw1iIYIyMHiPTz/2ZOIc88ccTKhpSKe6tL0Rdab383vuUasqVGtgwx9GW6w3Rm5d/QjJ7pkb6ypw
vKpvSWROSIDctNrYBwfiV3iaGKad30J0QYo04Ozj1Vt6LWTfa3CvW6yhPxpPxJMW8ebiBEfFJYeA
Z/35YXvcOyOucHt9ICBHXSOUuSLe+rJ53Xf/GpL21lZYhK/nFG4WfuwF/oAmhFYejgAJWht0QzAz
BgkqhkiG9w0BBwEwFAYIKoZIhvcNAwcECAuH2qprQsnGgBBmeRxru2d0cY666dZ5FQDy" />
<Setting name="Microsoft.WindowsAzure.Plugins.RemoteAccess.AccountExpiration" value="2020-10-20T23:59:59.0000000-05:00" />
<Setting name="Microsoft.WindowsAzure.Plugins.RemoteForwarder.Enabled" value="true" />
</ConfigurationSettings>
<Certificates>
<Certificate name="myservice.cloudservice.com" thumbprint="39B87E114AA34777E4C24E4BBDC2CB094C6716CD" thumbprintAlgorithm="sha1" />
<Certificate name="Microsoft.WindowsAzure.Plugins.RemoteAccess.PasswordEncryption" thumbprint="39B87E114AA34777E4C24E4BBDC2CB094C6716CD" thumbprintAlgorithm="sha1" />
</Certificates>
</Role>
</ServiceConfiguration>

Note: You need to use the encrypted password for the Microsoft.WindowsAzure.Plugins.RemoteAccess.AccountEncryptedPassword key. 

You can specify the expiration date for the RDP account if needed or you can provide the certificate expiration date as well.

That's all. Once you have the certificate uploaded to the service you can deploy the service. Once the cloud service is deployed successfully you can remote into the VM.

Moreover, you can create an RDP file by saving the below content as *.rdp extension. 

full address:s:yourservicename.cloudapp.net
username:s:remoteadminuser
LoadBalanceInfo:s:Cookie: mstshash=YourCloudServiceRoleName#YourCloudServiceRoleName_IN_0

That's all. Hope this helps. 

Cheers!!  

Comments

Post a Comment

Popular posts from this blog

Dependency Injection for Azure Function

-
Enabling dependency injection on your Azure Function a little bit different than the usual process like you do on the .Net Core applications. Here I'm planning to share some tips and steps you should follow if you need to enable DI on Azure Functions with C#. I'm focusing on a function application created for HTTP Trigger. When you create a new project you will see a static class and method to run your function end-point.  1 2 3 4 5 6 7 8 9 10 11 public static class FunctionWithDI { [FunctionName("function-with-di")] public static async Task<IActionResult> Run( [HttpTrigger(AuthorizationLevel.Function, "get", "post", Route = null)] HttpRequest req, ILogger log) { log.LogInformation( "C# HTTP trigger function processed...
Read more

Dependency Injection for .Net Core console application

-
Image
As many organizations are now migrating their on-premise applications to the cloud platform now there are many requirements to convert legacy .Net application written in .Net Fullframework to .Net Core.  In this article, I want to share a simple way to enable the .Net core dependency injection, especially on a console application. If you create a new Asp .Net Web API or Web App the project scaffolding template will provide you the initial code for dependency injection. But console applications you will need to do as below. First I will start by creating a new project. I use the visual code terminal to create a new project called "sample-console-app" so the project name will be constructing from the directory name where you execute the below command.  > dotnet new console The above command will create you the project and you will see your project view like below. You can run the below commands to restore dependencies and run the application. > dotnet restore > dotn...
Read more