After latest update, I am unable to remote desktop via Bastion into my Windows servers

Hello

Sorry for the inconvenience. Just to be explicit - are you talking about Azure Bastion?

Thanks and kind regards,

Hello

Sorry for the inconvenience. Just to be explicit - are you talking about Azure Bastion?

Thanks and kind regards,

@Richard Markiewicz
Yes sir. Sorry for not being more clear.

Hello

Ok, thanks for that; and since you mention Windows servers I assume you're using RDP.

Do you know which version of RDM you updated from? Help > About > Update History should have that information if you're not sure.

We haven't had any changes for Azure Bastion recently on our side, but I can't rule out another bug or regression causing a problem. However I also haven't had any other similar reports. In the past there have also been changes on the Microsoft side that have broken things for some users (sometimes only in certain regions). So I'm afraid I need to ask for some troubleshooting on your side.

• In your Azure Bastion configuration, what do you have for "Connection mode"? If it's "Default", what do you have in File > Settings > Entry Types > VPN/Tunnel/Gateway > Azure Bastion > Connection mode?
• Specifically what's the error or errors you get when you fail to connect? A screenshot is fine if possible.
• Please go to Help > Performance Profiling, switch to the "Debug Only" tab and set the "Debug Level" to 131. Leave the profiler window open and reproduce the problem. Then, send me the output from the profiling window (you can send it to me by PM here on the forum).

Once again, sorry for the inconvenience. Please let me know if something isn't clear or you have further questions

Kind regards

Hey Richard,

I am open to suggestion. It could very well be my fault. Here is screenshot for upgrade history:

Here is the connection mode:
Here is the error message:
I will PM you the trace now.

Thanks,

Ryan

Hello

Thanks for the information, unfortunately it doesn't reveal much. It's not clear to me right now if this is a problem on the Bastion side or a general regression in RDM. I'll probably have to ask my lab team to spin up a Bastion and do some testing on my side.

It would be helpful to know, briefly, how you have Bastion set up in RDM. I see you're using IP-based connections. Do you have the Bastion settings defined directly inside the RDP session(s)? Or do you have a Bastion entry(ies) that are linked to your RDP session(s)? If that's the case, how is it defined - do you link the Bastion to a folder and inherit the VPN, or link directly to the RDP session(s)? When you try to connect are you prompted to authenticate?

Thanks for whatever details you can provide

Kind regards,

Hello again

Ok, I've done some investigation here and different Bastion scenarios are working well on my side in 2025.3.29.

What I see from your trace is that we resolve the resource ID for the target host; the next step should be sending a REST call to Azure to get the hostname for the Bastion, but that isn't happening, or rather it's probably throwing an error. Because you see "an unexpected error occurred" it's clearly not an error that we expect to handle, but the details should be logged and I'm surprised they don't show in the trace file. Do you see anything relevant if you check Help > Application Logs? If so, please share it here.

Otherwise the other suggestion I have is to check using Azure CLI directly. I don't know if you have Azure CLI installed or are familiar with it; let me know if you need more details but the command you want is something like this

az network bastion rdp --disable-gateway --name {name-of-bastion-host} --subscription {subscription-id-for-bastion} --resource-group {resource-group-for-bastion} --resource-port 3389 --target-ip-address {server-ip-address}

That does assume that you're using IP connect which based on your logs, I think you are.

The result should be that Az starts a tunnel through Bastion to the remote machine on port 3389. Let me know if it works or you have errors.

Thanks and kind regards,

Hey Richard,

Sorry for the delay. Here is one in the application log to help:
One or more errors occurred. (Unable to retrieve authentication token) (System.AggregateException: One or more errors occurred. (Unable to retrieve authentication token)
---> Devolutions.Az.AzAuthException: Unable to retrieve authentication token
---> Azure.Identity.AuthenticationFailedException: The ChainedTokenCredential failed due to an unhandled exception: Azure PowerShell authentication failed due to an unknown error. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/powershellcredential/troubleshoot #< CLIXML
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04"><S S="Error">_x001B_[31;1mGet-AzAccessToken: _x001B_[0m_x000D__x000A_</S><S S="Error">_x001B_[31;1m_x001B_[36;1mLine |_x001B_[0m_x000D__x000A_</S><S S="Error">_x001B_[31;1m_x001B_[36;1m_x001B_[36;1m 25 | _x001B_[0m $token = _x001B_[36;1mGet-AzAccessToken @params_x001B_[0m_x000D__x000A_</S><S S="Error">_x001B_[31;1m_x001B_[36;1m_x001B_[36;1m_x001B_[0m_x001B_[36;1m_x001B_[0m_x001B_[36;1m | _x001B_[31;1m ~~~~~~~~~~~~~~~~~~~~~~~~~_x001B_[0m_x000D__x000A_</S><S S="Error">_x001B_[31;1m_x001B_[36;1m_x001B_[36;1m_x001B_[0m_x001B_[36;1m_x001B_[0m_x001B_[36;1m_x001B_[31;1m_x001B_[31;1m_x001B_[36;1m | _x001B_[31;1mAuthentication failed against resource https://management.azure.com/. User interaction is required. This may be due to the conditional access policy settings such as multi-factor authentication (MFA). Please rerun 'Connect-AzAccount' with additional parameter '-AuthScope https://management.azure.com/'._x001B_[0m_x000D__x000A_</S></Objs>
---> Azure.Identity.AuthenticationFailedException: Azure PowerShell authentication failed due to an unknown error. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/powershellcredential/troubleshoot #< CLIXML
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04"><S S="Error">_x001B_[31;1mGet-AzAccessToken: _x001B_[0m_x000D__x000A_</S><S S="Error">_x001B_[31;1m_x001B_[36;1mLine |_x001B_[0m_x000D__x000A_</S><S S="Error">_x001B_[31;1m_x001B_[36;1m_x001B_[36;1m 25 | _x001B_[0m $token = _x001B_[36;1mGet-AzAccessToken @params_x001B_[0m_x000D__x000A_</S><S S="Error">_x001B_[31;1m_x001B_[36;1m_x001B_[36;1m_x001B_[0m_x001B_[36;1m_x001B_[0m_x001B_[36;1m | _x001B_[31;1m ~~~~~~~~~~~~~~~~~~~~~~~~~_x001B_[0m_x000D__x000A_</S><S S="Error">_x001B_[31;1m_x001B_[36;1m_x001B_[36;1m_x001B_[0m_x001B_[36;1m_x001B_[0m_x001B_[36;1m_x001B_[31;1m_x001B_[31;1m_x001B_[36;1m | _x001B_[31;1mAuthentication failed against resource https://management.azure.com/. User interaction is required. This may be due to the conditional access policy settings such as multi-factor authentication (MFA). Please rerun 'Connect-AzAccount' with additional parameter '-AuthScope https://management.azure.com/'._x001B_[0m_x000D__x000A_</S></Objs>
at Azure.Identity.AzurePowerShellCredential.RequestAzurePowerShellAccessTokenAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
at Azure.Identity.AzurePowerShellCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage, Boolean isCredentialUnavailable)
at Azure.Identity.AzurePowerShellCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
at Azure.Core.Pipeline.TaskExtensions.EnsureCompleted[T](ValueTask`1 task)
at Azure.Identity.AzurePowerShellCredential.GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken)
at Azure.Identity.ChainedTokenCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
--- End of inner exception stack trace ---
at Azure.Identity.ChainedTokenCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
at Azure.Core.Pipeline.TaskExtensions.EnsureCompleted[T](ValueTask`1 task)
at Azure.Identity.ChainedTokenCredential.GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken)
at Devolutions.RemoteDesktopManager.Business.AzureCredential.GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken)
at Devolutions.RemoteDesktopManager.Business.AzureAuthenticator.GetToken(String scope, CancellationToken cancellationToken, TokenAuthenticatorOptions options)
at Devolutions.Az.BaseClient.TryGetToken(String scope, CancellationToken cancellationToken)
--- End of inner exception stack trace ---
at Devolutions.Az.BaseClient.TryGetToken(String scope, CancellationToken cancellationToken)
at Devolutions.Az.Bastion.Client.GetHost(String subscriptionId, String resourceGroupName, String bastionHostName, CancellationToken cancellationToken)
--- End of inner exception stack trace ---
at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
at Devolutions.RemoteDesktopManager.Business.VPNOpeners.VPNAzureBastionOpener.<>c__DisplayClass6_0.<DoOpen>b__0())

Thanks,

Ryan

Hi Ryan

Thanks for that. What options do you have chosen for authentication for the Azure Bastion settings in RDM? Are you expecting to use the current PowerShell login (which seems to be failing)? Or do you have multiple options checks but you're expecting to login via your browser?

Thanks and kind regards,

Hey Richard,
I will attach my authentication method with this reply. I am for sure expecting to use current powershell login and I do not login via browser.

Hi Ryan

Ok that really helps. We've certainly updated the Microsoft library that provides those options in this time frame, and I haven't tried it. Let me see what I can find, but that's certainly the problem.

On your side, could you try what the error message is suggesting and let me know if it helps?

Authentication failed against resource https://management.azure.com/. User interaction is required. This may be due to the conditional access policy settings such as multi-factor authentication (MFA). Please rerun 'Connect-AzAccount' with additional parameter '-AuthScope https://management.azure.com/'

Thanks and kind regards,

Hello again

I did a quick test on my side and all that was needed was to run `Connect-AzConnect` again in PowerShell.

Please let me know if that resolves things for you. That being the case, I will work on improving the error message reported by RDM. But I'd like confirmation that there aren't some other issues as well before changing that.

Thanks and kind regards,