I'm trying to check some Windows Services in an Azure VM using an Automation Account with managed identity using a PowerShell script.
Basically I'm trying to use the New-PSSession -ComputerName VM1 command:
$VMS = @('VMINT01p', 'VMINT02p', 'VMINT03p', 'VMINT04p')
Foreach ($VM in $VMS)
{
    $testSession = New-PSSession -ComputerName $VM -ErrorAction Stop
    if (-not($testSession))
    {
        Write-Host "Failed to connect to $VM"
        Throw "Unable to remote..."
    }
    else
    {
        Write-Host "Connected to $VM"
    }
}
but I'm getting the following error:
System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to remote server failed with the following error message : The WinRM client cannot process the request. If the authentication scheme is different from Kerberos, or if the client computer is not joined to a domain, then HTTPS transport must be used or the destination machine must be added to the TrustedHosts configuration setting. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. You can get more information about that by running the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
I already gave the automation account managed identity Virtual Machine Administrator Login, but I'm wondering if that is the correct permissions to get this to work with the automation account.
I'm able to run this script under my own credentials, but I have the admin group permission in the Windows OS.
CodePudding user response:
I hope you are connecting to the Azure VM using PowerShell the correct way.
Please check the steps below to see whether you are following the same ones:
Prerequisites
# Install AzureRM PowerShell module to connect to Azure VMs
Install-Module AzureRM
# Verify the WinRM service is running on your local machine
Start-Service WinRM
# Add the VM's public IP address to the trusted hosts of the local machine
Set-Item WSMan:\<localhost>\Client\TrustedHosts -Value <Public IP address of the VM>
Open the ports in the network security group
Open your WinRM (Windows Remote Management) HTTP and HTTPS ports on the NSG associated with the VM.
Commands to retrieve the NSG to add rules are below:
Get-AzureRmNetworkSecurityGroup -Name <NSGNAME> -ResourceGroupName <ResourceGroupName>
Add the NSG Config Rule to connect VM
Add-AzureRmNetworkSecurityRuleConfig -Name AllowingWinRMHTTPS -Description "To Enable PowerShell Remote Access" -Access <Allow/Deny> -Protocol <Protocol_type = Tcp> -Direction <Inbound/Outbound> -Priority <102> -SourceAddressPrefix <SrcAddPrefix = Internet> -SourcePortRange <port range = *> -DestinationAddressPrefix <DestAddPrefix = *> -DestinationPortRange <Port you want to use 5986>
Save the rule in the NSG
Set-AzureRmNetworkSecurityGroup
To access the VM using PowerShell
- Enable WinRM on the VM
- Open the required WinRM firewall ports on the VM (if the local Windows Firewall is activated).
Create an empty PowerShell script on the local machine
New-Item -ItemType File -Path C:\<fileName>.ps1
Add/Store the tasks in the file which you want to do in VM.
$Content = "winrm qc /force
netsh advfirewall firewall add rule name=WinRMHTTP dir=in action=allow protocol=TCP localport=5985
netsh advfirewall firewall add rule name=WinRMHTTPS dir=in action=allow protocol=TCP localport=5986"
Add tasks to the PowerShell script
Add-Content C:\<fileName>.ps1 $Content
Run script inside the VM using the VMRunCommand.
Invoke-AzureRmVMRunCommand -ResourceGroupName <ResourceGroupName> -Name <name> -CommandId 'RunPowerShellScript' -ScriptPath C:\<fileName>.ps1
Remove the script (because we don't need it anymore)
Remove-Item C:\<fileName>.ps1
Connect to VM using PowerShell
From here you should be able to connect to the VMs.
Enter-PSSession -ComputerName <The public IP address of the VM>
Refer here for more information.
PowerShell to connect VMs with Azure PSRemoting
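
As an added example (not code from the question or the answer), here is a variant of the question's loop that takes the other option named in the error message, HTTPS transport on port 5986, with an explicit Windows credential instead of a TrustedHosts entry, and then checks the services. The credential asset name `VmAdminCredential`, the service names, a WinRM HTTPS listener whose certificate matches each VM name, and a runbook worker that can resolve and reach the VMs (for example a Hybrid Runbook Worker) are all assumptions.

```powershell
# Added example, not the poster's code. Assumptions: 'VmAdminCredential' is a
# hypothetical Automation credential asset, each VM has a WinRM HTTPS listener on
# 5986 with a certificate matching its name, and the worker can resolve these names.
$VMs          = @('VMINT01p', 'VMINT02p', 'VMINT03p', 'VMINT04p')
$ServiceNames = @('W32Time', 'Spooler')   # sample services, chosen for illustration
$Credential   = Get-AutomationPSCredential -Name 'VmAdminCredential'

# Certificate validation stays on: no -SkipCACheck / -SkipCNCheck here.
$Option = New-PSSessionOption -OpenTimeout 30000 -OperationTimeout 60000

$Results = foreach ($VM in $VMs) {
    $Session = $null
    try {
        # HTTPS transport authenticates the server, so TrustedHosts is not needed.
        $Session = New-PSSession -ComputerName $VM -UseSSL -Port 5986 `
            -Credential $Credential -Authentication Negotiate `
            -SessionOption $Option -ErrorAction Stop

        Invoke-Command -Session $Session -ArgumentList (,$ServiceNames) -ScriptBlock {
            param([string[]]$Names)
            # Services that do not exist on the VM are omitted from the output.
            Get-Service -Name $Names -ErrorAction SilentlyContinue |
                Select-Object Name, @{ n = 'Status'; e = { $_.Status.ToString() } }
        } | ForEach-Object {
            [pscustomobject]@{ VM = $VM; Service = $_.Name; Status = $_.Status; Error = $null }
        }
    }
    catch {
        # Record the failure and continue with the next VM instead of aborting.
        [pscustomobject]@{ VM = $VM; Service = $null; Status = 'Unreachable'
                           Error = $_.Exception.Message }
    }
    finally {
        if ($Session) { Remove-PSSession -Session $Session }
    }
}

$Results | Format-Table -AutoSize | Out-String

# Fail the job if any VM was unreachable or any checked service is not running.
$NotRunning = @($Results | Where-Object { $_.Status -ne 'Running' })
if ($NotRunning.Count -gt 0) {
    throw "$($NotRunning.Count) check(s) failed or reported a non-running service."
}
```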