How to PSSession VM from Resource Manager? - powershell

I have VMs in Resource Manager and I want to do remote PowerShell scripting from runbook these VMs. I already know how to do it in classic virtual machines and use with success.
Now, is remote PowerShell over SSL with a certificate enabled by default on Azure VMs created with the Azure Resource Manager? How do I connect with Enter-PSSession or Invoke-Command?
I tried this code without success.
Enter-PSSession -ComputerName <public-IP> -Credential $cred -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck)
And I got this error
Enter-PSSession : Connecting to remote server <public-IP> failed with the following error message : The WinRM client
cannot process the request. If the authentication scheme is different from Kerberos, or if the client computer is not
joined to a domain, then HTTPS transport must be used or the destination machine must be added to the TrustedHosts
configuration setting. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not
be authenticated. You can get more information about that by running the following command: winrm help config. For more
information, see the about_Remote_Troubleshooting Help topic.
Note: That I am running this with Powershell Runbook in Azure Automation.
and tried the suggested answer here

You need to put a cert in Azure Key Vault (plus some other steps) to enable WinRM to ARM VMs. Then you need to do the same thing as in the Connect-AzureVM runbook, but using this cert instead of the Azure Classic VM's cert, to set up trust between the hosts.
See this thread for more details on the steps required. This may be useful as well.

Related

WinRM error while connecting to remote server using powershell [duplicate]

I successfully enabled PSRemoting on my Server 2008 R2.
I'm able to do a remote-pssession from within the same network using the hostname as target.
I'm failing when I try to use the IP-Address as target from any computer (within the network or from another network (for example via VPN)).
I want to be able to use remoting through my VPN connection where I have to use the IP-Address since the hostname can't be resolved.
I don't want to add names into my hosts-file because there are a few other servers at our clients' that have the same dns-name and I don't want to remove and insert the name-ip-address-association again and again.
I hope someone can tell me how to allow the psremoting-target to be called via IP.
Edit: To be more specific, I want to be able to run this:
Enter-PSSession -Computername 192.168.123.123 -credentials $cred
But I'm only able to run that command if I pass a hostname to "-Computername"
Edit2:
I'm getting following errormessage when I try to login using the ip instead of the hostname (from the internal network):
Enter-PSSession : Connecting to remote server failed with the following error message : The WinRM client cannot process
the request. Default authentication may be used with an IP address under the following conditions: the transport is HT
TPS or the destination is in the TrustedHosts list, and explicit credentials are provided. Use winrm.cmd to configure T
rustedHosts. Note that computers in the TrustedHosts list might not be authenticated. For more information on how to se
t TrustedHosts run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting
Help topic.
Edit3:
I know about the trusted-hosts setting of WSMan, but that doesn't seem to be the problem. It is already set to "*" (I did that right after enabling remoting), but I still can't connect to that server using the ip as target-computername, but I'm able to connect using the hostname as target-computername. Seems like there's something like the binding in IIS that prevents the listener to listen on requests that target the ip-number instead of the hostname. But IIS isn't installed. I don't know where to look for such a setting.
Update 2011-07-12:
Okay, I think that trustedhosts-setting is not the problem because I CAN connect from our DC via hostname but not if I use the ip-address of the destination for the computer-param.
I think, the problem must be the listener. Maybe the listener takes no requests that were targeted to the destination-ip instead of the destination-hostname. But I don't know how to change that.
The error message is giving you most of what you need. This isn't just about the TrustedHosts list; it's saying that in order to use an IP address with the default authentication scheme, you have to ALSO be using HTTPS (which isn't configured by default) and provide explicit credentials. I can tell you're at least not using SSL, because you didn't use the -UseSSL switch.
Note that SSL/HTTPS is not configured by default - that's an extra step you'll have to take. You can't just add -UseSSL.
The default authentication mechanism is Kerberos, and it wants to see real host names as they appear in AD. Not IP addresses, not DNS CNAME nicknames. Some folks will enable Basic authentication, which is less picky - but you should also set up HTTPS since you'd otherwise pass credentials in cleartext. Enable-PSRemoting only sets up HTTP.
Adding names to your hosts file won't work. This isn't an issue of name resolution; it's about how the mutual authentication between computers is carried out.
Additionally, if the two computers involved in this connection aren't in the same AD domain, the default authentication mechanism won't work. Read "help about_remote_troubleshooting" for information on configuring non-domain and cross-domain authentication.
From the docs at http://technet.microsoft.com/en-us/library/dd347642.aspx
HOW TO USE AN IP ADDRESS IN A REMOTE COMMAND
-----------------------------------------------------
ERROR: The WinRM client cannot process the request. If the
authentication scheme is different from Kerberos, or if the client
computer is not joined to a domain, then HTTPS transport must be used
or the destination machine must be added to the TrustedHosts
configuration setting.
The ComputerName parameters of the New-PSSession, Enter-PSSession and
Invoke-Command cmdlets accept an IP address as a valid value. However,
because Kerberos authentication does not support IP addresses, NTLM
authentication is used by default whenever you specify an IP address.
When using NTLM authentication, the following procedure is required
for remoting.
1. Configure the computer for HTTPS transport or add the IP addresses
of the remote computers to the TrustedHosts list on the local
computer.
For instructions, see "How to Add a Computer to the TrustedHosts
List" below.
2. Use the Credential parameter in all remote commands.
This is required even when you are submitting the credentials
of the current user.
Try doing this:
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*" -Force
I test your assertion in my infrastructure the IP address is not the problem the following works for me :
PS C:\Users\JPB> hostname
JPBCOMPUTER
PS C:\Users\JPB> Enter-PSSession -ComputerName 192.168.183.100 -Credential $cred
[192.168.183.100]: PS C:\Users\jpb\Documents>
[192.168.183.100]: PS C:\Users\jpb\Documents> hostname
WM2008R2ENT
If you try to work accross a VPN you'd better have to have a look to the firewall settings on the way to your server. Installation and Configuration for Windows Remote Management can help you. The TCP port WinRM is waiting on are :
WinRM 1.1 and earlier: The default HTTP port is 80.
WinRM 2.0: The default HTTP port is 5985.
Edited : According to your error can you test this on youclient computer :
Set-Item WSMan:\localhost\Client\TrustedHosts *
The guys have given the simple solution, which will do be you should have a look at the help - it's good, looks like a lot in one go but it's actually quick to read:
get-help about_Remote_Troubleshooting | more
On your machine* run 'Set-Item WSMan:\localhost\Client\TrustedHosts -Value "$ipaddress"
*Machine from where you are running PSSession
On Windows 10 it is important to make sure the WinRM Service is running to invoke the
command
* Set-Item wsman:\localhost\Client\TrustedHosts -value '*' -Force *
For those of you who don't care about following arbitrary restriction imposed by Microsoft you can simply add a host file entry to the IP of the server your attempting to connect to rather then use that instead of the IP to bypass this restriction:
Enter-PSSession -Computername NameOfComputerIveAddedToMyHostFile -credentials $cred
Please try the following on the client:
Run the following command to restore the listener configuration:
winrm invoke Restore winrm/Config
Run the following command to perform a default configuration of the Windows Remote Management service and its listener:
winrm quickconfig
After you configured winrm again, make sure host is trusted:
Set-Item wsman:\localhost\Client\TrustedHosts -value "$ipaddress" -Force
Try remote connect again
Reference
Configure winrm for HTTPS
I spend a great amount of time and finally got the solution. Following are the steps to do fix this -
Go to Control Panel\All Control Panel Items\Network and Sharing Center\Advanced sharing settings in control panel
Make sure machine discovery in domain and guest is ON.
Open powershell in administrator mode on client machine and run winrm quickconfig and winrm set winrm/config/client '#{TrustedHosts="*"}'
As Don touched on this, here is more info
Using the IP is Kerberos authentication problem
If you are on a AD Domain and need a more elegant solution than allowing NTLM and trusted hosts: https://learn.microsoft.com/en-us/windows-server/security/kerberos/configuring-kerberos-over-ip
" Beginning with Windows 10 version 1507 and Windows Server 2016, Kerberos clients can be configured to support IPv4 and IPv6 hostnames in SPNs.
By default Windows will not attempt Kerberos authentication for a host if the hostname is an IP address. It will fall back to other enabled authentication protocols like NTLM. "
Note that there might be GPOs limiting / disabling NTLM in the domain - since this can be a security risk
To check run "RSOP".
GPOs are under: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies/Security Options > Network Security
Allowing basic auth and allowing "*" in Trusted hosts makes me cringe a bit :)
GL HF

Cannot connect to server using Enter-PSSession

I'm quite new to PowerShell and am trying to write a script that connects to our web server from our db server and pulls a file across. Unfortunately I'm hitting hurdles straight out of the gate with the following error when trying to use the Enter-PSSession cmdlet:
http://imgur.com/jzpmV6z
I can confirm that PowerShell on the web server is set up and ready to receive connections:
http://imgur.com/o3g4bxK
I am at a loss as to what to check now. Any help would be greatly appreciated.
EDIT: Just to confirm, I am able to RDP into the web server from the db server fine.
If you are not using domain joined Machines and domain user accounts you will need to add the destination server to your trusted hosts list
Set-Item WSMan:\LocalHost\Client\TrustedHosts\ -Value "192.168.100.234"
You should check if you have machines add first
Get-Item WSMan:\Localhost\Client\TrustedHosts
if you do you will need to append the new ipaddress or the pervious values will be overwritten.
You should also check the network profiles on both machines. Powershell remoting will not work with the network profile set to Public.
EDIT:
You need to run: Enable-PsRemoting not winrm qc to allow powershell remoting
winrm is only half the puzzle.
Hello. dont Have a reputation to post a comment, so read some info
heare. If you have a domain you can try to do this: In the group
policy mmc: Policies/Administrative Templates /Windows
Components/Windows Remote Management (WinRM)/WinRM Service
Allow Remote Server management through WinRM
Set the Policy to Enabled.
Set the IPv4 and IPv6 filters to *
enter link description here
Or you can try to do something like this:
On local host and remote PC
Set-ExecutionPolicy remotesigned -Scope CurrentUser -Force| Out-Null
winrm qc -q| Out-Null

How to Programmatically Set Up Powershell Remoting on an Azure VM

My goal is to write a Powershell script that will run New-AzureRmResourceGroup and New-AzureRmResourceGroupDeployment in order to provision a resource group according to an ARM .json template file. Said resource group includes a virtual machine, virtual network, network security group, public IP address, network interface attached to the virtual machine, and two storage accounts. After that, I want the same script to go on and copy a specific program installer to the virtual machine in that resource group and run that installer, automatically without further user interaction. However, I can't seem to begin a remote Powershell session with the virtual machine. I run the command:
$sess = New-PSSession -ComputerName **.***.**.*** -Port XXXX -Credential $cred
where the *s are the IP address of the Virtual Machine; XXXX is the Port that is open for RDP according to the Network Security Group associated with the virtual network that the Virtual Machine is on; and $cred contains the credentials of the admin user on the Virtual Machine.
The command always returns an error:
New-PSSession : [**.***.**.***] Connecting to remote server **.***.**.*** failed with the following error message :
The client cannot connect to the destination specified in the request. Verify that the service on the destination is
running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the
destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the
destination to analyze and configure the WinRM service: "winrm quickconfig". For more information, see the
about_Remote_Troubleshooting Help topic.
Note that I did make sure to add the Virtual Machine's IP address to the list of Trusted-Hosts on my local machine. (Until I did that, I got a different error message.) Also, I am able to connect to the Virtual Machine if I click on its Connect button in the Azure portal and then click on the .rdp file that's downloaded. This remote session uses the same IP address, port, and credentials as the one I'm trying and failing to set up in Powershell. This is what I don't understand.
Why does that happen? Is there some additional work I need to do to prepare the VM for accepting remote Powershell sessions? Is there any way to configure it in the ARM template so that the VM will be ready to accept them from the get-go? (It would be difficult if I need to run some commands on the VM to set Powershell remoting up, since I can't Powershell remote in to run them because of this very problem. Maybe I could run them as a custom script extension?)
Final notes: This VM is "new" style, not "classic" style. I know there is lots of documentation out there for "classic" style Azure VMs, but that's not what I'm working with. Also, even after running winrm quickconfig on the VM as the error suggested, and enabling administrative rights remotely to local users, I get the same error when I run New-PSSession.
Open up 5985-5986 on your NSG
Drop the port part on your command:
$sess = New-PSSession -ComputerName ... -Credential $cred
WinRM endpoint is set up automatically for new VM's (if you don't somehow override it). But you need to open 5985 for nonsecure and 5986 for secure remoting

Azure Powershell Runbook - Invoke commands on remote VM (ARM a.k.a. V2)

What I need
I want to have an automation runbook that executes commands on a remote VM (the VM is a V2 or "Resource Manager" VM).
I found examples to make that work with Classic VMs but I can't make it work for RM VMs (best I found: https://alexandrebrisebois.wordpress.com/2015/08/14/azure-automation-remote-powershell-and-a-virtual-machine/).
Does anybody have an example of running powershell commands on a remote V2 VM in an automation runbook?
Where I'm stuck currently
I have tried to adjust the 2nd piece of the example code (the part that invokes the command) and I get the following error:
[vm-template] Connecting to remote server vm-template failed with the following error
message : The WinRM client cannot process the request. If the authentication scheme is
different from Kerberos, or if the client computer is not joined to a domain, then HTTPS
transport must be used or the destination machine must be added to the TrustedHosts
configuration setting. Use winrm.cmd to configure TrustedHosts. Note that computers in the
TrustedHosts list might not be authenticated. You can get more information about that by
running the following command: winrm help config. For more information, see the
about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (vm-template:String) [], PSRemotingTransportException
+ FullyQualifiedErrorId : ServerNotTrusted,PSSessionStateBroken
My understanding is that since I am not using Kerberos (don't even know what that is) I must use HTTPS. And for that I must do the first half of the example code, which is about importing the certificate (importing where btw since the runbook runs "in azure"?).
I found some pages that explain how to enable HTTPS (Connecting to remote server failed using WinRM from PowerShell) and create the certificate (http://www.jayway.com/2011/11/21/winrm-w-self-signed-certificate-in-4-steps/) but they require some commands to be run on BOTH machines ; I certainly can run commands on my remote VM but I don't understand how I could do it for the client machine which does not really exist since the runbook is running directly in azure.
Any help is greatly appreciated, thanks!
Is your network security group configured to open port 5985 (winrm http port) or 5986 if using https? You also might need a public IP, if you plan on using winrm not from Azure automation. You should also be able to use http, so I think the error you're seeing is a generic failure to connect error.
Note: by default, winrm over http and the listener should be set up and listening on your machines. winrm uses message level encryption, so it's not completely in plaintext. You can verify with:
winrm e winrm/config/listener
Which should show you the listener with something like:
Listener [Source="GPO"]
Address = *
Transport = HTTP
Port = 5985
Hostname
Enabled = true
URLPrefix = wsman
CertificateThumbprint
ListeningOn = 1.1.1.1
Once you've verified that, I would verify that you can connect to the remote machine using winrm from your own computer. You can easily do that with:
$username = '<admin-user>'
$pass = ConvertTo-SecureString -string '<password>' -AsPlainText -Force
$cred = New-Object -typename System.Management.Automation.PSCredential -argumentlist $username, $pass
Enter-PSSession -ComputerName <public-IP> -Credential $cred -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck)
Note that you may have to set your trusted hosts on your own computer to trust the Azure machine to create the winrm session. This can be done with something like:
Set-Item WSMan:localhost\Client\TrustedHosts -value * -Force
Note that you should use the Azure VM's actual name for security, not a wildcard.

Powershell remoting with ip-address as target

I successfully enabled PSRemoting on my Server 2008 R2.
I'm able to do a remote-pssession from within the same network using the hostname as target.
I'm failing when I try to use the IP-Address as target from any computer (within the network or from another network (for example via VPN)).
I want to be able to use remoting through my VPN connection where I have to use the IP-Address since the hostname can't be resolved.
I don't want to add names into my hosts-file because there are a few other servers at our clients' that have the same dns-name and I don't want to remove and insert the name-ip-address-association again and again.
I hope someone can tell me how to allow the psremoting-target to be called via IP.
Edit: To be more specific, I want to be able to run this:
Enter-PSSession -Computername 192.168.123.123 -credentials $cred
But I'm only able to run that command if I pass a hostname to "-Computername"
Edit2:
I'm getting following errormessage when I try to login using the ip instead of the hostname (from the internal network):
Enter-PSSession : Connecting to remote server failed with the following error message : The WinRM client cannot process
the request. Default authentication may be used with an IP address under the following conditions: the transport is HT
TPS or the destination is in the TrustedHosts list, and explicit credentials are provided. Use winrm.cmd to configure T
rustedHosts. Note that computers in the TrustedHosts list might not be authenticated. For more information on how to se
t TrustedHosts run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting
Help topic.
Edit3:
I know about the trusted-hosts setting of WSMan, but that doesn't seem to be the problem. It is already set to "*" (I did that right after enabling remoting), but I still can't connect to that server using the ip as target-computername, but I'm able to connect using the hostname as target-computername. Seems like there's something like the binding in IIS that prevents the listener to listen on requests that target the ip-number instead of the hostname. But IIS isn't installed. I don't know where to look for such a setting.
Update 2011-07-12:
Okay, I think that trustedhosts-setting is not the problem because I CAN connect from our DC via hostname but not if I use the ip-address of the destination for the computer-param.
I think, the problem must be the listener. Maybe the listener takes no requests that were targeted to the destination-ip instead of the destination-hostname. But I don't know how to change that.
The error message is giving you most of what you need. This isn't just about the TrustedHosts list; it's saying that in order to use an IP address with the default authentication scheme, you have to ALSO be using HTTPS (which isn't configured by default) and provide explicit credentials. I can tell you're at least not using SSL, because you didn't use the -UseSSL switch.
Note that SSL/HTTPS is not configured by default - that's an extra step you'll have to take. You can't just add -UseSSL.
The default authentication mechanism is Kerberos, and it wants to see real host names as they appear in AD. Not IP addresses, not DNS CNAME nicknames. Some folks will enable Basic authentication, which is less picky - but you should also set up HTTPS since you'd otherwise pass credentials in cleartext. Enable-PSRemoting only sets up HTTP.
Adding names to your hosts file won't work. This isn't an issue of name resolution; it's about how the mutual authentication between computers is carried out.
Additionally, if the two computers involved in this connection aren't in the same AD domain, the default authentication mechanism won't work. Read "help about_remote_troubleshooting" for information on configuring non-domain and cross-domain authentication.
From the docs at http://technet.microsoft.com/en-us/library/dd347642.aspx
HOW TO USE AN IP ADDRESS IN A REMOTE COMMAND
-----------------------------------------------------
ERROR: The WinRM client cannot process the request. If the
authentication scheme is different from Kerberos, or if the client
computer is not joined to a domain, then HTTPS transport must be used
or the destination machine must be added to the TrustedHosts
configuration setting.
The ComputerName parameters of the New-PSSession, Enter-PSSession and
Invoke-Command cmdlets accept an IP address as a valid value. However,
because Kerberos authentication does not support IP addresses, NTLM
authentication is used by default whenever you specify an IP address.
When using NTLM authentication, the following procedure is required
for remoting.
1. Configure the computer for HTTPS transport or add the IP addresses
of the remote computers to the TrustedHosts list on the local
computer.
For instructions, see "How to Add a Computer to the TrustedHosts
List" below.
2. Use the Credential parameter in all remote commands.
This is required even when you are submitting the credentials
of the current user.
Try doing this:
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*" -Force
I test your assertion in my infrastructure the IP address is not the problem the following works for me :
PS C:\Users\JPB> hostname
JPBCOMPUTER
PS C:\Users\JPB> Enter-PSSession -ComputerName 192.168.183.100 -Credential $cred
[192.168.183.100]: PS C:\Users\jpb\Documents>
[192.168.183.100]: PS C:\Users\jpb\Documents> hostname
WM2008R2ENT
If you try to work accross a VPN you'd better have to have a look to the firewall settings on the way to your server. Installation and Configuration for Windows Remote Management can help you. The TCP port WinRM is waiting on are :
WinRM 1.1 and earlier: The default HTTP port is 80.
WinRM 2.0: The default HTTP port is 5985.
Edited : According to your error can you test this on youclient computer :
Set-Item WSMan:\localhost\Client\TrustedHosts *
The guys have given the simple solution, which will do be you should have a look at the help - it's good, looks like a lot in one go but it's actually quick to read:
get-help about_Remote_Troubleshooting | more
On your machine* run 'Set-Item WSMan:\localhost\Client\TrustedHosts -Value "$ipaddress"
*Machine from where you are running PSSession
On Windows 10 it is important to make sure the WinRM Service is running to invoke the
command
* Set-Item wsman:\localhost\Client\TrustedHosts -value '*' -Force *
For those of you who don't care about following arbitrary restriction imposed by Microsoft you can simply add a host file entry to the IP of the server your attempting to connect to rather then use that instead of the IP to bypass this restriction:
Enter-PSSession -Computername NameOfComputerIveAddedToMyHostFile -credentials $cred
Please try the following on the client:
Run the following command to restore the listener configuration:
winrm invoke Restore winrm/Config
Run the following command to perform a default configuration of the Windows Remote Management service and its listener:
winrm quickconfig
After you configured winrm again, make sure host is trusted:
Set-Item wsman:\localhost\Client\TrustedHosts -value "$ipaddress" -Force
Try remote connect again
Reference
Configure winrm for HTTPS
I spend a great amount of time and finally got the solution. Following are the steps to do fix this -
Go to Control Panel\All Control Panel Items\Network and Sharing Center\Advanced sharing settings in control panel
Make sure machine discovery in domain and guest is ON.
Open powershell in administrator mode on client machine and run winrm quickconfig and winrm set winrm/config/client '#{TrustedHosts="*"}'
As Don touched on this, here is more info
Using the IP is Kerberos authentication problem
If you are on a AD Domain and need a more elegant solution than allowing NTLM and trusted hosts: https://learn.microsoft.com/en-us/windows-server/security/kerberos/configuring-kerberos-over-ip
" Beginning with Windows 10 version 1507 and Windows Server 2016, Kerberos clients can be configured to support IPv4 and IPv6 hostnames in SPNs.
By default Windows will not attempt Kerberos authentication for a host if the hostname is an IP address. It will fall back to other enabled authentication protocols like NTLM. "
Note that there might be GPOs limiting / disabling NTLM in the domain - since this can be a security risk
To check run "RSOP".
GPOs are under: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies/Security Options > Network Security
Allowing basic auth and allowing "*" in Trusted hosts makes me cringe a bit :)
GL HF