When deploying on Azure via REST API a VM with Windows2008-SQL-Server template, we need to configure WinRM with a powershell script to enable basic auth. For doing so we use the Azure extension 'CustomScriptExtension' that loads a script from our blobstorage and runs it.
The script's output has errors and Powershell doesn’t respond on port 5985.
We use the SQL-Server-2008R2-SP2-10.50.4319.0-Standard-ENU-Win2008R2 template.
In the deployment we set a listener that uses as protocol ‘Http’.
We open the 5985 port and at the end of the VM provisioning we are able to open a socket on it.
Code:
winrm quickconfig -q
winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="300"}'
winrm set winrm/config '@{MaxTimeoutms="1800000"}'
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
winrm set winrm/config/service/auth '@{Basic="true"}'
For each script's command we have the following error:
Message = Access is denied. \\n\\nError number: -2147024891 0x80070005\\nAccess is denied.
Once the provisioning of the VM is done, we can log in using Remote Desktop, and if we launch the PowerShell script from there, it works perfectly.
After some research we have found this article that proposes a possible solution, but the problem with it is that it exposes a security issue, because the script needs an admin password as parameter.
We are looking for other advice or for a workaround. We are working with a full automated workflow so sadly “hand-made solutions” are not an option for us. Thanks in advance for any help.
I've done this to make the Chef client bootstrap work on an Azure Windows VM. In my case, in addition to what you've done, I had to open 5985 on the Windows Firewall and enable the 5985 endpoint on the cloud service. It was a PITA, but it got the job done.
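The script in the question turns on Basic authentication and unencrypted traffic for a listener reachable on port 5985. The check below is an added example, not part of the original posts: it reads the same settings back through the WSMan: drive and reports the ones that weaken transport or authentication. The function name Get-WinRMWeakSetting is made up for this example.

```powershell
# Added example, not from the original thread. Run elevated on the machine being checked.
function Get-WinRMWeakSetting {
    $findings = @()

    # Service side: the two values the provisioning script sets to "true".
    $unencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value -eq 'true'
    $basic       = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value -eq 'true'
    if ($unencrypted) { $findings += 'Service AllowUnencrypted=true: the service accepts unencrypted messages' }
    if ($basic)       { $findings += 'Service Auth Basic=true: credentials are only base64-encoded' }

    # Listeners: an HTTP listener matters most when both settings above are on.
    $http = Get-ChildItem WSMan:\localhost\Listener |
        Where-Object { $_.Keys -contains 'Transport=HTTP' }
    if ($http -and $unencrypted -and $basic) {
        $findings += 'HTTP listener + Basic + AllowUnencrypted: passwords cross the network readable'
    }

    # Client side: a wildcard means this machine will send credentials to any host.
    if ((Get-Item WSMan:\localhost\Client\TrustedHosts).Value -eq '*') {
        $findings += 'Client TrustedHosts=*: no restriction on which servers receive credentials'
    }

    $findings
}

Get-WinRMWeakSetting
```

An empty result means none of these settings is in its weakened state.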
I am trying to use a release pipeline and set up a task "run powershell on target machines".
And here are the error messages:
##[error]Unable to create pssession. Error: 'Connecting to remote server XXX failed with the following error message : The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig". For more information, see the about_Remote_Troubleshooting Help topic.'
##[error]The remote session query failed for XXX with the following error message: The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig".
##[error]PSSession could not be created for Machine:'XXX:5986'
My VM is on Azure, and I have already opened ports 5986/5985 in the 'internet' settings.
I found some article talking about "remote management", however, I am not sure how to set this up on my VM.
https://learn.microsoft.com/en-us/windows/win32/winrm/portal
https://learn.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.2
Maybe some setup is needed for the instance the pipelines are running on (agent pools)?
https://developercommunity.visualstudio.com/t/with-powershell-on-target-machines-task-cant-able/635225
Any suggestion is appreciated.
Update-1
The suggestion from @wade-zhou-msft does not seem to work. But thanks!
Update-2
I changed the network setting; no more error.
But the situation is still the same ...
In addition, my 'copy file to remote machine' task works well.
Update-3
I found an article that talks about "how to remotely run powershell command from Linux":
https://adamtheautomator.com/psremoting-linux/
It shows that some setup is needed. Maybe I need to set up the instance running my CD jobs?
The task "run powershell on target machines" will start an Enter-PSSession session from your agent machine to the target VM.
As per the error message, on your target VM, please run winrm quickconfig to configure the service, then run winrm set winrm/config/client '@{TrustedHosts="*"}' to trust the host.
If you use HTTPS, then you need to open port 5986 in the firewall and install a self-signed certificate.
If you create a classic virtual machine from the Azure portal, the virtual machine is already set up for WinRM over HTTPS, with the default port 5986 already opened in the firewall and a self-signed certificate installed on the machine. These virtual machines can be accessed with no further configuration required. Please refer to the task prerequisites for the details.
Or you can use a self-hosted agent, with HTTP port 5985 for the task.
I had the same problem and I solved the problem by using azure cli.
The build agent and the VM were added in the same vNet.
az vm run-command invoke -g MyResourceGroup -n MyVm --command-id RunShellScript --scripts 'echo $1 $2' --parameters hello world
https://learn.microsoft.com/en-us/cli/azure/vm/run-command?view=azure-cli-latest#az-vm-run-command-invoke
I'm currently trying to connect to my Virtual Machine with Windows Server 2012 Datacenter and connect to it via Certification Test Tool 1.2 for Azure. And always getting this error:
Connecting to remote server xyz-vm.westeurope.cloudapp.azure.com
failed with the following error message: WinRM cannot complete the
operation. Verify that the specified computer name is valid, that the
computer is accessible over the network, and that a firewall exception
for the WinRM service is enabled and allows access from this computer.
By default, the WinRM firewall exception for public profiles limits
access to remote computers within the same local subnet. For more
information, see the about_Remote_Troubleshooting Help topic.
I guess the tool is using PS Remoting, so I checked that:
"winrm" is running.
"PS Remoting" is enabled in the firewall.
Port 5985 and 5986 are in the network security group in Azure and at the local VM Firewall allowed.
I tested the connection via Test-WSMan and I got a connection. But the connection with the Certification Test Tool still failed.
Even after turning the firewall of the VM completely off, it didn't work.
Thank you for your help.
Can you please run in cmd on the Virtual Machine: netsh winhttp show proxy
If this shows port 8080, could you then run: netsh winhttp reset proxy
According to @Shengbao Shui - MSFT:
For an existing VM, you can also check this blog. You need to create a self-certificate and enable https.
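One way to carry out the "create a certificate and enable HTTPS" step on an existing VM, given here as an added example that is not from the original posts or the linked blog. It assumes Windows Server 2012 or later (for New-SelfSignedCertificate and Export-Certificate) and an elevated session; the DNS name is a placeholder, and port 5986 is assumed to be open already as described in the question.

```powershell
# Added example, not from the original thread. Run elevated on the VM.
$DnsName = 'vm.example.test'   # placeholder: the name clients will connect to

# 1. Self-signed server certificate in the machine store.
$cert = New-SelfSignedCertificate -DnsName $DnsName -CertStoreLocation Cert:\LocalMachine\My

# 2. Replace any existing HTTPS listener with one bound to that certificate.
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
    Remove-Item -Recurse -Force
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null

# 3. Keep the service defaults: no unencrypted traffic, no Basic authentication.
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false -Force
Set-Item WSMan:\localhost\Service\Auth\Basic -Value $false -Force

# 4. Export the public certificate so a client can trust it explicitly
#    instead of skipping certificate checks.
Export-Certificate -Cert $cert -FilePath "$env:TEMP\winrm-https.cer" | Out-Null

# 5. Show the resulting listeners for confirmation.
Get-ChildItem WSMan:\localhost\Listener | Select-Object Name, Keys

# On the client, after copying the .cer file over a trusted channel:
#   Import-Certificate -FilePath .\winrm-https.cer -CertStoreLocation Cert:\LocalMachine\Root
#   New-PSSession -ComputerName vm.example.test -UseSSL -Credential (Get-Credential)
```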
My goal is to write a Powershell script that will run New-AzureRmResourceGroup and New-AzureRmResourceGroupDeployment in order to provision a resource group according to an ARM .json template file. Said resource group includes a virtual machine, virtual network, network security group, public IP address, network interface attached to the virtual machine, and two storage accounts. After that, I want the same script to go on and copy a specific program installer to the virtual machine in that resource group and run that installer, automatically without further user interaction. However, I can't seem to begin a remote Powershell session with the virtual machine. I run the command:
$sess = New-PSSession -ComputerName **.***.**.*** -Port XXXX -Credential $cred
where the *s are the IP address of the Virtual Machine; XXXX is the Port that is open for RDP according to the Network Security Group associated with the virtual network that the Virtual Machine is on; and $cred contains the credentials of the admin user on the Virtual Machine.
The command always returns an error:
New-PSSession : [**.***.**.***] Connecting to remote server **.***.**.*** failed with the following error message :
The client cannot connect to the destination specified in the request. Verify that the service on the destination is
running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the
destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the
destination to analyze and configure the WinRM service: "winrm quickconfig". For more information, see the
about_Remote_Troubleshooting Help topic.
Note that I did make sure to add the Virtual Machine's IP address to the list of Trusted-Hosts on my local machine. (Until I did that, I got a different error message.) Also, I am able to connect to the Virtual Machine if I click on its Connect button in the Azure portal and then click on the .rdp file that's downloaded. This remote session uses the same IP address, port, and credentials as the one I'm trying and failing to set up in Powershell. This is what I don't understand.
Why does that happen? Is there some additional work I need to do to prepare the VM for accepting remote Powershell sessions? Is there any way to configure it in the ARM template so that the VM will be ready to accept them from the get-go? (It would be difficult if I need to run some commands on the VM to set Powershell remoting up, since I can't Powershell remote in to run them because of this very problem. Maybe I could run them as a custom script extension?)
Final notes: This VM is "new" style, not "classic" style. I know there is lots of documentation out there for "classic" style Azure VMs, but that's not what I'm working with. Also, even after running winrm quickconfig on the VM as the error suggested, and enabling administrative rights remotely to local users, I get the same error when I run New-PSSession.
Open up 5985-5986 on your NSG
Drop the port part on your command:
$sess = New-PSSession -ComputerName ... -Credential $cred
The WinRM endpoint is set up automatically for new VMs (if you don't somehow override it). But you need to open 5985 for nonsecure and 5986 for secure remoting.
I have a script that builds a VM and installs multiple programs. The script runs on a separate server, and builds the VM by using Invoke-Command to execute commands remotely on the VM server. There are perhaps 20 steps to the process, with each step creating a session, invoking a command on the VM, then removing the session.
Towards the end of the script I'm always getting the error below, but not always on the same step. When I run the script again leaving off where it last failed, it works fine. Obviously Winrm is enabled so I'm at a loss as to what can be causing it.
What possible reasons could explain getting this error when WinRM is most definitely running?
"Processing data for a remote command failed with the following error message: The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig". For more information, see the about_Remote_Troubleshooting Help topic."
It sounds like the 'Web Management Service' is not running on the remote machine.
This service is required for IIS management and some applications.
Regards
I have three windows 2008 R2 servers; DEV, UAT and Live. I am deploying web apps between these servers, including IIS setup and config and database backup and restore via a PowerShell script. I use a powershell remote session.
I would like to prevent any machine, other than my deployment machine, from creating a powershell remote session on the host, even if the user is authenticated. Is this possible?
I have looked extensively through the PSRemoting documentation and can't find anything helpful.
Thanks in advance
Read the link below to better understand what needs to be done, but I think you need to set the trusted host on the remote servers.
http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2008/02/23/remotely-managing-your-server-core-using-winrm-and-winrs.aspx
This is an excerpt from the blog.
On the Windows server Core box
Run the following commands on the console of the Server Core box to lower security:
WinRM set winrm/config/service/auth @{Basic="true"}
WinRM set winrm/config/client @{TrustedHosts="<local>"}
WinRM set winrm/config/client @{TrustedHosts="RemoteHost"}
Where RemoteHost is the host you want to be able to connect to the server.
You can also use certificate-based authentication.
http://blogs.msdn.com/b/wmi/archive/2009/03/23/how-to-use-wsman-config-provider-for-certificate-authentication.aspx
If you only want your computer to be able to connect, install the certificate on your computer and don't give it to anyone else.
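For the question of limiting which machine can open a session at all, one network-level option is to scope the inbound WinRM firewall rule on each server to the deployment machine's address. This is an added example, not from the original answers. It uses netsh so that it runs on Windows Server 2008 R2, and it assumes the default inbound rule name shown in the code, English netsh output, and a placeholder address; the function name is made up for this example.

```powershell
# Added example, not from the original thread. Run elevated on each server.
function Set-WinRMSourceScope {
    param(
        [string]$DeployHost,                                    # address allowed to connect
        [string]$RuleName = 'Windows Remote Management (HTTP-In)'  # assumption: default rule name
    )

    # Restrict the built-in allow rule to a single remote address.
    netsh advfirewall firewall set rule name="$RuleName" new remoteip=$DeployHost | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Firewall rule '$RuleName' was not found or could not be updated."
    }

    # Read the rule back and confirm the scope really changed.
    $shown = netsh advfirewall firewall show rule name="$RuleName" verbose
    $ok = $shown | Select-String -Pattern ('RemoteIP:\s+' + [regex]::Escape($DeployHost))
    if (-not $ok) {
        throw "Rule '$RuleName' does not list $DeployHost as its remote address."
    }
    "WinRM inbound rule '$RuleName' now accepts connections from $DeployHost only"
}

# 192.0.2.10 is a placeholder from the documentation address range.
Set-WinRMSourceScope -DeployHost '192.0.2.10'
```

Any other inbound allow rule that covers port 5985 or 5986 needs the same scope, otherwise it still admits other sources.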