Start a script on Azure VM from a remote machine

  • Question

  • I hope there is a simple answer to my question, as I have been at it for the past 3 days.
    I have set up multiple Azure VMs. I have a PowerShell script that runs on the VM. All I need to do now is run/start that PowerShell script from the remote machine.
    I have opened the ports and tried all kinds of things with winrm and I am stumped, still getting the Access denied error.
    What else can I try to get this to work? This seems like a pretty common thing people would run into.
    
    Thanks for your help.
    Karina
    
    Thursday, July 19, 2012 4:09 PM

Answers

  • Hi Karina,

    You can use the following steps to do a remote PowerShell session to an Azure VM over SSL. These steps use a self-signed SSL certificate, but for production scenarios we would recommend getting a cert from a trusted CA.

    1. Add a 5986 HTTPS endpoint (public port needs to be unique in the case of multi-instance cloud services). You could configure a different port on the VM to be the HTTPS listener, but 5986 is the default in Win7 and later.

      get-azurevm mycloudservice myvm | Add-AzureEndpoint -Name PS-HTTPS -Protocol TCP -LocalPort 5986 -PublicPort 5986 | Update-AzureVM

    2. Create a self-signed cert (makecert.exe from Windows SDK, or selfssl.exe from IIS6 reskit, etc.) and import to the local machine store:

      makecert -r -pe -n "CN=mycloudservice.cloudapp.net" -b 01/01/2012 -e 01/01/2022 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12

      with selfssl:

      selfssl.exe /N:CN=mycloudservice.cloudapp.net /V:3650 /P:5986 /T /Q

    3. For a self-signed cert like above, you must export the cert and import it into the trusted root store on the client where you will be connecting from. This PowerShell command will export the cert to .PFX.

      [System.IO.File]::WriteAllBytes("mycloudservice.cloudapp.net.pfx", (get-item cert:\localmachine\My\<thumbprint>).Export("Pfx","password"))

      Then copy the PFX to the client and double-click to run the wizard and import to the Trusted Root store.

    4. Run Enable-PSRemoting on both the VM and the client you'll be connecting from:

      Enable-PSRemoting

      You can add -force to automatically accept all the prompts.

    5. Create the HTTPS listener using that cert's thumbprint (since Enable-PSRemoting only creates an HTTP listener by default, not HTTPS):

      winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="mycloudservice.cloudapp.net";CertificateThumbprint="<thumbprint>"}

    6. Add the firewall exception manually since Enable-PSRemoting doesn't create firewall exceptions for Public firewall profile:

      netsh advfirewall firewall add rule name="Port 5986" dir=in action=allow protocol=TCP localport=5986

    7. Update TrustedHosts to a wildcard "*" or a specific client machine name that you will be connecting from:

      Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*" -Force -Concatenate

    8. Now you can start an interactive remote session to the VM using:

      Enter-PSSession -ComputerName mycloudservice.cloudapp.net -Credential (Get-Credential) -UseSSL

    Thanks,

    Craig

    Monday, July 23, 2012 9:13 PM
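
    Added example, not part of Craig's answer: a variant of steps 3 and 8 that copies only the public certificate to the client, checks its thumbprint before trusting it, and then runs a script that already lives on the VM instead of opening an interactive session. The `C:\Temp` path and `C:\Scripts\job.ps1` are assumptions; `<thumbprint>` is the same placeholder used in the steps above.

```powershell
# Added example. Assumptions: the C:\Temp path and C:\Scripts\job.ps1 are hypothetical;
# <thumbprint> is a placeholder for the thumbprint of the cert created in step 2.
$hostName   = 'mycloudservice.cloudapp.net'
$thumbprint = '<thumbprint>'
$cerPath    = 'C:\Temp\mycloudservice.cloudapp.net.cer'

# On the VM: export only the public certificate. The private key stays on the VM,
# so there is no password-protected PFX to copy around.
function Export-PublicCert {
    $cert = Get-Item "Cert:\LocalMachine\My\$thumbprint"
    [System.IO.File]::WriteAllBytes($cerPath, $cert.Export('Cert'))
}

# On the client: confirm the copied file is the certificate you expect,
# then add it to the machine's Trusted Root store (needs an elevated prompt).
function Import-TrustedCert {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
    if ($cert.Thumbprint -ne $thumbprint.Replace(' ', '').ToUpper()) {
        throw "Thumbprint mismatch: got $($cert.Thumbprint)"
    }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
    $store.Open('ReadWrite')
    try { $store.Add($cert) } finally { $store.Close() }
}

# On the client: check that the HTTPS listener answers, then start the script
# that is stored on the VM and return its output.
function Invoke-VmScript {
    param([string]$RemoteScript = 'C:\Scripts\job.ps1')
    Test-WSMan -ComputerName $hostName -UseSSL -ErrorAction Stop | Out-Null
    Invoke-Command -ComputerName $hostName -UseSSL -Credential (Get-Credential) `
        -ArgumentList $RemoteScript -ScriptBlock {
            param($path)
            & $path
        }
}
```

    Run `Export-PublicCert` on the VM, copy the `.cer` file to the client, then run `Import-TrustedCert` and `Invoke-VmScript` there. Because the connection uses HTTPS with a certificate the client trusts, it does not depend on a wildcard TrustedHosts entry.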

All replies

  • David Aiken did a post a while back on using remote PowerShell into Windows Azure PaaS instances. You might find some helpful pointers there.
    Thursday, July 19, 2012 7:56 PM
  • Thanks Neil,

    According to David's description you need to deploy something to the VM to begin with. Is there something less complex? My scenario is a lot simpler.

    Friday, July 20, 2012 6:29 PM
  • @Craig,

    I have been struggling too with this error for the last 2 days until I came across this thread. It would be really helpful if you could post on TechNet Wiki or Azure User Guide.


    Pavan Keerthi

    Tuesday, July 24, 2012 2:38 PM