Azure: PowerShell remoting

What I actually wanted to do, namely probe my Azure servers for security holes, will have to wait until another day (reminder to self). I failed to get to that point because, having understood starting, stopping, etc. of Azure VMs via PowerShell, I assumed that PowerShell remoting would be trivial. Well, it is, arguably, but you still need to know the commands, get your self-signed certificates in place, etc.

There were a few points of frustration, and an irritation that I have burned 2 hours getting to this point, but it’s worth recording.

This was the main pain, and I wasted time thinking that about_remote_troubleshooting help would actually contain some relevant information:

[Image: UnknownCertAuth02]

Thank you to this person, as all the answers are there, including the obvious one of plugging the HTTPS-qualified URL into, say, Chrome, saving the certificate, and importing it into your local Trusted Root CA store.

https://blogs.endjin.com/2014/03/a-step-by-step-guide-to-connecting-to-an-azure-virtual-machine-with-powershell-remoting/

This person was also helpful – thanks:

http://michaelwasham.com/windows-azure-powershell-reference-guide/introduction-remote-powershell-with-windows-azure/

https://gallery.technet.microsoft.com/scriptcenter/Configures-Secure-Remote-b137f2fe

Ref the latter, of course when you download the reference PowerShell script, no amount of telling PS that the file is OK seems to work (including Unblocking on the OS), so I copied the content and then it was fine. As I can’t download scripts, but can text, this is the content – all credit to the author, who is not me, to be clear:

<#
.SYNOPSIS

Downloads and installs the certificate created or initially uploaded during creation of a Windows based Windows Azure Virtual Machine.

.DESCRIPTION

Downloads and installs the certificate created or initially uploaded during creation of a Windows based Windows Azure Virtual Machine.
Running this script installs the downloaded certificate into your local machine certificate store (why it requires PowerShell to run elevated).
This allows you to connect to remote machines without disabling SSL checks and increasing your security.

.PARAMETER SubscriptionName

The name of the subscription stored in WA PowerShell to use. Use quotes around subscription names with spaces.
Download and configure the Windows Azure PowerShell cmdlets first and use Get-AzureSubscription | Select SubscriptionName to identify the name.

.PARAMETER ServiceName

The name of the cloud service the virtual machine is deployed in.

.PARAMETER Name

The name of the virtual machine to install the certificate for.

.EXAMPLE

.\InstallWinRMCertAzureVM.ps1 -SubscriptionName "my subscription" -ServiceName "mycloudservice" -Name "myvm1"

#>

param([string] $SubscriptionName, [string] $ServiceName, [string] $Name)

Function IsAdmin
{
    $IsAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()`
        ).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")

    return $IsAdmin
}

Function InstallWinRMCertificateForVM()
{
    param([string] $CloudServiceName, [string] $Name)
    if((IsAdmin) -eq $false)
    {
        Write-Error "Must run PowerShell elevated to install WinRM certificates."
        return
    }

    Write-Host "Installing WinRM Certificate for remote access: $CloudServiceName $Name"
    $WinRMCert = (Get-AzureVM -ServiceName $CloudServiceName -Name $Name | select -ExpandProperty vm).DefaultWinRMCertificateThumbprint
    $AzureX509cert = Get-AzureCertificate -ServiceName $CloudServiceName -Thumbprint $WinRMCert -ThumbprintAlgorithm sha1

    $certTempFile = [IO.Path]::GetTempFileName()
    $AzureX509cert.Data | Out-File $certTempFile

    # Target The Cert That Needs To Be Imported
    $CertToImport = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certTempFile

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store "Root", "LocalMachine"
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    $store.Add($CertToImport)
    $store.Close()

    Remove-Item $certTempFile
}

Select-AzureSubscription $SubscriptionName
InstallWinRMCertificateForVM -CloudServiceName $ServiceName -Name $Name
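
The script above adds the VM's self-signed certificate to the machine-wide Trusted Root store, so it is worth being able to see exactly what was trusted and to take it out again when the VM goes away. The following is an added example, not part of the original script or its author's code: the function name Test-AzureWinRMRootTrust and its -Remove switch are hypothetical, and it assumes the same classic Azure module and an elevated prompt.

```powershell
# Added example (hypothetical helper, not from the original script).
# Requires the classic Azure module used on this page and an elevated prompt.
function Test-AzureWinRMRootTrust {
    param(
        [Parameter(Mandatory = $true)] [string] $ServiceName,
        [Parameter(Mandatory = $true)] [string] $Name,
        [switch] $Remove   # delete the entry from LocalMachine\Root after reporting
    )

    # Thumbprint Azure reports for the VM's WinRM listener (same lookup the script uses)
    $expected = (Get-AzureVM -ServiceName $ServiceName -Name $Name |
        Select-Object -ExpandProperty vm).DefaultWinRMCertificateThumbprint
    if (-not $expected) { throw "No WinRM thumbprint returned for $ServiceName/$Name" }

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store "Root", "LocalMachine"
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try {
        $found = @($store.Certificates | Where-Object { $_.Thumbprint -eq $expected })
        if ($found.Count -eq 0) {
            Write-Warning "Thumbprint $expected is not in LocalMachine\Root."
            return
        }
        foreach ($cert in $found) {
            # Basic Constraints shows whether this trusted entry is also marked as a CA
            $bc = $cert.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
            [pscustomobject]@{
                Thumbprint = $cert.Thumbprint
                Subject    = $cert.Subject
                SelfSigned = ($cert.Subject -eq $cert.Issuer)
                MarkedAsCA = [bool]($bc -and $bc.CertificateAuthority)
                NotAfter   = $cert.NotAfter
                Expired    = ($cert.NotAfter -lt (Get-Date))
            }
            if ($Remove) {
                $store.Remove($cert)
                Write-Host "Removed $($cert.Thumbprint) from LocalMachine\Root"
            }
        }
    }
    finally {
        $store.Close()
    }
}

# Report only (service and VM names taken from the script's own .EXAMPLE)
Test-AzureWinRMRootTrust -ServiceName "mycloudservice" -Name "myvm1"
```

Add -Remove to the same call once the VM is decommissioned or its certificate is replaced, so the stale entry does not stay trusted machine-wide.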

Finally, a bunch of commands I used in the session:

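# Check the Azure module is loaded, sign in, then list subscriptions and VMs
Get-Module Azure
Add-AzureAccount
Get-AzureSubscription
Get-AzureVM
# The cloud service and the VM share one name here
$vm = "MyVm"
Start-AzureVM -ServiceName $vm -Name $vm
Get-AzureVM -ServiceName $vm -Name $vm
# HTTPS WinRM endpoint of the VM
$uri = Get-AzureWinRMUri -ServiceName $vm -Name $vm
# Build a credential object; $pwd is an automatic variable (current directory), so use another name
$user = "MyAdminUser"   # placeholder account name
$password = Read-Host -AsSecureString -Prompt "Password"
$credential = New-Object System.Management.Automation.PSCredential($user, $password)
# Either prompt for credentials and connect directly...
Enter-PSSession -ConnectionUri $uri -Credential (Get-Credential)
# ...or create a reusable session from the stored credential and enter it
$ps = New-PSSession -ConnectionUri $uri -Credential $credential
Enter-PSSession -Session $ps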
