Enable PowerShell remoting on Azure RM virtual machines

PowerShell remoting is useful to manage virtual machines using PowerShell. When you create a virtual machine in the classic azure model, a winrm endpoint is automatically configured and can be used to manage virtual machines. You’ll just need to import ssl on your local machine and connect to the remoting session. However, same is not created if you create a virtual machine in the resource manager model. So if you try to connect using PowerShell remoting for azure rm vm, you’ll see this error:

enter-pssession : Connecting to remote server mailserver02.metavrs.in failed with the following error message : The WinRM client cannot process the request. If the authentication scheme is
different from Kerberos, or if the client computer is not joined to a domain, then HTTPS transport must be used or the destination machine must be added to the TrustedHosts configuration
setting. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. You can get more information about that by running the following
command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ enter-pssession -ComputerName mailserver02.metavrs.in
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 + CategoryInfo : InvalidArgument: (mailserver02.metavrs.in:String) [Enter-PSSession], PSRemotingTransportException
 + FullyQualifiedErrorId : CreateRemoteRunspaceFailed

In this post, we’ll see how to configure azure rm virtual machine for remoting purposes. For this, login into azure rm portal using your credentials. Then navigate to Virtual Machines ->  -> Settings -> Network Interfaces -> :

Open network security group for azure rm vm
Open network security group for azure rm vm

As shown in snap, click on inbound security rules icon and then click add to add a new rule:

Inbound security rules for virtual machine
Inbound security rules for virtual machine

Then, define a new rule by defining a name, priority, and source as any. Select service name as winrm from list of services and then select allow:

Add new inbound security rule for winrm over https
Add new inbound security rule for winrm over https

After this, login into the virtual machine. Open windows firewall snap-in and then add incoming rule to allow traffic on port 5986. Alternatively, you can use below command:

New-NetFirewallRule -Name "winrm_https" -DisplayName "winrm_https" -Enabled True -Profile Any -Action Allow -Direction Inbound -LocalPort 5986 -Protocol TCP

The rule will look something like this:

Add inbound rule for allowing traffic on port 5986
Add inbound rule for allowing traffic on port 5986

After this, you’ll need to create a certificate for secure connection inside virtual machine. You may choose to use a publically trusted certificate, but for our purposes we are using a self signed certificate as I just wanted to get up and running as quickly as possible. You need to provide a DNS name, later in the post we will sconnect via IP address and skip the DNS name check so it doesn’t actually mattter what you set this to. However best practice would be to ensure you have a DNS name resolving to your Azure VM’s public IP address and use that DNS name.

For creating certificate, we can use a PowerShell command as below:

New-SelfSignedCertificate -DnsName mailserver01.metavrs.in -CertStoreLocation Cert:\LocalMachine\My

This will create and add a self signed certificate to personal store for local machine:

create-new-self-signed-cert-inside-vm
Create new self signed certificate inside virtual machine

Notice the thumbprint id created by using above command. To enable winrm on port 5986, we need to run below command (on a command prompt) inside virtual machine:

winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="mailserver01.metavrs.in"; CertificateThumbprint="B843517858DC200F338AA096EBE69E2F140E3F47"}

In the above command, replace hostname by your virtual machine DNS name and the thumbprint generated. This is what it should look like when you run it:

configure winrm for remoting
Configure winrm for remoting

Now, we are all done. To connect from a client machine, we can use below set of commands on PowerShell prompt:

$so = New-PsSessionOption –SkipCACheck -SkipCNCheck
$creds = Get-Credential
Enter-PSSession -ComputerName  -Credential $creds -UseSSL -SessionOption $so

This is what it should look like:

Establish remote pssession with azure vm
Establish remote pssession with azure vm

Happy remoting.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s