无法在Azure自动化混合工作器上运行远程会话

Question

I have a Powershell Azure Automation runbook that remotes into a machine to update some configuration. The runbook seems to work properly when run from Azure, but fails with an authentication error when run from a Hybrid Worker.

The whole reason for having the Hybrid Worker was so I could secure the PSRemoting ports to known hosts, so this is a bit of a bummer.

The main runbook is triggered via webhook, and that calls a child runbook using dot-notation, which calls...

$creds = Get-AutomationPSCredential -Name 'DeploymentCredentials'
$sessionOptions = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
Invoke-Command -ConnectionUri "https://$($FQDN):5986" -Credential $creds -SessionOption $sessionOptions -ScriptBlock {
    $h = hostname
    Write-Output "Running on $h"
}

In this case, $FQDN is supplied as a parameter of course.

The error being reported is:

Connecting to remote server my-server.australiaeast.cloudapp.azure.com failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.

• CategoryInfo : OpenError: (my-server.au...udapp.azure.com:String) [], PSRemotingTransportException

• FullyQualifiedErrorId : AccessDenied,PSSessionStateBroken

I can manually execute the same code from ISE without issue from the hybrid worker so I know it's not a firewall issue, and I have the credentials writing to the output window so I know they are correct too.

I presume this is something to do with the fact the PowerShell function executes under the system account?

Thx

Answer 1

Answering my own question for posterity.

Altering the Hybrid Worker Group to run using credentials for a machine admin allowed the setup to work; where using the "Default" credentials (System account I believe) did not.

I think in Windows the System account is not allowed to connect to other machines/services so this may be why, but I'm guessing there.