[英]Cannot run remote session on Azure Automation hybrid worker
I have a Powershell Azure Automation runbook that remotes into a machine to update some configuration. 我有一台Powershell Azure自动化运行手册,该手册可以远程访问计算机以更新某些配置。 The runbook seems to work properly when run from Azure, but fails with an authentication error when run from a Hybrid Worker. 从Azure运行时,该运行簿似乎正常工作,但是从Hybrid Worker运行时,运行簿失败并出现身份验证错误。
The whole reason for having the Hybrid Worker was so I could secure the PSRemoting ports to known hosts, so this is a bit of a bummer. 拥有Hybrid Worker的全部原因是为了使我可以将PSRemoting端口保护到已知主机,因此这实在太可惜了。
The main runbook is triggered via webhook, and that calls a child runbook using dot-notation, which calls... 主Runbook通过Webhook触发,并使用点符号调用子Runbook,该子Runbook调用...
$creds = Get-AutomationPSCredential -Name 'DeploymentCredentials'
$sessionOptions = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
Invoke-Command -ConnectionUri "https://$($FQDN):5986" -Credential $creds -SessionOption $sessionOptions -ScriptBlock {
$h = hostname
Write-Output "Running on $h"
}
In this case, $FQDN
is supplied as a parameter of course. 在这种情况下,当然会提供$FQDN
作为参数。
The error being reported is: 报告的错误是:
Connecting to remote server my-server.australiaeast.cloudapp.azure.com failed with the following error message : Access is denied. 连接到远程服务器my-server.australiaeast.cloudapp.azure.com失败,并显示以下错误消息:拒绝访问。 For more information, see the about_Remote_Troubleshooting Help topic. 有关更多信息,请参见about_Remote_Troubleshooting帮助主题。
CategoryInfo : OpenError: (my-server.au...udapp.azure.com:String) [], PSRemotingTransportException CategoryInfo:OpenError:(my-server.au ... udapp.azure.com:String)[],PSRemotingTransportException
FullyQualifiedErrorId : AccessDenied,PSSessionStateBroken FullyQualifiedErrorId:AccessDenied,PSSessionStateBroken
I can manually execute the same code from ISE without issue from the hybrid worker so I know it's not a firewall issue, and I have the credentials writing to the output window so I know they are correct too. 我可以从ISE手动执行相同的代码,而没有混合工作程序发出的消息,因此我知道这不是防火墙问题,而且我将凭据写入输出窗口,因此我也知道它们也是正确的。
I presume this is something to do with the fact the PowerShell function executes under the system account? 我认为这与PowerShell函数在系统帐户下执行的事实有关吗?
Thx 谢谢
Answering my own question for posterity. 回答我关于后代的问题。
Altering the Hybrid Worker Group to run using credentials for a machine admin allowed the setup to work; 更改Hybrid Worker组以使用机器管理员的凭据运行可以使设置生效; where using the "Default" credentials (System account I believe) did not. 没有使用“默认”凭据(我相信系统帐户)的位置。
I think in Windows the System account is not allowed to connect to other machines/services so this may be why, but I'm guessing there. 我认为在Windows中,系统帐户不允许连接到其他计算机/服务,所以这可能就是原因,但是我猜在那里。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.