运行在虚拟机上执行PowerShell命令的Azure Runbook时出错

Question

I am trying to execute this code in runbook, using "Invoke-Command" to connect to VM.

$connectionName = "AzureRunAsConnection"
try
{
    # Get the connection "AzureRunAsConnection "
    $servicePrincipalConnection=Get-AutomationConnection -Name $connectionName

    "Logging in to Azure"
    Add-AzureRmAccount `
        -ServicePrincipal `
        -TenantId $servicePrincipalConnection.TenantId `
        -ApplicationId $servicePrincipalConnection.ApplicationId `
        -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint

    # Use the subscription that this Automation account is in
    $null = Select-AzureRmSubscription -SubscriptionId $servicePrincipalConnection.SubscriptionID
    Get-AzureRmVM | Select Name
    $dcred = Get-AutomationPSCredential -Name 'myvm1creds'
    Write-Output $DomainCred
    $opts = New-PSSessionOption -SkipCACheck
    Invoke-Command -Computername 'myVM1' -Credential $dcred -ScriptBlock {Get-Process} -SessionOption $opts
}
catch {
    if (!$servicePrincipalConnection)
    {
        $ErrorMessage = "Connection $connectionName not found."
        throw $ErrorMessage
    } else{
        Write-Error -Message $_.Exception
        throw $_.Exception
    } 
}

Getting the below error:

[myVM1] Connecting to remote server myVM1 failed with the following error message : The WinRM client cannot process the request. If the authentication scheme is different from Kerberos, or if the client computer is not joined to a domain, then HTTPS transport must be used or the destination machine must be added to the TrustedHosts configuration setting. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. You can get more information about that by running the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic. + CategoryInfo : OpenError: (myVM1:String) [], PSRemotingTransportException + FullyQualifiedErrorId : ServerNotTrusted,PSSessionStateBroken

Any idea what have to be done to run powershell script via runbook on Azure Virtual Machines

Answer 1

In Azure runbook, we can't use transport HTTP to connect Azure VMs, because Azure runbook can't add trust host, so we need use HTTPS to connect Azure VMs.

Here are my steps:
1.Create a self-signed certificate.

Use makecert.exe to create it.

2.Config Winrm listen on HTTPS , run this script in CMD:

winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Port="5986" ;Hostname="jasonvm" ;CertificateThumbprint="98941E137CDF9553CCB0C28D5814EB9EDB1AC87D"}

3.Add port 5986 in Azure NSG inbound rules and windows firewall inbound rules. 4.we can use this runbook to connect Azure VM:

$connectionName = "AzureRunAsConnection"
try
{
    # Get the connection "AzureRunAsConnection "
    $servicePrincipalConnection=Get-AutomationConnection -Name $connectionName         

    "Logging in to Azure..."
    Add-AzureRmAccount `
        -ServicePrincipal `
        -TenantId $servicePrincipalConnection.TenantId `
        -ApplicationId $servicePrincipalConnection.ApplicationId `
        -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint 


    $null = Select-AzureRmSubscription -SubscriptionId $servicePrincipalConnection.SubscriptionID
    Get-AzureRmVM | Select Name
    $dcred = Get-AutomationPSCredential -Name 'jasonvm'
    Write-Output $DomainCred
    $opts = New-PSSession -ConnectionUri 'https://52.185.148.177:5986' -Credential $dcred -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck)
    Invoke-Command -Session $opts -ScriptBlock {Get-Process}

}
catch {
    if (!$servicePrincipalConnection)
    {
        $ErrorMessage = "Connection $connectionName not found."
        throw $ErrorMessage
    } else{
        Write-Error -Message $_.Exception
        throw $_.Exception
    }
}

Here is my result: