I was working on an issue of trying to connect to powershell remote on an Azure VM.

I get the following error “Connecting the remote Server XXXX failed with the following….”

image

There is some things you need to have in place first before being able to connect so I hope this little guide provides some insight to troubleshoot your connections.

1. The EndPoint

If you want to be able to connect to a VM via powershell the first thing you need to check if the endpoint is configured in Azure to allow for the Port forwarding. To do this via powershell is very simple.

if we use the Get-AzureVM Cmdlet and Pipe its output to the Get-AzureEndpoint CMDLET we can see the output. See the following screen show

image

As you will I have a PowerShell Endpoint registered on port 5986. So its on its default port for this service which means technically I should be able to connect.

However when I connect I still get the follow

image

2. The Certificate

When you deploy a VM into Azure a self signed certificate gets generated and stored in the Local Computer Store of the VM. This certificates name will be dependent on if you have deployed a new cloud service or part of an existing cloud service. For example if you choose a new cloud service and it is called demo.cloudapp.net in the local computer store you will see a new self-signed certificate call demo.cloudapp.net. This certificate needs to be exported and copied to the machine you are trying to connect from and imported into its Trust Root Certificate Authority Store . if it is an existing cloud service it will create the certificate in the name of the existing cloud service and the endpoint will give it a different port for Powershell (the remote endpoint). The same process applies in terms of copying the certificate if you haven't already for another VM.

The below image shows you the screenshot of the local computer certificate store on an azure VM with the self signed cert

image

Export this certificate

and copy it down on the your local machine and place it in the Local Computer Certificate Store –> Trusted Root Certification Authorities as show below in the image.

image

Between confirming the endpoint and the certificate in place you should at this stage be able to connect. However if you cant all is not lost! Check the VM itself

3. The VM

The VM should be treated like any other operating system, as soon as you treat it differently you will make a mistake and spend hours troubleshooting.

Start off simple and check if there is a WINRM Listener Configured

This should be performed from an elevated command prompt and the syntax require is

“Winrm e winrm/config/listener”

In my case I got the following output

image

Great the listener is created but hang on the ListeningOn is null.

This is supposed to list the IP addresses it is listening on.

Some other things worth nothing is the CertificateThumbprint this should match the self signed certificate it created.

if it doesn't you will need to delete and recreate the listener with the correct certificate.

In my case however the ListeningOn is null which basically means if I try to connect to the endpoint I wont be able to connect even though it is created!

The second listener is where Source=”GPO” is interesting and leads us down a path you would not think to troubleshoot in most cases.

Azure deploys VM’s with remote Powershell and WINRM configured, therefore if you use a GPO to enable it as you might on premise and I did in the cloud :) it forces it to not listening hence the null value!

A quick disable of the GPO controlling it resulted in a fix! See below the image showing the ip’s it now listens on

image

And now when I try to connect I get a connection!

image

Fantastic!