
A Step by Step Guide to Connecting to an Azure Virtual Machine with PowerShell Remoting

by Howard van Rooijen

Any person tasked with looking after a number of Windows Servers knows that Remote Desktop will only scale so far and that at some point you will need to turn to scripting to manage a server estate of any reasonable size. Two years ago I blogged “An Omega Geek’s Guide to Learning PowerShell”, so it should be pretty obvious what my weapon of choice is.

Theoretically, connecting to an Azure Virtual Machine via PowerShell Remoting should be relatively straightforward, as Windows Server 2012 R2 enables PowerShell Remoting by default and Azure exposes a remoting endpoint by default. I wanted to script some changes to a TeamCity based Continuous Integration Environment (see my whitepaper for JetBrains “From Chaos, through Fear, to Confidence” for more information), and found that in practice it was actually a tad more involved.

Firstly, you need to know where your public PowerShell Remoting endpoint is. To find this, log in to the Azure Management Portal, select your Virtual Machine and click the “Endpoints” tab:

[Screenshot: the remoting endpoint on the “Endpoints” tab]

Armed with this information the following command should work (you will be prompted to enter your password via a standard Windows Authentication dialog):

Enter-PSSession -ComputerName <machinename>.cloudapp.net -Port <remoting-endpoint> -Credential <username> -UseSSL

But instead I received the following error message:

The server certificate on the destination computer (<machinename>.cloudapp.net:<remoting-endpoint>) has the following errors: The SSL certificate is signed by an unknown certificate authority.

[Screenshot: connection error]

This is actually quite a self-explanatory error message for a change. When the WSMAN:// endpoint is created, a self-signed SSL certificate is generated (I’m not sure why the Azure team doesn’t just have a wildcard *.cloudapp.net SSL certificate). You can test this by navigating to the HTTPS PowerShell Remoting Endpoint in Chrome, which gives you the following warning message:

[Screenshot: navigating to the remoting endpoint in Chrome]

To view the certificate details, right click on the padlock icon in the address bar and click the “Certificate information” link:

[Screenshot: view certificate]

and you’ll be shown a dialog containing the certificate information:

[Screenshot: view certificate details]

Click the “Details” tab and then click the “Copy to File…” button:

[Screenshot: copy to file]

This invokes the Certificate Export Wizard. Click “Next”:

[Screenshot: welcome to the Certificate Export Wizard]

The default DER format should be sufficient, so click “Next”:

[Screenshot: export file format]

Next, choose a location and file name to save the certificate to, and click “Next”:

[Screenshot: choosing the export file location]

Click “Finish” on the confirmation screen:

[Screenshot: completing the Certificate Export Wizard]

Navigate to where you saved the certificate file, right click and select the “Install Certificate” option from the context menu:

[Screenshot: install certificate]

This should invoke the Certificate Import Wizard. Choose the “Current User” store location option:

[Screenshot: welcome to the Certificate Import Wizard]

Select the “Place all certificates in the following store” option:

[Screenshot: Certificate Import Wizard]

Choose the “Trusted Root Certification Authorities” folder from the dialog:

[Screenshot: select Trusted Root Certification Authorities]

Click “Next”:

[Screenshot: confirm certificate store]

Next you’ll be shown a security confirmation dialog; click the “Yes” button:

[Screenshot: security warning]

If the import was successful, you should see the following dialog:

[Screenshot: import successful]

Now with the certificate installed locally, you can try to create a new PowerShell Remoting session:

[Screenshot: Enter-PSSession]

and you should successfully connect:

[Screenshot: connected]
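The export and import steps above can also be scripted. The following is an added example, not code from the original post: it retrieves the certificate the endpoint presents, refuses to trust it unless its thumbprint matches a value you obtained out of band (an assumption; the post does not cover this check), then adds it to the Current User “Trusted Root Certification Authorities” store and connects. The function and parameter names are hypothetical.

```powershell
# Added example (not from the original post). Function names are hypothetical.
function Get-RemoteTlsCertificate {
    param(
        [Parameter(Mandatory = $true)] [string] $HostName,
        [Parameter(Mandatory = $true)] [int]    $Port
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate on THIS connection only: it is used to fetch
        # the certificate for inspection, and nothing sensitive is sent over it.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        $tcp.Close()
    }
}

function Connect-AzureVmWithPinnedCert {
    param(
        [Parameter(Mandatory = $true)] [string] $HostName,            # <machinename>.cloudapp.net
        [Parameter(Mandatory = $true)] [int]    $Port,                # public remoting endpoint port
        [Parameter(Mandatory = $true)] [string] $UserName,
        [Parameter(Mandatory = $true)] [string] $ExpectedThumbprint   # assumption: known out of band
    )
    $cert = Get-RemoteTlsCertificate -HostName $HostName -Port $Port

    # Normalise the expected value (strip spaces/colons) before comparing.
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($cert.Thumbprint -ne $expected) {
        throw "Thumbprint mismatch: endpoint presented $($cert.Thumbprint). Certificate not trusted."
    }

    # Same destination as the wizard: Current User > Trusted Root Certification Authorities.
    # Windows shows the same security confirmation dialog as the GUI import.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'CurrentUser')
    $store.Open('ReadWrite')
    try { $store.Add($cert) } finally { $store.Close() }

    Enter-PSSession -ComputerName $HostName -Port $Port -Credential $UserName -UseSSL
}
```

The thumbprint comparison is what separates this from trusting whatever certificate answered on the port; without a known-good value, compare the thumbprint by hand before importing.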

Work Smarter, Not Harder.


About the author

Howard spent 10 years as a technology consultant helping some of the UK's best known organisations work smarter, before founding endjin in 2010. He's a Microsoft Accelerator Mentor, and a Microsoft Azure MVP. You can follow him on Twitter via @HowardvRooijen