I recently started an Azure subscription in order to move all the servers I use to test PowerShell code to the cloud. Right now I have only a couple of virtual machines: one running Windows Server 2016, which is my domain controller, and a Windows Server 2012 R2 virtual machine with Exchange 2013 installed. Obviously, both of these VMs are in the same domain.
For the purposes of testing, I wanted to be able to remote to the cloud VMs using PowerShell. The problem is that since my local machine is not in the same domain as the VMs, I couldn’t get authenticated. Now, you can stand up an Azure Active Directory, put the local machine in that domain, and you’re good to go. I’m trying to keep costs as low as possible, so I wasn’t willing to pay that extra expense for the Azure AD. I think you can also use a certificate in an Azure Keystore, but again, extra expense, plus I would have to figure out how to make it work… I’m an Azure n00b.
After some quality time consulting Professor Google, I came to the conclusion that creating a certificate on each VM and then importing that certificate on my local laptop was the easiest way to make this work. Obviously, this is not a good enterprise solution, although I guess you could probably do it a little more efficiently on a larger scale using Certificate Services. Anywho… this is how I did it.
If you have a better method, please let me know in the comments.
# Enable Remoting to an Azure VM
# Make sure to set the public IP address to static, or track changes to the public IP
# Create a Network Security Group rule to allow WinRM over HTTPS (TCP 5986)
# Create a self-signed cert on the Azure VM
$Cert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName PC1.mydomain.local
Export-Certificate -Cert $Cert -FilePath '<filepath>\exch.cer'
# Create the HTTPS listener bound to that cert, then a firewall rule inside the Azure VM
New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $Cert.Thumbprint -Force
New-NetFirewallRule -DisplayName 'WinRM HTTPS-In' -Name 'WinRM HTTPS-In' -Profile Any -LocalPort 5986 -Protocol TCP
# Install the cert on the client (copy exch.cer to the client first, then import it into Trusted Root)
Import-Certificate -FilePath '<filepath>\exch.cer' -CertStoreLocation Cert:\LocalMachine\Root
# Run this on the remote client
# Note: -SkipCACheck/-SkipCNCheck/-SkipRevocationCheck disable server certificate validation, so the
# self-signed cert no longer protects against a spoofed endpoint; they are needed here because the
# connection is made by IP address while the cert was issued for PC1.mydomain.local.
$cred = Get-Credential
Enter-PSSession -ConnectionUri https://xx.xx.xx.xx:5986 -Credential $cred -SessionOption `
(New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck) -Authentication Negotiate
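The same procedure, as an added example that is not part of the original post, but with the NSG and firewall rules restricted to one admin IP and the cert issued for the VM's public FQDN so the client can verify it instead of skipping the checks. It assumes the Az PowerShell module, a public IP that already has a DNS name label, and placeholder names (resource group 'rg-lab', NSG 'nsg-lab', public IP 'pip-lab', admin address 203.0.113.10).

```powershell
# Added example, not from the original post. Placeholder names throughout; replace them with your own.

# --- Azure side (run from your workstation with the Az module) ---
$rg      = 'rg-lab'
$adminIp = '203.0.113.10'          # placeholder: the only source address allowed to reach WinRM

$pip = Get-AzPublicIpAddress -ResourceGroupName $rg -Name 'pip-lab'
$pip.PublicIpAllocationMethod = 'Static'            # stable address, no need to track changes
$pip  = Set-AzPublicIpAddress -PublicIpAddress $pip
$fqdn = $pip.DnsSettings.Fqdn                        # e.g. pc1-lab.eastus.cloudapp.azure.com

$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'nsg-lab'
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'Allow-WinRM-HTTPS-Admin' `
    -Priority 1001 -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix "$adminIp/32" -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 5986 |
    Set-AzNetworkSecurityGroup | Out-Null

# --- Inside the VM: cert whose DnsName matches the public FQDN the client will connect to ---
$fqdn = 'pc1-lab.eastus.cloudapp.azure.com'        # paste the value of $fqdn from above
$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName $fqdn
Export-Certificate -Cert $cert -FilePath "$env:TEMP\winrm-$fqdn.cer" | Out-Null
New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * `
    -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null
# Host firewall mirrors the NSG: only the admin IP may reach 5986
New-NetFirewallRule -DisplayName 'WinRM HTTPS-In' -Direction Inbound -Action Allow `
    -Profile Any -LocalPort 5986 -Protocol TCP -RemoteAddress 203.0.113.10 | Out-Null
"Thumbprint to verify on the client: $($cert.Thumbprint)"

# --- On the client: trust exactly this cert, then connect with full validation ---
$fqdn     = 'pc1-lab.eastus.cloudapp.azure.com'
$expected = 'PASTE-THUMBPRINT-PRINTED-BY-THE-VM'     # compare out of band before trusting the file
$imported = Import-Certificate -FilePath ".\winrm-$fqdn.cer" -CertStoreLocation Cert:\LocalMachine\Root
if ($imported.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch ($($imported.Thumbprint)); not trusting this certificate."
}
$cred = Get-Credential
# Hostname matches the cert's DnsName and the issuer is in Trusted Root, so no -Skip* options are needed
Enter-PSSession -ComputerName $fqdn -Port 5986 -UseSSL -Credential $cred -Authentication Negotiate
```

Revocation checking still cannot succeed for a self-signed cert with no CRL, so if the session fails on that point, -SkipRevocationCheck is the only option that still needs to be set.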