I have an IIS-hosted website on an Azure Windows 19 server.
To update the certificate for the SSL binding I have installed the Key Vault extension on the VM.
I was hoping that if I push a new version of the certificate to Key Vault, the VMs will automatically pull the certificate and apply it to the IIS SSL binding.
But when I update the certificate in Key Vault, the extension is able to pull the certificate and put it in the Windows My local store. But it is not updating the corresponding SSL binding in IIS with the new certificate.
Moreover, if I browse https://localhost then I see the client is getting the latest certificate (new version).
I am not able to work out where the problem is.
You could try to use the PowerShell script to update the IIS SSL binding:
$PublicSettings = '{
"fileUris":["https://raw.githubusercontent.com/Azure-Samples/compute-automation-configurations/master/secure-iis.ps1"],
"commandToExecute":"powershell -ExecutionPolicy Unrestricted -File secure-iis.ps1"
}'
Set-AzVMExtension -ResourceGroupName $resourceGroup `
-ExtensionName "IIS" `
-VMName "myVM" `
-Location $location `
-Publisher "Microsoft.Compute" `
-ExtensionType "CustomScriptExtension" `
-TypeHandlerVersion 1.8 `
-SettingString $publicSettings
For more detail, please refer to the article below:
https://learn.microsoft.com/en-us/azure/virtual-machines/windows/tutorial-secure-web-server#configure-iis-to-use-the-certificate
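One way to close the gap described in the question, where the new certificate reaches the LocalMachine\My store but the IIS binding keeps the old thumbprint, is a rebind script run on the VM (for instance through the Custom Script Extension shown above). This is an added example, not code from the original thread or from secure-iis.ps1; the site name, port and subject are placeholder assumptions, and it assumes a single HTTPS binding on that port.

```powershell
# Added example: point an IIS HTTPS binding at the newest valid certificate in LocalMachine\My.
# Assumptions (not from the original post): the three values below are placeholders.
Import-Module WebAdministration

$SiteName = 'Default Web Site'      # hypothetical site name
$Port     = 443
$Subject  = 'CN=www.example.com'    # hypothetical certificate subject

# Candidates: exact subject match, private key present, inside the validity window.
$now  = Get-Date
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.Subject -eq $Subject -and $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) { throw "No valid certificate with subject '$Subject' and a private key was found." }

$binding = Get-WebBinding -Name $SiteName -Protocol https -Port $Port
if (-not $binding) { throw "Site '$SiteName' has no https binding on port $Port." }

# certificateHash is the thumbprint the binding currently points at.
if ($binding.certificateHash -eq $cert.Thumbprint) {
    Write-Output "Binding already uses $($cert.Thumbprint); nothing to do."
}
else {
    if ($binding.certificateHash) { $binding.RemoveSslCertificate() }
    $binding.AddSslCertificate($cert.Thumbprint, 'My')
    Write-Output "Rebound ${SiteName}:$Port to $($cert.Thumbprint), expires $($cert.NotAfter)."
}

# Read the binding back to confirm the thumbprint that is now in place.
(Get-WebBinding -Name $SiteName -Protocol https -Port $Port).certificateHash
```

Because the script exits early when the thumbprint already matches, it can run on a schedule or after every extension poll without touching a healthy binding.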
Whenever I try to log in to my server I get the following error:
The remote computer that you are trying to connect to requires Network Level Authentication (NLA), but your Windows domain controller cannot be contacted to perform NLA. If you are an administrator on the remote computer, you can disable NLA by using the options on the Remote tab of the System Properties dialog box.
I can't connect to my server remotely using PowerShell and Remote Registry (regedit) in spite of enabling TCP port 5986. Can anyone suggest a solution?
There is an easy method to disable NLA via the Azure portal. You can navigate to Operations > Run command, select the DisableNLA script, then click the Run button. After the run command script finishes, restart your Azure VM for the change to take effect.
Alternatively, you also could invoke run command with PowerShell or Azure CLI.
https://learn.microsoft.com/en-us/azure/virtual-machines/windows/run-command
For example
Run these PowerShell scripts to disable or enable the NLA of the remote computer on the local machine with
Invoke-AzVMRunCommand -ResourceGroupName '<myResourceGroup>' -Name '<myVMName>' -CommandId 'RunPowerShellScript' -ScriptPath '<pathToScript>' -Parameter @{"arg1" = "var1";"arg2" = "var2"}
$ComputerName = "remote computer"
# Getting the NLA information
(Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -ComputerName $ComputerName -Filter "TerminalName='RDP-tcp'").UserAuthenticationRequired
# Setting the NLA information to Disabled
(Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -ComputerName $ComputerName -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(0)
# Setting the NLA information to Enabled
(Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -ComputerName $ComputerName -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(1)
# -Parameter @{"arg1" = "var1";"arg2" = "var2"}
I would like to run some tests on some VM machines. The machines belong to different users with different MSDN accounts, which means private passwords.
What I did so far is to create an Azure VM for each MSDN account and set a similar user name/password for the machine.
What I would like to do is to:
Connect to any of these VMs. My problem: I don't know the machine name. I tried to connect using the rdp file provided by Azure, and it's working, but the problem is that it's using an IP instead of a name.
I tried finding the machine name, but all documentation about this seems to be outdated. I tried to connect to amam10x64.westeurope.cloudapp.azure.com but without success.
Copy a file to/from the VM. My hope is that I can use the following snippet:
$commandStr = [string]::Format("Copy-VMFile ""{0}"" -SourcePath ""{1}"" -DestinationPath ""{2}"" -CreateFullPath -FileSource Host -Force",
    $VM, $SessionPath, $RemoteFullPath)
$commandBlock = [scriptblock]::Create($commandStr)
Invoke-Command -Session $sess -ScriptBlock $commandBlock
Run a command on the VM. Hopefully, I can use same command from Pt. 2.
I tried to connect to amam10x64.westeurope.cloudapp.azure.com but without success.
If you want to connect this VM with DNS, we should set FQDN for this VM, please refer to this link.
Copy a file to/from the VM. My hope is that I can use the following snippet:
Maybe we can use winrm to do this.
About how to use winrm connect Azure VM, please refer to this answer.
Run a command on the VM. Hopefully, I can use same command from Pt. 2.
We can use this script to connect Azure VM via Winrm:
$username = 'jason'
$pass = ConvertTo-SecureString -string 'password' -AsPlainText -Force
$cred = New-Object -typename System.Management.Automation.PSCredential -argumentlist $username, $pass
$s = New-PSSession -ConnectionUri 'http://23.99.82.2:5985' -Credential $cred -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck)
Invoke-Command -Session $s -ScriptBlock {Get-Process PowerShell}
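The three steps from the question (connect, copy a file, run a command) over WinRM with TLS and certificate checks left on, as an added example that is not part of the original answer. It assumes an HTTPS WinRM listener on port 5986 whose certificate matches the VM's DNS name and chains to a CA the client trusts; the host name and file paths are placeholders.

```powershell
# Added example. Assumptions: WinRM HTTPS listener on 5986, certificate issued for $VmFqdn
# by a CA this client trusts. Host name and paths are placeholders.
$VmFqdn    = '<dns-label>.<region>.cloudapp.azure.com'
$LocalFile = 'C:\local\test-input.zip'
$RemoteDir = 'C:\Temp'
$cred      = Get-Credential            # prompts; no password is stored in the script

# No -SkipCACheck / -SkipCNCheck: a certificate mismatch must fail the connection.
$s = New-PSSession -ComputerName $VmFqdn -UseSSL -Port 5986 -Credential $cred -ErrorAction Stop
try {
    # 1. Copy a file to the VM through the session.
    Invoke-Command -Session $s -ScriptBlock {
        param($dir) New-Item -ItemType Directory -Path $dir -Force | Out-Null
    } -ArgumentList $RemoteDir
    Copy-Item -Path $LocalFile -Destination $RemoteDir -ToSession $s

    # 2. Run a command on the VM: hash the copied file and compare with the local hash.
    $remoteHash = Invoke-Command -Session $s -ScriptBlock {
        param($path) (Get-FileHash -Path $path -Algorithm SHA256).Hash
    } -ArgumentList (Join-Path $RemoteDir (Split-Path $LocalFile -Leaf))
    $localHash = (Get-FileHash -Path $LocalFile -Algorithm SHA256).Hash
    if ($remoteHash -ne $localHash) { throw 'Hash mismatch after copy.' }

    # 3. Copy a result file back from the VM.
    Copy-Item -Path (Join-Path $RemoteDir 'results.log') -Destination 'C:\local\' -FromSession $s
}
finally {
    Remove-PSSession $s               # always close the remote session
}
```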
I just created a VM in Azure using the Resource Manager model. And I can't RDP to it. The machine is running. The error I receive is:
Your credentials did not work
I have tried the following user names:
myCompanyDomain\user
user
.\user
\user
NameOfVM\user
I have checked, double checked, and triple checked the password. I have read and followed all of the steps in this article: https://azure.microsoft.com/en-us/documentation/articles/virtual-machines-troubleshoot-remote-desktop-connections/#wincred
Still can't connect. What am I missing?
Well, the root of this problem is still a mystery. If we figure it out, I'll post the solution. For whatever weird reason, when I create a VM, nobody (none of my co-workers nor I) can access it. When anyone else creates a VM using the SAME STEPS, we can all access it. But, we found a workaround. This article helped, but didn't get us all the way there.
Here's the workaround script:
Login-AzureRmAccount
Get-AzureRmSubscription -SubscriptionName <Your Subscription Name>
# Copy the Tenant Id returned above
Login-AzureRmAccount -TenantId <TenantId>
$vm = Get-AzureRmVM -ResourceGroupName <Your Resource Group Name> -Name <Your VM Name>
$cred = Get-Credential   # this is the VM user credentials
Set-AzureRmVMAccessExtension -ResourceGroupName <Your Resource Group Name> -VMName <Your VM Name> -Name VMAccessAgent -TypeHandlerVersion "2.0" -UserName $cred.UserName -Password $cred.GetNetworkCredential().Password -Location <Location of VM>
Update-AzureRmVM -ResourceGroupName <Your Resource Group Name> -VM $vm
I want to create Azure VM with public static IP.
Here are the issues I encountered:
I have a "VS professional MSDN subscription" which gave me 45e/month Azure credit.
I log into the Azure portal (https://manage.windowsazure.com) with the MSDN-subscription-enabled account to create a new virtual machine; in the "REGION/AFFINITY GROUP" option, only "central us", "south central us", "east asia", "south east asia", "japan west" are available, while I would like to create the VM in "north europe".
If I log into the Azure preview portal (https://portal.azure.com), I can create a VM in "north europe", but the New-AzureReservedIP PowerShell command does not work with `-Location "North Europe"`; only locations available in the old portal region list are allowed (such as "south central us").
In "classic" mode New-AzureReservedIP creates a new IP address for your cloud service. After the reserved IP has been created, you can only associate it with the cloud service.
When can it be useful?
If all of the virtual machines in a cloud service are in the StoppedDeallocated state (or deleted), the public IP address of the cloud service is lost. You can mitigate this by using a reserved IP address hosting your virtual machines.
Now if you use https://portal.azure.com and "Resource Manager" for creating your VMs, you can configure the public IP for the VM at creation time or change after.
At creation time
It seems that a static IP address is currently not supported. I have tried to create a static PublicIP address with New-AzureRmPublicIpAddress, but it supports only the dynamic type. When I set "static" for the switch -AllocationMethod Static, it returns this error:
Currently this configuration is not supported. Network interfaces can use only dynamic public IPs.
In the ARM CLI, you can use the following command to create a static public IP in the resource group "momentarybehaviorrg" (which must already exist) with name "myipname" in location "North Europe":
azure network public-ip create -g momentarybehaviorrg -n myipname -l "North Europe" -a Static
For more info, take a look at the documentation with the following command:
azure network public-ip create -h
Microsoft prevented my account from creating VMs in European regions.
Their tech support enabled it after internal team discussion.
Now I can create VMs as I want.
Thus, it is an issue in the back-end.
You can script the whole VM creation process via PowerShell; this includes the creation of the resource group, the subnet, the vnet, the public IP, the network security group, the storage and much more.
You can attach all VM resources to one resource group, and by doing this you can easily delete the VM and related resources by executing one command line.
Install and import AzureRM
In order to use and execute the commands below, we need to install and import the AzureRM PowerShell module if we don't already have it; if you already have it, you can skip this section.
PS: You need elevated privileges to install modules from PowerShell Gallery
`Install-Module -Name AzureRM -AllowClobber`
By default, the PowerShell gallery is not configured as a trusted repository for PowerShellGet. The first time you use PSGallery, the following message is displayed:
Untrusted repository
You are installing the modules from an untrusted repository. If you trust this repository, change
its InstallationPolicy value by running the Set-PSRepository cmdlet.
Are you sure you want to install the modules from 'PSGallery'?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "N"):
So, don't worry about this message.
Once installed, you can import AzureRM by running the following command:
Import-Module AzureRM
Finally, to finish with this section we need to connect to the Azure account; simply execute this command and you will be prompted:
# Connect to Azure with an interactive dialog for sign-in
Connect-AzureRmAccount
Create a resource group
A resource group is a logical container in which Azure resources are deployed and managed.
From your SDK, run the following code block to create a resource group:
# Create variables to store the location and resource group names.
$location = "francecentral"
$ResourceGroupName = "resource-group-1"
New-AzureRmResourceGroup -Name $ResourceGroupName -Location $location
Create storage resources
Create a storage account to store the output of boot diagnostics.
# Create variables to store the storage account name and the storage account SKU information
$StorageAccountName = "msstorage01"
$SkuName = "Standard_LRS"
# Create a new storage account
$StorageAccount = New-AzureRMStorageAccount `
-Location $location `
-ResourceGroupName $ResourceGroupName `
-Type $SkuName `
-Name $StorageAccountName
Set-AzureRmCurrentStorageAccount `
-StorageAccountName $storageAccountName `
-ResourceGroupName $resourceGroupName
Create networking resources
Create a VNet (virtual network), subnet, and a public IP address. Creating these Azure resources helps us provide network connectivity to our VM.
# Create the subnet configuration
$subnetConfig = New-AzureRmVirtualNetworkSubnetConfig `
-Name subNet-1 `
-AddressPrefix 192.168.1.0/24
Create the virtual network
$vnet = New-AzureRmVirtualNetwork `
-ResourceGroupName $ResourceGroupName `
-Location $location `
-Name vNet-1 `
-AddressPrefix 192.168.0.0/16 `
-Subnet $subnetConfig
Create a public IP address and specify a DNS name
$publicip = New-AzureRmPublicIpAddress `
-ResourceGroupName $ResourceGroupName `
-Location $location `
-AllocationMethod Static `
-IdleTimeoutInMinutes 4 `
-Name "mypublicdns$(Get-Random)"
Create an NSG (network security group) and an NSG rule
The NSG secures our VM by using inbound and outbound rules.
Now, we need to create an inbound rule for port 3389 to allow incoming RDP (Remote Desktop) connections and an inbound rule for port 80 to let our VM receive the incoming web traffic.
Create an inbound NSG rule for the 3389 port
# Create an inbound NSG rule for the 3389 port
# This rule will allow us to connect to the VM via an RDP connection
$nsgrdprule = New-AzureRmNetworkSecurityRuleConfig `
-Name nsg-rdp-rule `
-Protocol Tcp `
-Direction Inbound `
-Priority 1000 `
-SourceAddressPrefix * `
-SourcePortRange * `
-DestinationAddressPrefix * `
-DestinationPortRange 3389 `
-Access Allow
Create an inbound network security group rule for port 80
# This rule will allow the VM to receive incoming web connections via the port 80
$nsgwebrule = New-AzureRmNetworkSecurityRuleConfig `
-Name nsg-inbound-www-rule `
-Protocol Tcp `
-Direction Inbound `
-Priority 1001 `
-SourceAddressPrefix * `
-SourcePortRange * `
-DestinationAddressPrefix * `
-DestinationPortRange 80 `
-Access Allow
Create the NSG (network security group)
# This will wrap up previously created rules (nsg-web-rule and nsg-rdp-rule) within an NSG
$nsg = New-AzureRmNetworkSecurityGroup `
-ResourceGroupName $ResourceGroupName `
-Location $location `
-Name nsg-1 `
-SecurityRules $nsgrdprule,$nsgwebrule
# This command will create a VNC (virtual network card) and associate it with public IP address and NSG
$nic = New-AzureRmNetworkInterface `
-Name nic-1 `
-ResourceGroupName $ResourceGroupName `
-Location $location `
-SubnetId $vnet.Subnets[0].Id `
-PublicIpAddressId $publicip.Id `
-NetworkSecurityGroupId $nsg.Id
# Define a credential object to store the username and password for the VM
$UserName='ali.mselmi'
$Password='P#ssword123'| ConvertTo-SecureString -Force -AsPlainText
$Credential=New-Object PSCredential($UserName,$Password)
Create the VM configuration object
$VmName = "VirtualMachinelatest"
$VmSize = "Standard_A1"
$VirtualMachine = New-AzureRmVMConfig `
-VMName $VmName `
-VMSize $VmSize
$VirtualMachine = Set-AzureRmVMOperatingSystem `
-VM $VirtualMachine `
-Windows `
-ComputerName "MainComputer" `
-Credential $Credential -ProvisionVMAgent
$VirtualMachine = Set-AzureRmVMSourceImage `
-VM $VirtualMachine `
-PublisherName "MicrosoftWindowsServer" `
-Offer "WindowsServer" `
-Skus "2016-Datacenter" `
-Version "latest"
# Sets the operating system disk properties on a VM.
$VirtualMachine = Set-AzureRmVMOSDisk `
-VM $VirtualMachine `
-CreateOption FromImage | `
Set-AzureRmVMBootDiagnostics -ResourceGroupName $ResourceGroupName `
-StorageAccountName $StorageAccountName -Enable |`
Add-AzureRmVMNetworkInterface -Id $nic.Id
Create the VM
Finally, we can create the VM deployment configuration.
# Create the VM.
New-AzureRmVM `
-ResourceGroupName $ResourceGroupName `
-Location $location `
-VM $VirtualMachine
We can check the VM creation via the Azure portal:
Connect to the VM
To remotely access the VM that we created in the previous step, we need its public IP address, which was also set up previously.
To do that, we just need to run the following command and get the public IP address:
Get-AzureRmPublicIpAddress `
-ResourceGroupName $ResourceGroupName | Select IpAddress
Now we can create a Remote Desktop session with the VM; you just need to replace the IP address with the public IP address of your VM.
When prompted, you can log in using the credentials you used when creating the VM.
`mstsc /v:publicIpAddress`
Connect to the Azure VM with an RDP, SSH or Bastion
You can connect to the VM via RDP, SSH or Bastion; you just need to click the created VM in the Azure portal and then click Connect.
Delete the VM
We can use the following command to remove the resource group that contains the VM and its related resources:
Remove-AzureRmResourceGroup `
-Name $ResourceGroupName
Final words...
The advantage of scripting the entire VM creation process is that often we don't need to create a single VM, but several; creating a script for the process gives us the flexibility to customize VM creation at large scale.
Original blog post
Create a Windows Server virtual machine with PowerShell
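The nsg-rdp-rule in the post allows port 3389 from any source address. As an added example (not part of the original post), here is the same rule scoped to one administrative address, followed by a check that lists any inbound Allow rule in the resource group that still exposes 3389 to every source. The address is a documentation-range placeholder and Test-PortInRange is a helper introduced here.

```powershell
# Added example, using the AzureRM cmdlets from the post.
# Assumptions: $AdminSource is a placeholder for your own egress address.
$ResourceGroupName = 'resource-group-1'
$AdminSource       = '203.0.113.10/32'

# Same rule as nsg-rdp-rule, but reachable only from $AdminSource.
$nsgrdprule = New-AzureRmNetworkSecurityRuleConfig `
    -Name nsg-rdp-rule -Protocol Tcp -Direction Inbound -Priority 1000 `
    -SourceAddressPrefix $AdminSource -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 3389 -Access Allow

# Helper (introduced here): does an NSG port expression ('*', '3389', '3000-4000') cover $Port?
function Test-PortInRange {
    param([string]$Range, [int]$Port)
    if ($Range -eq '*') { return $true }
    $lo, $hi = $Range -split '-'
    if (-not $hi) { $hi = $lo }
    return ($Port -ge [int]$lo -and $Port -le [int]$hi)
}

# Audit: inbound Allow rules that expose 3389 to any source.
$openSources = '*', 'Internet', '0.0.0.0/0'
Get-AzureRmNetworkSecurityGroup -ResourceGroupName $ResourceGroupName | ForEach-Object {
    $nsgName = $_.Name
    $_.SecurityRules | Where-Object {
        $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and
        (@($_.SourceAddressPrefix) | Where-Object { $_ -in $openSources }) -and
        (@($_.DestinationPortRange) | Where-Object { Test-PortInRange $_ 3389 })
    } | Select-Object @{ n = 'Nsg'; e = { $nsgName } }, Name, Priority,
                      SourceAddressPrefix, DestinationPortRange
}
```

An empty result from the audit means no rule in the resource group allows RDP from every source; port ranges and the wildcard are covered as well as the literal 3389.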