I have a PowerShell Azure Automation runbook that remotes into a machine to update some configuration. The runbook seems to work properly when run from Azure, but fails with an authentication error when run from a Hybrid Worker.
The whole reason for having the Hybrid Worker was so I could secure the PSRemoting ports to known hosts, so this is a bit of a bummer.
The main runbook is triggered via webhook, and that calls a child runbook using dot-notation, which calls...
$creds = Get-AutomationPSCredential -Name 'DeploymentCredentials'
$sessionOptions = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
Invoke-Command -ConnectionUri "https://$($FQDN):5986" -Credential $creds -SessionOption $sessionOptions -ScriptBlock {
    $h = hostname
    Write-Output "Running on $h"
}
In this case, $FQDN is supplied as a parameter of course.
The error being reported is:
Connecting to remote server my-server.australiaeast.cloudapp.azure.com failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
CategoryInfo : OpenError: (my-server.au...udapp.azure.com:String) [], PSRemotingTransportException
FullyQualifiedErrorId : AccessDenied,PSSessionStateBroken
I can manually execute the same code from ISE without issue from the hybrid worker so I know it's not a firewall issue, and I have the credentials writing to the output window so I know they are correct too.
I presume this is something to do with the fact the PowerShell function executes under the system account?
Thx
Answering my own question for posterity.
Altering the Hybrid Worker Group to run using credentials for a machine admin allowed the setup to work, whereas using the "Default" credentials (System account I believe) did not.
I think in Windows the System account is not allowed to connect to other machines/services so this may be why, but I'm guessing there.
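The following is an added diagnostic version of the child runbook; it is not code from the question or the answer. It shows how to make the difference between the two Hybrid Worker configurations visible in the job output: it records the Windows identity the runbook is actually executing under (the "Default" setting versus a configured Run As account), opens the remoting session explicitly so an "Access is denied" failure is logged together with that identity, and only then runs the script block from the question. $FQDN and the 'DeploymentCredentials' asset come from the question; the $SkipCertificateChecks switch is an assumed parameter added here so that skipping CA, CN and revocation checks (which leaves the WinRM listener's identity unverified) is an explicit opt-in rather than the default.

```powershell
# Added example, not the original runbook. Assumes the Azure Automation
# cmdlet Get-AutomationPSCredential and the 'DeploymentCredentials' asset
# from the question; $SkipCertificateChecks is an assumed parameter.
param(
    [Parameter(Mandatory = $true)]
    [string]$FQDN,

    # Assumed switch. Default is full TLS certificate validation; the
    # original snippet always skipped CA, CN and revocation checks.
    [switch]$SkipCertificateChecks
)

# 1. Record who the runbook is running as. On a Hybrid Worker with the
#    "Default" setting this is the machine's SYSTEM account; with a
#    configured Run As credential it is that user. Comparing this value
#    between a working and a failing job is the first thing to check.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
Write-Output ("Runbook identity: {0} (IsSystem={1})" -f $identity.Name, $identity.IsSystem)

# 2. Fetch the stored credential. Log the user name only, never the password.
$creds = Get-AutomationPSCredential -Name 'DeploymentCredentials'
if (-not $creds) {
    throw "Automation credential asset 'DeploymentCredentials' was not found."
}
Write-Output ("Remoting as: {0}" -f $creds.UserName)

# 3. Build session options; relax certificate checks only when asked to.
if ($SkipCertificateChecks) {
    Write-Output "WARNING-LEVEL SETTING: certificate CA/CN/revocation checks disabled for $FQDN"
    $sessionOptions = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
} else {
    $sessionOptions = New-PSSessionOption
}

# 4. Open the session explicitly so an authentication failure is reported
#    alongside the identity from step 1 instead of as a bare
#    PSRemotingTransportException.
$connectionUri = "https://$($FQDN):5986"
try {
    $session = New-PSSession -ConnectionUri $connectionUri -Credential $creds `
        -SessionOption $sessionOptions -ErrorAction Stop
} catch {
    throw ("Could not open remoting session to {0} while running as {1}: {2}" -f
        $connectionUri, $identity.Name, $_.Exception.Message)
}

# 5. The remote work from the question, run over the session opened above.
try {
    Invoke-Command -Session $session -ScriptBlock {
        $h = hostname
        Write-Output "Running on $h"
    }
} finally {
    # Always tear the session down, even if the script block fails.
    Remove-PSSession -Session $session
}
```

Run it once from Azure and once on the Hybrid Worker with each Hybrid Worker Group credential setting: the "Runbook identity" line tells you which account WinRM saw, and the step 4 message ties the failure to that account rather than leaving you to infer it.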