Exchange 2013 Remote Powershell – SSL

A customer of mine called me and told me that he wanted a remote PowerShell connection to his brand new Exchange 2013 SP1 servers. The one caveat was that he wanted the connection to be secure. For those of you in the Office 365 world, your PowerShell connections to the cloud can be made secure, and SSL is allowed by default:

$LiveCred = Get-Credential
$Session = New-PSSession -name ExchangeOnline -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
Import-PSSession $Session


Note the ConnectionUri is HTTPS and that the Authentication method is Basic.

So the customer had attempted to enable this by using PowerShell to force the PowerShell Virtual Directory to accept only SSL connections.

set-PowerShellVirtualDirectory -server ex01 -requiressl $true

This kills local PowerShell access:

[Image: SSL-PSRemote03]

So how do we fix this if we cannot run PowerShell commands to fix the PowerShell Virtual Directory? IIS Manager. If we review the settings on the PowerShell virtual directory we see that ‘Require SSL’ is checked:

[Image: SSL-PSRemote02]

Simply uncheck the box and click Apply.

[Image: SSL-PSRemote01]

OK. Local Exchange PowerShell is now working.

Now how do we enable SSL remote PowerShell? While researching this you will notice that there is a lot of information out there on Exchange remote PowerShell, but almost all of it concentrates on the basics of enabling it for general use and not specifically for SSL. As a first step, let’s make sure we can do PowerShell remoting over HTTP.

Verify it’s enabled:

Enter-PSSession -ComputerName localhost

If you receive an error, then PowerShell remoting can be enabled with this command:

enable-psremoting

Choose ‘A’ for the answer to the two questions:

[Image: SSL-PSRemote04]

Now that we have PowerShell remoting enabled, verify that the user account you want to connect with has access:

get-user <alias> |ft displayname,*power*

If the result is True, then the user has permission to connect remotely via PowerShell.

What about SSL? Let’s see what happens by default:

New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://<exchange server FQDN>/PowerShell/ -Credential (Get-credential) -authentication kerberos

** Note ** Using Basic as the authentication method here will cause the connection to fail. Either leave the authentication method undefined, or choose something like Kerberos as in our example.

You will be prompted for credentials and allowed to connect. If, however, the ConnectionUri contains HTTPS and not HTTP, it will fail:

New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://<exchange server FQDN>/PowerShell/ -Credential (Get-credential) -authentication kerberos

[Image: SSL-PSRemote09]

So what is the fix? IIS Authentication. The PowerShell virtual directory has no authentication settings configured:

get-PowerShellVirtualDirectory -server <Exchange Server> |fl *auth*

[Image: SSL-PSRemote06]

Notice that no authentication is configured by default. Let’s enable Basic Authentication, as this will allow us to use an SSL connection to connect remotely via PowerShell.

get-powershellvirtualdirectory -server <exchange server> | set-PowerShellVirtualDirectory -basicauthentication $true

[Image: SSL-PSRemote07]

Now that we have verified PowerShell Remoting is enabled, that our user account has access and that Basic Authentication is enabled, we should be able to connect via HTTPS:

[Image: SSL-PSRemote08]

So there you have it. We now have a successful connection to our remote Exchange 2013 server over HTTPS.
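
The final HTTPS connection written out, as an added example that is not code from the original post: a small wrapper that refuses to send Basic credentials unless the connection URI is HTTPS, then repeats the virtual directory check through the new session. The function name New-ExchangeSslSession and the FQDN ex01.example.com are assumptions for illustration.

```powershell
# Added example, not from the original post.
# New-ExchangeSslSession and ex01.example.com are hypothetical names.
function New-ExchangeSslSession {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [System.Uri] $ConnectionUri,
        [Parameter(Mandatory)] [System.Management.Automation.PSCredential] $Credential
    )

    # Basic authentication only base64-encodes the password, so refuse to
    # send it unless the transport is HTTPS.
    if (-not $ConnectionUri.IsAbsoluteUri -or
        $ConnectionUri.Scheme -ne [System.Uri]::UriSchemeHttps) {
        throw "Refusing Basic authentication over non-HTTPS URI: $ConnectionUri"
    }

    # The server certificate must be trusted by this client and match the host
    # name in the URI, otherwise the connection is rejected.
    New-PSSession -ConfigurationName Microsoft.Exchange `
                  -ConnectionUri $ConnectionUri `
                  -Credential $Credential `
                  -Authentication Basic `
                  -ErrorAction Stop
}

$session = New-ExchangeSslSession -ConnectionUri 'https://ex01.example.com/PowerShell/' `
                                  -Credential (Get-Credential)
try {
    Import-PSSession $session -DisableNameChecking | Out-Null
    # Same check as earlier in the post, now run through the HTTPS session.
    Get-PowerShellVirtualDirectory -Server ex01 | Format-List *auth*
}
finally {
    # Always tear the session down so it does not linger on the server.
    Remove-PSSession $session
}
```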

2 thoughts on “Exchange 2013 Remote Powershell – SSL”

  1. I do not know who you are.. but God Bless You. 😀

    I have been struggling with remote powershell for exchange server, and this has solved it.

    Have one doubt though:

    I am trying to establish a PSSession with exchange server 2013 via remote shell. And thanks to you I’m able to do so, but with Basic authentication.

    When I try to do with kerberos authentication, I get the following error:
    New-PSSession : [servername] Connecting to remote server servername failed with the following error message : Logon failure: unknown user name or bad password.
