We are trying to move some automations from PowerShell ISE to Azure Automation using a hybrid worker to our on-prem Bentley utility server.
In PowerShell ISE both a logical account and IMS account work with New-PWLogin.
In Azure Runbooks a logical account will work with New-PWLogin but the IMS does not.
Here is the PowerShell and its result from Runbooks:
Source:
$cred = Get-AutomationPSCredential -Name 'Acct'
$pass = $cred.Password
$SourceDatasource = 'server:datasource'
$Splat_LoginSource = @{
    DatasourceName = $SourceDatasource
    UserName = 'Acct'
    Password = $pass
    UseGUI = $false
    BentleyIMS = $true
}
New-PWLogin @Splat_LoginSource
Result:
Can't get BTSSvc.URL Could not retrieve BTSSvc.URL Error logging in to 'Server:Datasource' 58000. Attempting to use token '' False
Can anyone help us to understand what may be happening?
Hmm. I'm surprised that's working at all. BentleyIMS should be false in the above case where you provide logical creds. You need a PWC client install in order to use PowerShell so it's just not designed for working in a serverless scenario.
I have designed Request-PWRemoteScriptExecution for this case. Might be worth a look. I think the help is pretty self-explanatory.
Thanks for the reply Dave!
Just for clarification, within Azure Automation we are using a Hybrid Worker, which uses a Log Analytics Agent installed on our \\Bentley-Server-01 to pass the runbook (PS script) locally and run on a local ISE instance. PWC is installed there. This script below, when run from Azure Automation, actually yielded a true result for a logical admin account:
But once we got to the Bentley IMS account, using those -BentleyIMS $True -UseGUI $False switches we were getting those errors Jeff listed above, when using Azure Automation.
The exact script Jeff posted above for a Bentley IMS account worked locally in PS ISE on our \\Bentley-Server-01. I will give Request-PWRemoteScriptExecution a spin and let you know how it works!
OK. That scenario sounds like it'll work. I'm not sure why you would want to use an IMS login, but if you do, you should use Get-PWNonFederatedLoginToken (you'll have to establish a non-federated IMS account within your IMS Organization) and pass it in the -Token parameter in New-PWLogin. You will set -BentleyIMS to true in that case.
Perfect. The advantage in using an IMS identity, in my relative ignorance, is that it's a managed AD account. I've always heard that logical admin accounts would eventually go away; that may be another advantage, not sure.
Jeff
Eliminating logical accounts may be an eventual goal, but they are certainly available now. No reason not to use them. By the time they are eliminated, I expect we'll have migrated to a completely different identity management system (no telling what that will be). Note that in your configuration, you should be using the 10.0.3.334 client to avoid SES licensing issues with non-interactive logins.