vNext Work Around for Second Hop Issue on NonDomain Machines

  • Question

  • I've asked the Microsoft Developer Community this question but I haven't had much success.

    I am trying to create some automation tests with a vNext Build Definition in which the build agent RemotePSSession into a non-domain virtual machine (the test machine) and runs a batch file that can take several arguments. This batch file may read (installer files) or write (reports) to a network share that is on the domain. The issue that I am coming across is the second hop issue. Here is an article about it: https://blogs.technet.microsoft.com/ashleymcglone/2016/08/30/powershell-remoting-kerberos-double-hop-solved-securely/

    In my instance, the PowerShell Remote Session is not able to pass the credentials we have authenticated previously in the test machine to access the network share’s resources. We have tried using CredSSP authentication on both the agent and the test machine to enable access but that has failed. The Net Use and other commands which call domain resources have also failed. We’ve even tried modifying the custom task PowerShell on Target Machines task and did not have much luck with it.

    From what we have discovered, there is no way to access the domain network shares with RemotePSSession with the following topology: Server A (which is in the domain or workgroup) ⇒ RemotePSSession + CredSSP into Server B (which is non-domain), using a local admin Server B account ⇒ Calls the network shares, with Net Use using some domain account.

    It seems that the second hop only works for domain-joined machines (we have been testing it using CredSSP as well).

    Let us know if there is a solution or workaround that we can implement.

    Their response was >> If you can make sure the method is correct and the issue is caused by DevOps, we will be happy to help you with your issues about DevOps. Here are some documents that might be helpful: https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/ps-remoting-second-hop?view=powershell-6.

    I've looked at this documentation before and I haven't had much success, does anyone else have any suggestions?

    Monday, October 28, 2019 11:41 PM

All replies

  • CredSSP cannot pass credentials if the middle host does not allow it.

    Start by simplifying your request and posting only the code and the step that fails.  It is almost always the case that the first failure is the one that has the helpful exception.

    Refusals from other sites that you have asked do not count as exceptions.  Technical questions cannot be answered from a rambling narrative.  You must provide accurate and detailed steps that cause the first exception as well as the exact exception.

    Read the following to get some help with how to do this: How to ask questions in a technical forum


    \_(ツ)_/


    Tuesday, October 29, 2019 12:01 AM
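    The reply above points at the CredSSP configuration on both ends. The following is an added example, not code from the original thread, showing how to check and enable CredSSP for a target that is not domain-joined. Because a workgroup machine cannot be authenticated with Kerberos, WinRM falls back to NTLM, and Enable-WSManCredSSP -Role Client alone is not enough: it writes only the "fresh credentials" policy that applies to Kerberos-authenticated servers, so the separate "NTLM-only" delegation policy has to list the target as well. The name serverB is an assumed name for the non-domain test machine; the registry values are the ones the Credentials Delegation group policy writes.

    ```powershell
    # Added example (not from the original post). Run the first part on Server B (the
    # non-domain test machine, CredSSP "server" role) and the rest on Server A (the build
    # agent, CredSSP "client" role). 'serverB' is an assumed name.

    # --- On Server B: accept delegated credentials from remote clients ---
    Enable-WSManCredSSP -Role Server -Force
    Get-WSManCredSSP   # should report that this computer is configured to receive credentials

    # --- On Server A: allow delegation of fresh credentials to serverB ---
    $target = 'serverB'   # assumption: DNS/NetBIOS name of the non-domain test machine

    # Plain (HTTP) NTLM remoting to a workgroup host requires the host in TrustedHosts.
    # Not needed when the session uses -UseSSL, because HTTPS authenticates the server.
    Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value $target -Concatenate -Force

    # Writes the AllowFreshCredentials policy (WSMAN/serverB). This policy is only honoured
    # for servers authenticated with Kerberos, which a workgroup machine never is.
    Enable-WSManCredSSP -Role Client -DelegateComputer $target -Force

    # For an NTLM-authenticated target the NTLM-only policy must also list it:
    # GPO "Allow delegating fresh credentials with NTLM-only server authentication".
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
    New-Item -Path $policy -Force | Out-Null
    New-ItemProperty -Path $policy -Name 'AllowFreshCredentialsWhenNTLMOnly' -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $policy -Name 'ConcatenateDefaults_AllowFreshNTLMOnly' -Value 1 -PropertyType DWord -Force | Out-Null

    $list = Join-Path -Path $policy -ChildPath 'AllowFreshCredentialsWhenNTLMOnly'
    New-Item -Path $list -Force | Out-Null
    New-ItemProperty -Path $list -Name '1' -Value "WSMAN/$target" -PropertyType String -Force | Out-Null

    # Verify: the client role should be enabled and the NTLM-only list should contain WSMAN/serverB.
    Get-WSManCredSSP
    Get-ItemProperty -Path $list
    ```

    Two caveats a practitioner should keep in mind. First, CredSSP hands the target the same credential that was used to open the session; when that credential is a local administrator account on Server B, what arrives on Server B is a credential that the domain share on Server C has no way to accept, so enabling CredSSP on a workgroup target does not by itself give that target any standing on the domain. Second, CredSSP delivers the credential to the target in a form the target can reuse freely, so any account that is delegated this way should be a least-privilege account, and the target should be treated as able to act as that account for as long as the session is open.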
  • Hi,

    Was your issue resolved?

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolved it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If no, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Lee

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, November 8, 2019 1:05 PM
  • Simplifying my request.

    I have a vNext agent (Server A), telling a test machine (Server B) to access a UNC path (Server C). CredSSP is enabled on the client and server side and we are trying to send the following code via PS Remote Session.

    #serverA - local machine (the build agent; runs this script)
    #serverB - $remoteServer (non-domain test machine; $credential is a local admin account on it)
    #serverC - DFS namespace server (the domain share)

    # The three Skip* options turn off certificate validation (CA chain, subject name and
    # revocation) for the HTTPS WinRM listener on serverB, so the session is not protected
    # against an impersonated endpoint. They have no effect unless -UseSSL is also used.
    $session = New-PSSession -ComputerName $remoteServer -Credential $credential -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck) -Authentication Credssp

    $scriptBlock_runFile = {
        #Scenario 0 which works (purely local to serverB, no second hop involved):
        #ipconfig

        #Scenario 1 which doesn't work (serverB must authenticate to serverC; dir is an alias of Get-ChildItem):
        #Get-ChildItem \\contoso.com\departments\folder

        #Scenario 2 which doesn't work (explicit domain credential on the command line;
        #the password is visible in transcripts, logs and the process command line):
        #net use x: \\contoso.com\departments\folder /user:CONTOSO\user "password"
    }

    # Uncomment exactly one scenario above before running; as posted, every scenario is
    # commented out and the script block does nothing on serverB.
    Invoke-Command -Session $session -ScriptBlock $scriptBlock_runFile

    Let me know if I can make this more clear. 

    Wednesday, November 13, 2019 11:21 PM
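    Scenarios 1 and 2 in the post above both need Server B to present an acceptable credential to Server C. The following is an added example, not code from the original thread, showing the one approach that does not depend on delegation at all: the domain credential is passed into the remote script block as a PSCredential object and used only for the SMB connection from Server B to Server C, so no hop is forwarded. The names $remoteServer, $credential and the share path are taken from the post; CONTOSO\svc-build is a hypothetical least-privilege domain account that is assumed to have read access to the share.

    ```powershell
    # Added example (not from the original post). Reach a domain share from a non-domain
    # machine by supplying the domain credential explicitly inside the remote session.
    # 'serverB', 'CONTOSO\svc-build' and the share ACLs are assumptions.

    $remoteServer = 'serverB'
    $sharePath    = '\\contoso.com\departments\folder'   # share path as in the original post

    # Local administrator on Server B (what the session itself authenticates with).
    $credential = Get-Credential -Message 'Local admin account on Server B'

    # Domain account used only for the SMB connection from B to C. It should have no more
    # rights than the share needs, because Server B receives it in usable form.
    $shareCred = Get-Credential -UserName 'CONTOSO\svc-build' -Message 'Domain account for the share'

    # Plain session to the workgroup host, no CredSSP required for this approach.
    # -UseSSL assumes an HTTPS WinRM listener on Server B whose certificate Server A trusts;
    # with a trusted certificate the Skip* options from the original post are not needed.
    $session = New-PSSession -ComputerName $remoteServer -Credential $credential -UseSSL

    $result = Invoke-Command -Session $session -ArgumentList $shareCred, $sharePath -ScriptBlock {
        param([pscredential]$cred, [string]$path)

        # Map the share with the explicit domain credential inside the remote session.
        # This is a direct authentication from B to C, not a forwarded token, so the
        # second-hop restriction does not apply. If this fails, the exception from
        # New-PSDrive (not from New-PSSession) is the one worth posting.
        $null = New-PSDrive -Name Share -PSProvider FileSystem -Root $path -Credential $cred -ErrorAction Stop
        try {
            Get-ChildItem -Path 'Share:\' | Select-Object Name, Length, LastWriteTime
        }
        finally {
            Remove-PSDrive -Name Share -Force
        }
    }

    $result
    Remove-PSSession -Session $session
    ```

    The same pattern works for writing reports back to the share: replace the Get-ChildItem call with Copy-Item onto the mapped drive. Because Server B is not domain-joined, it still has to be able to resolve contoso.com and reach the DFS namespace server over SMB; a name-resolution or firewall failure at that layer looks similar to an authentication failure from inside the session, so check that path from Server B first. The domain credential is protected in transit by the WinRM session encryption, but while the session runs it is present on Server B, where any local administrator can recover it; that is the trade-off for avoiding delegation, and the reason the account should have only the share permissions the tests need.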