Getting around the double hop authentication issue using credssp

  • Question

  • Hi,

    I have a simple PS script, which runs on ServerA, connects to server B and then tries to copy a file from a share which is on another server onto server B.

    It's hitting permission issues and I know it's to do with the double hop issue. There is loads of info on this forum, however in the post I found the links are now dead. I just need an explanation or a link where I can read exactly what needs to be done to make this work.

    When I log in to Server B and do a "Run As" using the same account that my script runs as on ServerA, the copy works well, so I am convinced it's to do with the delegation/double hop issue.

    Thanks.

    Tuesday, July 23, 2019 11:24 PM

All replies

  • You will have to configure CredSSP to bypass the double-hop restriction. This restriction is a security measure.

    help credssp


    \_(ツ)_/

    Wednesday, July 24, 2019 12:18 AM
  • Hi,

    Thanks for your question.

    Please refer to the link below:

    https://blogs.technet.microsoft.com/ashleymcglone/2016/08/30/powershell-remoting-kerberos-double-hop-solved-securely/

    You can try some different solutions to solve the double hop problem. CredSSP is not totally secure.

    Resource-Based Kerberos Constrained Delegation may be a better solution.

    Best regards,

    Lee


    Just do it.

    Wednesday, July 24, 2019 2:32 AM
  • CredSSP is as secure as you wish to make it. It is also much easier to implement.

    To be secure it is always best to use correct delegation of rights and permissions. That would be first choice. Constrained endpoints are good for persistent management access to resources, however it takes some learning to set up correctly.

    For file copies none of this is necessary, but it will require copying twice. This is fine for smaller files.

    The key is to define your needs and then choose the method.


    \_(ツ)_/

    Wednesday, July 24, 2019 2:45 AM
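
The three approaches named in the replies above, laid out for the ServerA -> ServerB -> file server scenario from the question. This is an added example, not code from any poster in this thread. The host names, share path and local paths are placeholders, and option 2 assumes the ActiveDirectory module and a Windows Server 2012 or later domain.

```powershell
# Placeholder names (assumptions, not from the thread); adjust to your environment.
$MiddleHop  = 'ServerB.corp.example'            # host the script remotes into
$FileServer = 'FileServer'                      # AD computer account hosting the share
$Source     = '\\FileServer\Share\file.txt'
$Dest       = 'C:\Temp\file.txt'                # folder must already exist on ServerB
$Cred       = Get-Credential                    # account the script runs as

# == Option 1: CredSSP, limited to one delegate computer ==
# On ServerA (elevated): permit delegation to ServerB only, never a wildcard.
Enable-WSManCredSSP -Role Client -DelegateComputer $MiddleHop -Force
# On ServerB (elevated, run locally): accept delegated credentials.
#   Enable-WSManCredSSP -Role Server -Force
# From ServerA: ServerB receives the full credential and can reach the share.
Invoke-Command -ComputerName $MiddleHop -Authentication Credssp -Credential $Cred -ScriptBlock {
    Copy-Item -Path $using:Source -Destination $using:Dest
}
Get-WSManCredSSP                                # review the current setting
Disable-WSManCredSSP -Role Client               # turn it off again when done

# == Option 2: resource-based Kerberos constrained delegation ==
# Run once with rights to modify the file server's computer object.
Import-Module ActiveDirectory
$hop = Get-ADComputer -Identity 'ServerB'
Set-ADComputer -Identity $FileServer -PrincipalsAllowedToDelegateToAccount $hop
Get-ADComputer -Identity $FileServer -Properties PrincipalsAllowedToDelegateToAccount
# The KDC negative cache can delay the new setting on ServerB by up to 15 minutes.
# Plain Kerberos remoting; no credential is stored on ServerB.
Invoke-Command -ComputerName $MiddleHop -Credential $Cred -ScriptBlock {
    Copy-Item -Path $using:Source -Destination $using:Dest
}

# == Option 3: copy twice, no delegation (PowerShell 5.0 or later) ==
$Stage   = Join-Path $env:TEMP 'file.txt'
$Session = New-PSSession -ComputerName $MiddleHop
Copy-Item -Path $Source -Destination $Stage                     # share -> ServerA
Copy-Item -Path $Stage -Destination $Dest -ToSession $Session   # ServerA -> ServerB
Remove-PSSession $Session
Remove-Item $Stage
```

Each option stands alone; pick one rather than running the block top to bottom.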
  • Hi,

    Was your issue resolved?

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If not, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Lee


    Just do it.

    Wednesday, July 31, 2019 6:57 AM