Solving Double Hop Remoting with CredSSP

by Oct 19, 2016

In a previous tip we illustrated the double hop problem that can occur in remoting when your remote code tries to authenticate against a third party.

You can allow passing on your credentials when you establish a trust between client and server (which needs to be done only once and requires Administrator privileges).

On the client, run this:

Enable-WSManCredSSP -Role Client -DelegateComputer nameOfServer

And on the server, execute this:

Enable-WSManCredSSP -Role Server

When you now send PowerShell code from the client to the server and execute it, the server is authorized to pass on your credentials to third parties, so the remote code would be able to authenticate against a file server and access its shared folder:

#requires -Version 3.0

$code = 
  Get-ChildItem -Path  \\fls01\#TRAIN1\PowerShell\Class  

Invoke-Command -Authentication Credssp -ScriptBlock $code -ComputerName nameOfServer -Credential myCompany\myName

Note that when you use the CredSSP authentication, you must submit explicit credentials (using -Credential) and can no longer transparently pass your current identity via Kerberos.

Twitter This Tip! ReTweet this Tip!