Understanding and Avoiding Double-Hop

by Jan 10, 2018

When a script is executed remotely, you can run into “Access Denied” issues that often are related to the double-hop issue. Here is an example, and then we illustrate how to work around it:

$target = 'serverA'

$code = {
    # access data from another server with transparent authentication
    Get-WmiObject -Class Win32_BIOS -ComputerName serverB
}

Invoke-Command -ScriptBlock $code -ComputerName $target

The script above executes PowerShell code on ServerA. The remotely executed code then tries to contact ServerB to retrieve BIOS information. Whether this particular task makes sense is beside the point. What matters is that the remotely executed code cannot transparently log on to ServerB, even though the user who initiated the call can contact ServerB directly.

The double-hop issue occurs when your authentication is not handed over from the first remote computer to a second remote computer. Double-hopping is disabled by default on any machine that is not a domain controller.

If you want the code above to work, you need to use CredSSP for authentication (the same mechanism Remote Desktop uses). This requires a one-time setup of a trust relationship between you and the computer you directly contact (in this example ServerA):

#requires -RunAsAdministrator

$TargetServer = 'ServerA'

# configure the computer you directly connect to (server role)
Invoke-Command -ScriptBlock {
    Enable-WSManCredSSP -Role Server -Force | Out-String
} -ComputerName $TargetServer

# establish CredSSP trust from this client to the target server
Enable-WSManCredSSP -Role Client -DelegateComputer $TargetServer -Force

Once this trust exists, you can use CredSSP and circumvent the double-hop issue. Here is how you run the code remotely with CredSSP enabled:

Invoke-Command -ScriptBlock $code -ComputerName $target `
    -Authentication Credssp -Credential mydomain\myUser

When you use CredSSP, you can no longer log on transparently. Instead, you must use -Credential to specify the user account explicitly.
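Because CredSSP forwards your actual credentials to the first-hop server, a practitioner will usually want the client-side delegation limited to the one server that needs it and removed again afterwards. The following helper is an added example, not code from the original tip; it assumes the server role has already been enabled on the first hop as shown above, and the names Invoke-DoubleHop, serverA and serverB are placeholders.

```powershell
#requires -RunAsAdministrator
# Added example (not from the original tip). Invoke-DoubleHop is a hypothetical
# helper; serverA / serverB are placeholder host names.
function Invoke-DoubleHop {
    param(
        [Parameter(Mandatory)] [string]       $FirstHop,     # computer you connect to directly
        [Parameter(Mandatory)] [scriptblock]  $ScriptBlock,  # code that performs the second hop
        [Parameter(Mandatory)] [pscredential] $Credential    # CredSSP needs explicit credentials
    )

    # Record whether this client already delegates to $FirstHop, so that only the
    # delegation added by this call is removed again. Get-WSManCredSSP returns
    # descriptive text; matching the host name in that text is an assumption about
    # the output format, not a documented API.
    $before = (Get-WSManCredSSP) -join "`n"
    $alreadyDelegated = $before -match [regex]::Escape($FirstHop)

    try {
        if (-not $alreadyDelegated) {
            # Delegate to the single server that needs it, never to a wildcard such as '*'.
            Enable-WSManCredSSP -Role Client -DelegateComputer $FirstHop -Force | Out-Null
        }
        # The credential is forwarded to $FirstHop, which then authenticates to the second hop.
        Invoke-Command -ComputerName $FirstHop -ScriptBlock $ScriptBlock `
                       -Authentication Credssp -Credential $Credential
    }
    finally {
        # Disable-WSManCredSSP -Role Client clears every delegate target, not only
        # $FirstHop, which is why the pre-existing state was checked above.
        if (-not $alreadyDelegated) {
            Disable-WSManCredSSP -Role Client
        }
    }
}

# Usage with placeholder hosts and account (the prompt asks for the password):
$cred = Get-Credential -UserName 'mydomain\myUser' -Message 'Account forwarded via CredSSP'
Invoke-DoubleHop -FirstHop 'serverA' -Credential $cred -ScriptBlock {
    Get-WmiObject -Class Win32_BIOS -ComputerName serverB
}
```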
