Use CredSSP to Fight Double-Hop Networking Issues

Jul 22, 2016

PowerShell 2+

If you do PowerShell remoting, you may have run into the “double-hop” problem. It occurs when the code running on the remote machine tries to pass your identity on to a third system. Simple example: the remote code wants to access a file share and needs to authenticate again. This fails, because the remote session holds only a network-logon token for you, not credentials it could forward.

One way of passing on your authentication info is to use CredSSP, a technology that is used with Remote Desktop, too. It requires a minimal setup on both the client and the server.

On the server, you need to enable CredSSP:

Enable-WSManCredSSP -Role Server -Force

And on the client, you do the same:

Enable-WSManCredSSP -Role Client -DelegateComputer server123

Now your client and the server “server123” trust each other and can use CredSSP. The next line would execute a script block on the server, and the script block could now pass on your credentials to authenticate elsewhere:

Invoke-Command -ScriptBlock $code -ComputerName server123 -Authentication Credssp -Credential myCompany\myUser

Why is CredSSP not enabled by default? Because “double hopping” is risky business. CredSSP hands your actual credentials to the remote machine, so if the server was hijacked by someone evil, that person could now use your identity to do things on your behalf. So use this with care, and use it in safe environments only.
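The following walkthrough ties the three steps above together with the checks a cautious admin would add: it shows the second hop failing first, scopes delegation to a single host instead of a wildcard, verifies the client setting, and removes the delegation afterwards. This is an added example, not code from the original tip; the names server123, fileserver01 and the reports share are assumed placeholders, and Enable-WSManCredSSP -Role Server is assumed to have already been run on server123 itself.

```powershell
# Added example (not from the original tip). Assumed names: server123 is the
# remoting target, fileserver01 hosts the share the remote code must reach.
$Server = 'server123'
$Share  = '\\fileserver01\reports'
$Cred   = Get-Credential -Message 'Account to delegate via CredSSP'

# The remote script block performs the second hop: server123 -> fileserver01.
# param/-ArgumentList is used instead of $using: so it also works on PowerShell 2.0.
$code = { param($Path) Test-Path -Path $Path }

# 1. Reproduce the double-hop problem. With the default (Kerberos/Negotiate)
#    authentication the session on server123 has no credentials to forward,
#    so the access to the share is denied from the remote side.
Invoke-Command -ComputerName $Server -Credential $Cred `
    -ScriptBlock $code -ArgumentList $Share

# 2. Allow the client to delegate credentials to this one host only. A
#    wildcard such as '*.mycompany.com' would let any compromised host in the
#    domain request your clear-text credentials, so keep the list narrow.
Enable-WSManCredSSP -Role Client -DelegateComputer $Server -Force | Out-Null

# 3. Verify what the client is now willing to delegate to before using it.
Get-WSManCredSSP

# 4. Repeat the remote call with CredSSP. The remote host now receives your
#    credentials and the script block can authenticate to the file share.
Invoke-Command -ComputerName $Server -Credential $Cred `
    -Authentication Credssp -ScriptBlock $code -ArgumentList $Share

# 5. Delegation is a standing exposure on this client; remove it when the
#    task is finished rather than leaving it enabled permanently.
Disable-WSManCredSSP -Role Client
```

Because Enable-WSManCredSSP changes machine-wide WSMan and Group Policy settings, steps 2 and 5 need an elevated PowerShell session.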
