Click here to Skip to main content
15,879,490 members
Search within:


Articles / Programming Languages / PowerShell
 
Tip/Trick

Resolve Double-Hop Issue in PowerShell Remoting

Rate me:
Please Sign up or sign in to vote.
5.00/5 (2 votes)
26 Nov 2014CPOL2 min read 71.4K   1  
Describes how to resolve the 'Double-Hop' issue in PowerShell remoting and how to troubleshoot issues we may meet.

Introduction

What is the 'Double-Hop' issue in PowerShell remoting? Let me give an example.

Suppose there are 3 machines named as M1, M2 and M3. Tom can enter a remote PowerShell session from M1 to manage M2 using his credential. Additionally, there is a shared folder on M3 with the UNC path - \\M3\Shared. Tom can access \\M3\Shared in Windows Explorer on both M1 and M2 using the same credential. Now we have the question: Is Tom able to access \\M3\Shared in his remote PowerShell session?

The answer is NO. The root cause is that Tom's credential can be passed from M1 to M2 but cannot be passed the second time from M2 to M3. This is the 'Double-Hop' issue in Windows authentication.

Solution

I assume you have already enabled PowerShell remoting successfully. If not, please refer to this article for setup steps.

The solution includes the following steps. Let me still use M1, M2 and M3 as machine names:

Step#1: Enable CredSSP on M1 to delegate your credentials to M2.

Enable-WSManCredSSP Client –DelegateComputer M2

Step#2: Allow incoming CredSSP connections on M2.

Enable-WSManCredSSP Server

Step#3: Enter a PowerShell remote session from M1 to manage M2 using CredSSP and your credentials.

Enter-PSSession M2 -Authentication CredSSP -Credential Tom

Now you should be able to access \\M3\Shared in the remote PowerShell session.

Important Troubleshooting

When you have applied the solution and try again on M1, you may encounter the following problem.

Image 1

The following steps can fix this problem:

  1. Run gpedit.msc on M1.
  2. Expand to Local Computer Policy -> Computer Configuration -> Administrative Templates -> System -> Credentials Delegation.
  3. Double click Allow Delegating Fresh Credentials.
  4. Enable Allow Delegating Fresh Credentials.
  5. Click Show... and add wsman/M2.
  6. Click several OK to close the popup dialogs.
  7. If this still does not work, do the same to Allow Delegating Fresh Credentials with NTLM-only Server Authentication.

References

Reference links are listed below:

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


Written By
Zhuyun Dai
Architect
China China
Over 10-years experience in using Microsoft technologies.
At present, working as the architect of a clustered real-time data delivery and visualization system, responsible for the design of component architecture, product packaging and deployment, also targeting private cloud solutions for future.

Comments and Discussions

 
 
-- There are no messages in this forum --
Permalink
Advertise
Privacy
Cookies
Terms of Use
Layout: fixed | fluid

Posted 26 Nov 2014

Article Copyright 2014 by Zhuyun Dai
Everything else Copyright © CodeProject, 1999-2024

Web04 2.8:2024-04-02:1