Double hop permissions?

This topic contains 2 replies, has 3 voices, and was last updated by  Dave Wyatt 3 years, 6 months ago.

  • #13340

    René Nielsen
    Participant

    I am troubleshooting what I think is a Kerberos double-hop permissions issue. Here's the setup:

    Server1 = Windows Server 2008 R2
    Client1 = Windows 7

    The account context in use is the same account on both systems and this account is in the local Administrators group.

    On Server1 I have created a symbolic link to a folder on Client1 as follows:
    MKLink /D c:\workspace \\Client1\c$\workspace

    On Client1 I attempt a remote access to Server1 and, via the symbolic link back to the target folder as follows:
    enter-pssession Server1
    set-location c:\workspace
    get-Childitem
    This last command returns:
    "Access to the path c:\workspace is denied.
    PermissionDenied"

    Note that there is no issue executing Get-ChildItem on the target remotely linked folder while logged directly onto Server1.

    I have attempted to resolve the issue with Enable-WSManCredSSP on Client1 as the "Client" Role and on Server1 as the "Server" Role but to no avail.

    I have not as yet requested that the Active Directory record for Server1 be granted rights to delegate. Will try that next but if anyone has any suggestions other than that please let me know.

    TIA

  • #13341

    Richard Siddaway
    Moderator

    Is the account you are using a domain account or a local account?

    With CredSSP enabled, have you tried accessing the folder on server1 directly rather than through the link?
    The other obvious question to ask is: do you really need to go through client1, or can you go direct to server1?

  • #13342

    Dave Wyatt
    Moderator

    You need to add the "-Authentication Credssp" argument to Enter-PSSession. It's not enough to just enable that feature on the client and server; you also have to specify that as your connection mechanism for any remoting connections that need to use it.
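
The sequence this answer describes, as an added example that is not part of the original thread: enable both CredSSP roles, check the configuration, then connect with CredSSP named explicitly as the authentication mechanism. The host name Server1 and the path C:\workspace come from the question; limiting delegation to that single host and reverting the setting afterwards are choices made for this example.

```powershell
# Run from an elevated PowerShell prompt on Client1.
$server = 'Server1'   # host name taken from the thread

# 1. Client role: permit delegation of fresh (explicitly entered) credentials
#    to this one host only, rather than to a wildcard such as '*'.
Enable-WSManCredSSP -Role Client -DelegateComputer $server -Force | Out-Null

# 2. Server role: run this once on Server1 itself, also elevated:
#      Enable-WSManCredSSP -Role Server -Force

# 3. Show the local CredSSP configuration so the delegation target
#    can be checked before connecting.
Get-WSManCredSSP

# 4. Connect with CredSSP selected explicitly. Enabling the roles does not
#    change the default authentication mechanism of a remoting connection.
#    Credentials are passed explicitly because step 1 only allows delegation
#    of fresh credentials.
$cred = Get-Credential
Invoke-Command -ComputerName $server -Authentication Credssp -Credential $cred -ScriptBlock {
    # Second hop: Server1 follows the symbolic link back to \\Client1\c$\workspace
    # using the delegated credentials.
    Get-ChildItem -Path 'C:\workspace'
}

# Interactive equivalent of step 4:
#   Enter-PSSession -ComputerName $server -Authentication Credssp -Credential $cred

# 5. Turn the client role off again once the work is done. With CredSSP the
#    remote host receives the user's credentials, so the setting is left
#    enabled only while it is needed.
Disable-WSManCredSSP -Role Client
#    On Server1: Disable-WSManCredSSP -Role Server
```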
