I'm currently trying to figure out the best way to set up a PowerShell jump server for a server environment.
My idea is to use PowerShell Web Access.
Now my question is how best to circumvent the second hop problem.
As far as I understand, if I use PSWA to connect to the jump server (let's call it Server A), which is also hosting PSWA, I'm using PSRemoting.
Now if I want to connect to another server (Server B) for fan-out scripts etc., I need to get my credentials to Server B.
Do I understand it right that I need to enable the client side of CredSSP on the jump server (Server A) and the server side on Server B, because I'm providing my credentials to log in to Server A with the PSWA login?
Would Kerberos delegation be a better way to circumvent the second hop problem? As I understand it, I can give Server A the right to "impersonate" me and use my credentials natively to connect to Server B.
How are you configuring your jump servers?
Are you using PSWA, direct PSRemoting to the jump server, or RDP into the jump server?
Correct. You HTTP to PWA, which then opens a WS-MAN channel to whatever machine you're managing, even if it's the same machine PWA is on. Using PWA always engages the first hop.
And yes, PWA would be the client role of CredSSP, and the remote server you're managing would be the server. PWA is impersonating you, which means it's logging in as you directly.
Kerberos delegation is another option. I'm not sure if it's "better" or not, but it's probably more centrally manageable. Youtube.com/powershellorg, at the first N.A. Summit, has a video on Kerberos delegation, I think.
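The two second-hop configurations discussed in the thread, as an added example that is not from the original post or its answer. Host names (ServerA, ServerB, corp.example) are assumptions; the first block runs on the named host, the second needs the ActiveDirectory RSAT module and rights to modify the Server B computer object.

```powershell
# Added example, not from the thread. Assumed names: jump server "ServerA",
# managed server "ServerB", AD domain "corp.example".

# --- Option 1: CredSSP. Server A is the CredSSP client, Server B the server. ---
# On ServerA: allow forwarding of your credentials, but only to ServerB.
# Note the risk: ServerA receives your full credential, so anyone who
# controls ServerA holds it; keep the -DelegateComputer list as narrow as possible.
Enable-WSManCredSSP -Role Client -DelegateComputer 'ServerB.corp.example' -Force

# On ServerB: accept delegated credentials.
Enable-WSManCredSSP -Role Server -Force

# Verify the role configuration on each host.
Get-WSManCredSSP

# Second hop through ServerA: both hops must explicitly use CredSSP,
# otherwise ServerA only holds a Kerberos ticket and cannot go further.
$cred = Get-Credential
Invoke-Command -ComputerName 'ServerA' -Credential $cred -Authentication CredSSP -ScriptBlock {
    Invoke-Command -ComputerName 'ServerB' -Credential $using:cred -Authentication CredSSP -ScriptBlock { hostname }
}

# --- Option 2: resource-based Kerberos constrained delegation (the "impersonate" route). ---
# Configured once in AD, centrally: ServerB trusts ServerA to delegate to it.
# No credential object is forwarded; ServerA gets a service ticket on your behalf.
Import-Module ActiveDirectory
$serverA = Get-ADComputer -Identity 'ServerA'
Set-ADComputer -Identity 'ServerB' -PrincipalsAllowedToDelegateToAccount $serverA

# ServerA caches Kerberos tickets; purge the system (LSA, logon id 0x3e7) cache
# so the new delegation setting takes effect without a reboot.
Invoke-Command -ComputerName 'ServerA' -ScriptBlock { klist purge -li 0x3e7 }

# The second hop now works with default (Kerberos) authentication.
Invoke-Command -ComputerName 'ServerA' -ScriptBlock {
    Invoke-Command -ComputerName 'ServerB' -ScriptBlock { hostname }
}

# Audit check: which principals are allowed to delegate to ServerB?
Get-ADComputer -Identity 'ServerB' -Properties PrincipalsAllowedToDelegateToAccount |
    Select-Object -ExpandProperty PrincipalsAllowedToDelegateToAccount
```

Resource-based constrained delegation needs a Windows Server 2012 or later domain functional level; the audit query at the end is what you would review periodically to make sure only the intended jump host can delegate to each managed server.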