PowerShell Remoting Kerberos Double Hop Solved but Get-Aduser fails

This topic contains 5 replies, has 5 voices, and was last updated by Max Kozlov 5 months, 2 weeks ago.

  • #59710
    Alex Aymonier
    Participant

    So I have followed Ashley McGlone's article

    PowerShell Remoting Kerberos Double Hop Solved Securely

    I have managed to get the double hop working correctly using the following:

    $ps = Get-ADComputer "PSJump01"
    $dc = Get-ADComputer "DC01"
    $cred = Get-Credential -UserName domain\administrator

    Invoke-Command -ComputerName $ps.Name -Credential $cred -ScriptBlock {
        Test-Path \\$($using:dc.Name)\C$
        Get-Process lsass -ComputerName $($using:dc.Name)
        Get-EventLog -LogName System -Newest 3 -ComputerName $($using:dc.Name)
    }

    But if I try to use Get-ADUser from PSJump01 using the following, it errors out:

    PS C:\> Invoke-Command -ComputerName $ps.Name -Credential $cred -ScriptBlock {
        Get-ADUser test.user
    }
    Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running.
        + CategoryInfo          : ResourceUnavailable: (test.user:ADUser) [Get-ADUser], ADServerDownException
        + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADUser
        + PSComputerName        : PSJump01

    FYI, if I open a console via VMware on PSJump01, I am able to run Get-ADUser just fine. Any ideas?

  • #59782
    Monte Hazboun
    Participant

    I'm assuming that you've set up constrained delegation only between PSJump01 and DC01. By chance, do you have multiple domain controllers in your environment? It's possible that Get-ADUser may be using a different available DC by default; it doesn't always default to the primary DC. If you try using the -Server parameter and pointing specifically to DC01, do you get the same error?

    Invoke-Command -ComputerName $ps.Name -Credential $cred -ScriptBlock {
        Get-ADUser test.user -Server DC01
    }

  • #59785
    Mark Prior
    Participant

    Have you tried importing the module in your script block? Possibly it's not loaded by default.

    Invoke-Command -ComputerName $ps.Name -Credential $cred -ScriptBlock {
        Import-Module ActiveDirectory
        Get-ADUser test.user
    }

  • #59833
    Tim Gearie
    Participant

    I'm assuming that you've set up constrained delegation only between PSJump01 and DC01. By chance, do you have multiple domain controllers in your environment? It's possible that Get-ADUser may be using a different available DC by default; it doesn't always default to the primary DC. If you try using the -Server parameter and pointing specifically to DC01, do you get the same error?

    We do have multiple domain controllers, but we have set up the delegation to work with each one of those DCs. Even with the DC entered directly in the script we get the same error.

    Have you tried importing the module in your script block? Possibly it's not loaded by default.

    If we connect directly to the PSJump01 server we are able to run the Get-ADUser cmdlet; however, if we run it from a different server connecting to the PSJump01 server, we get the error Alex specified above.

    We are thinking that it might be something to do with the Kerberos delegation within DCs. Any other thoughts?

    PS. Thanks for the responses to this question.

  • #59857
    Alex Aymonier
    Participant

    So it looks like you need to explicitly pass the credentials to the remoting session, and this works. Thanks to Ashley for replying on his blog page.

    PS C:\> Invoke-Command -ComputerName $ps.Name -Credential $cred -ScriptBlock {
        Get-ADUser test.user -Credential $using:cred
    }

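    An added example, not code from the thread or from Ashley McGlone's article: it runs the failing delegated form and the working explicit-credential form of Get-ADUser inside one remote session, alongside the file-share hop that the first post showed working, so the difference can be seen from a single run. PSJump01, DC01, test.user and $cred are the thread's names; the ordering of the output fields is my own choice.

```powershell
# Added example (not from the original thread). Compares the delegated hop
# and the explicit-credential hop for Get-ADUser from the jump host.
$ps   = Get-ADComputer 'PSJump01'
$dc   = Get-ADComputer 'DC01'
$cred = Get-Credential -UserName 'domain\administrator' -Message 'Credential for the jump host'

$result = Invoke-Command -ComputerName $ps.Name -Credential $cred -ScriptBlock {
    Import-Module ActiveDirectory
    $dcName = $using:dc.Name

    $out = [ordered]@{
        RunningOn          = $env:COMPUTERNAME
        # Kerberos ticket cache of the remote session: shows which service
        # tickets the delegated logon actually holds for the second hop.
        Tickets            = (klist.exe) -join "`n"
        # Second hop to CIFS on the DC, the form the first post showed working.
        CifsHopWorks       = Test-Path "\\$dcName\C$"
        ADUserDelegated    = $null
        ADUserExplicitCred = $null
    }

    # Delegated form only: this is the call the thread shows failing with
    # ADServerDownException even though the CIFS hop above succeeds.
    try {
        $out.ADUserDelegated = (Get-ADUser 'test.user' -Server $dcName).SamAccountName
    } catch {
        $out.ADUserDelegated = "$($_.Exception.GetType().Name): $($_.Exception.Message)"
    }

    # Working form from the accepted reply: pass the credential explicitly
    # so the AD cmdlet authenticates to the DC itself instead of relying on
    # the delegated ticket.
    try {
        $out.ADUserExplicitCred = (Get-ADUser 'test.user' -Server $dcName -Credential $using:cred).SamAccountName
    } catch {
        $out.ADUserExplicitCred = "$($_.Exception.GetType().Name): $($_.Exception.Message)"
    }

    [pscustomobject]$out
}

$result | Format-List
```

    In the situation the thread describes, CifsHopWorks is True, ADUserDelegated holds the ADServerDownException text, and ADUserExplicitCred returns the account name.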
  • #59871
    Max Kozlov
    Participant

    Looks like this delegation type works only for some services 🙁
    The Active Directory module doesn't work in my tests, and SharePoint too, as stated in the article comments.
