Author Posts

December 7, 2016 at 10:27 pm

So i have followed Ashley McGlone's article

PowerShell Remoting Kerberos Double Hop Solved Securely

I have managed to get the double hop working correctly using the following

$ps = Get-ADComputer "PSJump01"
$dc = Get-ADComputer "DC01"
$cred = Get-Credential -UserName domain\administrator

Invoke-Command -ComputerName $ps.Name -Credential $cred -ScriptBlock {
Test-Path \\$($using:dc.Name)\C$
Get-Process lsass -ComputerName $($using:dc.Name)
Get-EventLog -LogName System -Newest 3 -ComputerName $($using:dc.Name)
}

But if I try to use Get-Aduser from PSJump01 using the following it errors out

PS C:\> Invoke-Command -ComputerName $ps.Name -Credential $cred -ScriptBlock {
    
    Get-ADUser test.user
}
Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running.
    + CategoryInfo          : ResourceUnavailable: (test.user:ADUser) [Get-ADUser], ADServerDownException
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADUser
    + PSComputerName        : PSJump01

FYI if I open a console via vmware on PSJump01 I am able to run Get-Aduser just fine. Any ideas?

December 8, 2016 at 2:24 pm

I'm assuming that you've set up constrained delegation only between PSJump01 and DC01. By chance, do you have multiple domain controllers in your environment? It's possible that Get-ADUser may be using a different available DC by default – it doesn't always default to the primary DC. If you try using the -server parameter and pointing specifically to DC01, do you get the same error?

Invoke-Command -ComputerName $ps.Name -Credential $cred -ScriptBlock {
    Get-ADUser test.user -server DC01
}

December 8, 2016 at 2:45 pm

have you tried importing the module in your script block ? possible its not loaded by default.


Invoke-Command -ComputerName $ps.Name -Credential $cred -ScriptBlock { 

Import-module activedirectory
    
    Get-ADUser test.user
}

December 8, 2016 at 9:11 pm

I'm assuming that you've set up constrained delegation only between PSJump01 and DC01. By chance, do you have multiple domain controllers in your environment? It's possible that Get-ADUser may be using a different available DC by default – it doesn't always default to the primary DC. If you try using the -server parameter and pointing specifically to DC01, do you get the same error?

We do have multiple domain controllers, but we have set up the delegation to work with each one of those DCs. Even with the DC entered directly in the script we get the same error.

have you tried importing the module in your script block ? possible its not loaded by default.

If we connect directly to the PSJump01 server we are able to run the cmdlet for Get-ADUser, however if we run it from a different server connecting to the PSJump01 server we get the Error Alex specified above.

We are thinking that it might be something to do with the kerberos delegation within DCs. Any other thoughts?

PS. Thanks for the responses to this question.

December 9, 2016 at 2:20 am

So it looks like you need to explicitly pass to the credentials to the remoting session and it works and this works. Thanks to Ashley for replying on his blog page.

PS C:\> Invoke-Command -ComputerName $ps.Name -Credential $cred -ScriptBlock {
    
    Get-ADUser test.user  -Credential $using:cred
}

December 9, 2016 at 8:24 am

Looks like this delegation type only for some services 🙁
Active Directory modules doesn't work on my tests. and Sharepoint too as states in the article comments