I am looking to enable PowerShell Remoting in my new company and have always previously just enabled CredSSP to resolve the Second Hop issue.
I then came across a Presentation from Lee Holmes where he addresses this with the two potential options:
–Update the permissions on the remote resource (i.e.: file server) to grant access to the machine account of the remoting host rather than the users.
–Provide explicit credentials to remote resources. For example, New-PSDrive \\FileServer\Share –Credential (…), or net use \\FileServer\Share
I thought that this was an interesting solution and would be a quick fix.
This does not seem to work, even when adding the ANONYMOUS USER to the permissions.
I then came across a method that creates a Custom PSSessionConfiguration and sets a RunAsUser and stores the password.
Does anyone have any suggestions to this topic as the CredSSP appears to create a significant security vulnerability.
I have scoured Google, but am flooded with the basics.
Would love to hear some creative ideas!
When you're crossing domain boundaries, there aren't any great options – custom PSSessionConfigurations probably being the best of the lot. You can also look into configuring Kerberos delegation in AD – but obviously, only within a domain, and it's a domain-wide thing, so it's not super-granular.
i struggled with this for a long time a couple of years ago also, and as you say most of what is around is basics & points you back in the direction. So far i have just continued to use CredSSP, can you post a link to the custom PSSession stuf you found, would mind a read
Appreciate your input on this!
We are not actually crossing domain boundaries – this is purely PS remoting to domain joined PCs and Servers all in one domain.
Regarding the Kerberos Delegation, am I correct in thinking that this would have to be done domain wide to allow all PCs and Servers to delegate my credentials?
@mark, see below for the link to the article I used.
Register-PSSessionConfiguration -Name Remoting -RunAsCredential domain\remotinguser
This then prompts for a password, which is then stored as a secure string.
I just feel like this might be better than passing the Hash of my own account that has local admin permissions to servers and workstation, plus other permissions.
Then to use it, run the following:
Enter-PSSession -ComputerName DC -ConfigurationName Remoting
Or am I just over complicating this and should trust CredSSP with the Trusted hosts setting of *.domain.local ?
I also ran into the double hop problem when setting up PowerShell Web Access. I ended up using the same solution as you did, with making a separate config for our admins to use RunAsCredential with. The only annoying thing with this is that they need to update the PSSessionConfiguration every time they change their password.
Do you have the Windows Remote Management Framework on your servers? I am able to do an enter-pssession to other servers without entering a config name or credential while logged in with domain account. You may just need to setup your main admin server as a TrustedHost
Try this for solving the double hop issue securely:
Thank you very much for the notice Ashley!
You must be logged in to reply to this topic.