Remoting cross domain

This topic contains 3 replies, has 3 voices, and was last updated by Emil Tanev 2 months, 1 week ago.

  • #95897

    Emil Tanev
    Participant

    Hi,

    I have a VM that is in a domain. It connects to several other VMs that are not (New-PSSession). I have added the computer names and the IP addresses to TrustedHosts. The IP addresses are dynamic however. I found that I can use the computer names but not always, probably not when the IP is different from the one in TrustedHosts.
    I can always Test-Connection and get a positive, even when remoting does not work. Why is that? Is it an option to get the IP address from Test-Connection and update TrustedHosts with it dynamically? What other alternatives might there be?
    Thanks

  • #95964

    Don Jones
    Keymaster

    Test-Connection is just a ping. Remoting uses a very robust authentication and mutual trust system, not just a ping.

    And yes, you could dynamically update TrustedHosts. It's not a stellar idea. The system you've got in place would be very easy for an attacker to exploit. What you should be doing is equipping those remote machines with HTTPS endpoints, disabling their HTTP endpoints, and using a trusted SSL certificate. Tell Remoting to -UseSSL, and then you don't need to manage TrustedHosts at all.

    • #96011

      Emil Tanev
      Participant

      No escaping the certificate. Just to make sure I got the steps right, Don.
      1. Create individual certificates for each VM
      2. Import each certificate on the (local or VM) machine that wants to connect to these VMs.
      3. Enable the https endpoint on all machines that need to connect (local and VM)

      The double hop links were informative, thanks postanote.
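Don's advice above (HTTPS listener, HTTP listener removed, trusted certificate, -UseSSL) and Emil's three-step recap, put into a script. This is an added example, not code from the thread; it assumes a server-authentication certificate for the VM's DNS name, issued by a CA the connecting machine already trusts, is present in Cert:\LocalMachine\My on the VM, and the names $VmName, $VmLocalUser and the CA file path are placeholders.

```powershell
# Added example: WinRM over HTTPS on a workgroup VM, then a -UseSSL session from
# the domain-joined VM, so TrustedHosts never has to be touched.
# Assumption: the VM already holds a CA-issued server-auth certificate whose
# DNS name matches $VmName (placeholder values throughout).

# ---- On each remote VM (run elevated) ----
$VmName = 'vm01.example.lab'   # placeholder; must match the certificate's DNS name

# Pick the newest server-authentication certificate issued for this host name
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.DnsNameList.Unicode -contains $VmName -and
                   $_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No server-auth certificate for $VmName in LocalMachine\My" }

# Create the HTTPS listener (TCP 5986) bound to that certificate
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -CertificateThumbprint $cert.Thumbprint -Force | Out-Null

# Remove the HTTP listener so only the encrypted endpoint is offered
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTP' } |
    Remove-Item -Recurse -Force

# Let 5986 through the host firewall (WinRM's default rules only cover 5985)
New-NetFirewallRule -DisplayName 'WinRM over HTTPS' -Direction Inbound `
    -Protocol TCP -LocalPort 5986 -Action Allow | Out-Null

# ---- On the domain-joined VM that initiates the connection ----
# Emil's step 2: trust the issuing CA, only needed if it is not already trusted.
# Import-Certificate -FilePath 'C:\pki\lab-ca.cer' -CertStoreLocation Cert:\LocalMachine\Root

$VmLocalUser = 'vm01\admin'    # placeholder local account on the workgroup VM
$cred    = Get-Credential -UserName $VmLocalUser -Message 'Local account on the VM'
$session = New-PSSession -ComputerName $VmName -UseSSL -Credential $cred

# Check from inside the session that only the HTTPS listener remains
Invoke-Command -Session $session -ScriptBlock {
    Get-ChildItem WSMan:\localhost\Listener | Select-Object -ExpandProperty Keys
}
Remove-PSSession $session
```

The value passed to -ComputerName must resolve (DNS or a hosts entry) and match the certificate's subject; a changing IP is then handled by name resolution rather than by TrustedHosts. Do not paper over a name or CA mismatch with -SkipCNCheck or -SkipCACheck, since that removes exactly the server authentication Don is relying on.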

  • #95975

    postanote
    Participant

    This is not a PoSH-specific issue, it is a Windows Security boundary.

    See these articles.

    PowerShell Remoting and the “Double-Hop” Problem
    'blogs.msdn.microsoft.com/clustering/2009/06/25/powershell-remoting-and-the-double-hop-problem'

    PowerShell Remoting and Kerberos Double Hop: Old Problem – New Secure Solution
    'blogs.technet.microsoft.com/ashleymcglone/2017/04/12/powershell-remoting-and-kerberos-double-hop-old-problem-new-secure-solution'

    PowerShell Remoting Kerberos Double Hop Solved Securely
    'blogs.technet.microsoft.com/ashleymcglone/2016/08/30/powershell-remoting-kerberos-double-hop-solved-securely'
