March 14, 2018 at 12:20 pm

Hi,

I have a VM that is in a domain. It connects to several other VMs that are not (New-PSSession). I have added the computer names and the IP addresses to TrustedHosts. The IP addresses are dynamic however. I found that I can use the computer names but not always, probably not when the IP is different from the one in TrustedHosts.
I can always run Test-Connection and get a positive result, even when remoting does not work. Why is that? Is it an option to get the IP address from Test-Connection and update TrustedHosts with it dynamically? What other alternatives might there be?
Thanks

March 14, 2018 at 6:37 pm

Test-Connection is just a ping. Remoting uses a very robust authentication and mutual trust system, not just a ping.

And yes, you could dynamically update TrustedHosts. It's not a stellar idea. The system you've got in place would be very easy for an attacker to exploit. What you should be doing is equipping those remote machines with HTTPS endpoints, disabling their HTTP endpoints, and using a trusted SSL certificate. Tell Remoting to -UseSSL, and then you don't need to manage TrustedHosts at all.

March 14, 2018 at 7:27 pm

This is not a PoSH-specific issue, it is a Windows security boundary.

See these articles.

PowerShell Remoting and the "Double-Hop" Problem
blogs.msdn.microsoft.com/clustering/2009/06/25/powershell-remoting-and-the-double-hop-problem

PowerShell Remoting and Kerberos Double Hop: Old Problem - New Secure Solution
blogs.technet.microsoft.com/ashleymcglone/2017/04/12/powershell-remoting-and-kerberos-double-hop-old-problem-new-secure-solution

PowerShell Remoting Kerberos Double Hop Solved Securely
blogs.technet.microsoft.com/ashleymcglone/2016/08/30/powershell-remoting-kerberos-double-hop-solved-securely

March 15, 2018 at 12:10 pm

No escaping the certificate. Just to make sure I got the steps right, Don.
1. Create individual certificates for each VM
2. Import each certificate on the (local or VM) machine that wants to connect to these VMs.
3. Enable the https endpoint on all machines that need to connect (local and VM)

The double hop links were informative, thanks postanote.
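The HTTPS-listener setup Don recommends and the steps summarised above, written out as an added example (not code from anyone in this thread). It assumes each workgroup VM already holds a server certificate in Cert:\LocalMachine\My whose subject CN matches the name clients will use (the hostname 'vm01.example.local' is a placeholder), issued by a CA whose root certificate the domain-joined client trusts; both halves need an elevated prompt.

```powershell
# ---- On each workgroup VM (run elevated) ----
$Fqdn = 'vm01.example.local'   # placeholder: the name clients will connect to

# Pick the newest server certificate whose CN matches that name.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Fqdn" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No server certificate for CN=$Fqdn in LocalMachine\My" }

# Create the HTTPS listener (TCP 5986) bound to that certificate.
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -CertificateThumbprint $cert.Thumbprint -Force | Out-Null

# Remove the HTTP listener so the plaintext endpoint is no longer offered.
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTP' } |
    Remove-Item -Recurse -Force

# Allow only the HTTPS port through the host firewall.
New-NetFirewallRule -DisplayName 'WinRM over HTTPS' -Direction Inbound `
    -Protocol TCP -LocalPort 5986 -Action Allow | Out-Null

# ---- On the domain-joined client ----
# The issuing CA's root must be in Cert:\LocalMachine\Root. No TrustedHosts
# entry is needed; connect by the name in the certificate, never by IP,
# since the IP changes and would not match the CN anyway.
$cred = Get-Credential -Message 'Local account on the workgroup VM'

# Test-WSMan exercises the WinRM endpoint itself, unlike Test-Connection,
# which only proves ICMP reaches the host.
Test-WSMan -ComputerName $Fqdn -UseSSL -Authentication Default -Credential $cred

$s = New-PSSession -ComputerName $Fqdn -UseSSL -Credential $cred
Invoke-Command -Session $s -ScriptBlock { hostname }
Remove-PSSession $s
```

If the certificate was issued by an internal CA, import that CA's root into the client's LocalMachine\Root store once; no per-VM certificate needs to be imported on the client.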