Specific Double-Hop GPO Exceptions (CredSSP)

This topic contains 2 replies, has 2 voices, and was last updated by Josh Wright 1 week, 1 day ago.

  • #68178
    Josh Wright
    Participant

    Hi All,

    We have decided to disable the use of CredSSP in our organisation due to security concerns and are therefore not able to perform any double hops. In most cases this is fine, but a scenario has now arisen where we would like to add an exception to allow specified servers/workstations to use CredSSP.

    The reason for this is that we use the SolarWinds PowerShell checker to monitor certain things. We recently tried to monitor the status of a Lync 2010 federation by using a PowerShell script. The script works great locally, but fails from SolarWinds and when run remotely.

    It turns out that the command "Test-CsFederatedPartner" needs to get some information from AD, which causes a Double-Hop and therefore fails.

    Is there any way to add an exception to a GPO that says something like "Allow solarwinds.consoto.com to use CredSSP on all machines"? Similar to a trusted site etc.

    I am probably asking for too much, but would really appreciate any exceptions!

  • #68256
    Monte Hazboun
    Participant

    Is there a specific reason that you can't use Kerberos constrained delegation? I'm not aware of any way to generate an exception list for CredSSP.
