Specific Double-Hop GPO Exceptions (CredSSP)

    • #68178

      Hi All,

      We have decided to disable the use of CredSSP in our organisation due to security concerns and are therefore not able to perform any double hops. In most cases this is fine, but a scenario has now arisen where we would like to add an exception to allow specified servers/workstations to use CredSSP.

      The reason for this is that we use the SolarWinds PowerShell checker to monitor certain things. We recently tried to monitor the status of a Lync 2010 federation by using a PowerShell script. The script works great locally, but fails from SolarWinds and when run remotely.

      It turns out that the command “Test-CsFederatedPartner” needs to get some information from AD, which causes a Double-Hop and therefore fails.

      Is there any way to add an exception to a GPO that says something like “Allow solarwinds.consoto.com to use CredSSP on all machines”? Similar to a trusted site etc.

      I am probably asking for too much, but would really appreciate any exceptions!

    • #68256

      Is there a specific reason that you can’t use Kerberos constrained delegation? I’m not aware of any way to generate an exception list for CredSSP.
