vNext Work Around for Second Hop Issue on NonDomain Machines


    • #185039
      Participant

      I've asked the Microsoft Developer Community this question but I haven't had much success.

I am trying to create some automation tests with a vNext Build Definition in which the build agent opens a remote PowerShell session into a non-domain virtual machine (the test machine) and runs a batch file that can take several arguments. This batch file may read (installer files) from or write (reports) to a network share that is on the domain. The issue that I am coming across is the second hop issue. Here is an article about it: https://blogs.technet.microsoft.com/ashleymcglone/2016/08/30/powershell-remoting-kerberos-double-hop-solved-securely/

In my instance, the PowerShell remote session is not able to pass the credentials we authenticated with previously to the test machine so that it can access the network share's resources. We have tried using CredSSP authentication on both the agent and the test machine to enable access, but that has failed. Net Use and other commands which call domain resources have also failed. We've even tried modifying the custom "PowerShell on Target Machines" task and did not have much luck with it.

From what we have discovered, there is no way to access the domain network shares with a remote PowerShell session in the following topology: Server A (which is in the domain or a workgroup) ⇒ remote PSSession + CredSSP into Server B (which is non-domain), using a local admin account on Server B ⇒ calls the network shares with Net Use using some domain account.

It seems that the second hop only works for domain-joined machines (we have been testing it using CredSSP as well).

      Let us know if there is a solution or workaround that we can implement.

Their response was: "If you can make sure the method is correct and the issue is caused by DevOps, we will be happy to help you with your issues about DevOps. Here are some documents that might be helpful: https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/ps-remoting-second-hop?view=powershell-6"

      I've looked at this documentation before and I haven't had much success, does anyone else have any suggestions?
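The Microsoft document linked in the post lists "pass credentials inside an Invoke-Command script block" as one of the second-hop options, and it is the one that still applies when the middle machine is not domain-joined: Kerberos constrained or resource-based delegation needs a computer account in the domain, and CredSSP can only delegate the credential the session was opened with (here, a local admin on Server B), which the domain file server cannot validate. The script below is an added example written for this thread, not code from the original poster, the moderator or Microsoft. It assumes placeholder names (`ServerB`, `\\fileserver.contoso.local\builds`, `C:\tests\run-tests.bat`) and that WinRM on Server B accepts the local admin account; it hands a separate domain credential into the session and authenticates to the share explicitly with `New-PSDrive`, so the second hop never relies on delegation.

```powershell
# Added example for the thread above; placeholders, not a real environment.
$testMachine = 'ServerB'                                # non-domain test VM (placeholder)
$sharePath   = '\\fileserver.contoso.local\builds'      # domain share (placeholder UNC path)
$batchFile   = 'C:\tests\run-tests.bat'                 # batch file already on Server B (placeholder)
$batchArgs   = @('-suite', 'smoke', '-timeout', '600')  # constructed sample arguments

$localAdmin = Get-Credential -Message 'Local admin on ServerB (first hop)'
$shareCred  = Get-Credential -Message 'Domain account with rights on the share (second hop)'

# Server B is not domain-joined, so the WinRM client will refuse to connect to it unless it is in
# TrustedHosts (or an HTTPS listener with a certificate the agent trusts is used instead).
$trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
if (($trusted -split ',') -notcontains $testMachine) {
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $testMachine -Concatenate -Force
}

$session = New-PSSession -ComputerName $testMachine -Credential $localAdmin

try {
    $result = Invoke-Command -Session $session -ArgumentList $sharePath, $shareCred, $batchFile, $batchArgs -ScriptBlock {
        param($UncPath, $DomainCred, $Batch, $BatchArgs)

        # Second hop: the session only carries the local admin token, which the domain file server
        # cannot validate. Authenticate to the share explicitly with the domain account instead of
        # expecting delegated credentials to appear. The PSCredential arrives intact over remoting;
        # New-PSDrive uses it for the SMB connection, so 'net use' is not needed.
        $drive = New-PSDrive -Name T -PSProvider FileSystem -Root $UncPath -Credential $DomainCred -ErrorAction Stop
        try {
            # Pull the installer from the share, then run the local batch file with its arguments.
            Copy-Item -Path 'T:\installer\setup.exe' -Destination "$env:TEMP\setup.exe" -Force
            $output = & $Batch $BatchArgs 2>&1
            $exit   = $LASTEXITCODE

            # Write the report back through the same authenticated mapping.
            $report = "T:\reports\$env:COMPUTERNAME-$(Get-Date -Format 'yyyyMMdd-HHmmss').log"
            $output | Set-Content -Path $report

            [pscustomobject]@{ Machine = $env:COMPUTERNAME; ExitCode = $exit; Report = $report }
        }
        finally {
            # Drop the mapping so the domain credential does not linger on the test VM.
            Remove-PSDrive -Name $drive.Name -Force
        }
    }
}
finally {
    Remove-PSSession $session
}

$result
if ($result.ExitCode -ne 0) { throw "Tests on $($result.Machine) failed with exit code $($result.ExitCode)" }
```

Two caveats when using this in a pipeline: the domain credential is handed to the test VM, so it should be a dedicated account with rights only on that share (not the build agent's identity), and the first hop should run over a WinRM HTTPS listener rather than a TrustedHosts/HTTP entry so that host authentication does not rest on name resolution alone.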

    • #185078
      Senior Moderator

You might want to check psexec; you can try using psexec.exe directly from Server A, targeting Server B, to execute the script/command.

or

Use psexec via Invoke-Command to connect to the share (Invoke-Command from Server A to B, and from B execute code that accesses the share using psexec).
