- This topic has 1 reply, 2 voices, and was last updated 8 months, 3 weeks ago by
October 26, 2019 at 6:01 am #185039ParticipantTopics: 1Replies: 0Points: 20Rank: Member
I’ve asked the Microsoft Developer Community this question but I haven’t had much success.
I am trying to create some automation tests with a vNext Build Definition in which the build agent RemotePSSession into a non-domain virtual machine (the test machine) and runs a batch file that can take several arguments. This batch file may read (installer files) or write (reports) to a network share that is on the domain. The issue that I am coming across is the second hop issue. Here is an article about it: https://blogs.technet.microsoft.com/ashleymcglone/2016/08/30/powershell-remoting-kerberos-double-hop-solved-securely/
In my instance, the PowerShell Remote Session is not able to pass the credentials we have authenticated previously in the test machine to access the network share’s resources. We have tried using CredSSP authentication on both the agent and the test machine to enable access but that has failed. The Net Use and other commands which call domain resources have also failed. We’ve even tried modifying the custom task PowerShell on Target Machines task and did not have much luck with it.
From what we have discovered is that there is no way to access the domain network shares with RemotePSSession with the following topology: Server A (which is in the domain or workgroup) ⇒ RemotePSSession + CredSSP into Server B (which is non-domain), using a local admin Server B account ⇒ Calls the network shares, with Net Use using some domain account.
It seems that the second hop only works for domain-joined machines (we have been testing it CredSSP using as well).
Let us know if there is a solution or workaround that we can implement.
Their response was >> If you can make sure the method is correct and the issue is caused by DevOps, we will be happy to help you with your issues about DevOps. Here are some documents might be helpful: https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/ps-remoting-second-hop?view=powershell-6.
I’ve looked at this documentation before and I haven’t had much success, does anyone else have any suggestions?
October 26, 2019 at 6:12 am #185078Senior ModeratorTopics: 9Replies: 1244Points: 4,480Rank: Community Hero
You might wanna check psexec, you can try using psexec.exe directly from Server a targetting server B to execute script/command
use psexec via Invoke-Command to connect to share. (Invoke-Command from Server A to B and from B execute code to access share using psexec )
- The topic ‘vNext Work Around for Second Hop Issue on NonDomain Machines’ is closed to new replies.