PowerShell, Remoting, Scripting
Published on February 18, 2010
comments 36

PowerShell 2.0 remoting guide: Part 12 – Using CredSSP for multi-hop authentication

written by Ravikanth
I’ve published a free book on PowerShell 2.0 remoting. You can download it at:
Layman's guide to PowerShell 2.0 remoting 44791 downloads
In this part of the remoting series, we look at how CredSSP can be used for multi-hop authentication in PowerShell remoting. CredSSP and multi-hop support are not features of PowerShell 2.0 or PowerShell remoting, per se. Credential Security Service Provider (CredSSP) is a new security service provider that enables an application to delegate the user’s credentials from the client to the target server. Multi-hop support in Windows Remote Management uses CredSSP for authentication. Since PowerShell 2.0 remoting is built on top of WinRM, we can use CredSSP to perform multi-hop authentication.

So, what is multi-hop authentication?

Well, let us look at an example to understand what is multi-hop authentication. Imagine a group of computers as shown here and you establish a remoting session from computer A (client) to computer B (server) and then from computer B, you try to create a file in a file share on computer C.

CredSSP example CredSSP example

Now, within the remoting session to computer B, we want to execute a command — as below — to create test.txt on computer C.

Error without CredSSP Error without CredSSP

This command results in an “Access Denied” error as shown above. This command fails since the remote session tries to access the file share using the machine credentilas instead of the credentials used to invoke the remote session. We could have successfully created the text file if there was a way to pass or delegate credentials from the client so that we can authenticate to the file share. This is what is called multi-hop authentication and PowerShell remoting enables this using CredSSP.

How do we delegate credentials?

The cmdlets to create a remoting session — Invoke-Command, Enter-PSSession and New-PSSession — have a parameter to specify the authentication method as CredSSP. However, before we use this parameter, we need to enable credSSP on the computers participating in multi-hop authentication. Also, when enabling CredSSP, we need to specify the role — client or server — of a computer. A client is the computer from which the remoting session is initiated and server is the computer from which the multi-hop authentication is triggered. So, from the above example, we need to enable  CredSSP authentication on computer A and computer B.

PowerShell 2.0 has Enable-WSManCredSSP, Disable-WSManCredSSP and Get-WSMANCredSSP cmdlets to manage CredSSP authentication

Let us now look at how we enable WSManCredSSP and specify client / server roles. First, let us enable CredSSP on computer A.

Note: You need to run these cmdlets in an elevated prompt.


As shown here, you can use Enable-WSManCredSSP cmdlet to enable CredSSP authentication and specify the computer role as client. When the computer role is defined as a client, you can also specify the DelegateComputer parameter to specify the server or servers that receive the delegated credentials from the client. The delegateComputer accepts wildcards as shown above. You can also specify “*” to specify all computers in the network.

When Enable-WSManCredSSP cmdlet is used to enable CredSSP on the client by specifying client in the role parameter. The cmdlet then performs the following:

  • The WS-Management setting <localhost|computername>\Client\Auth\CredSSP is set to true.
  • Sets the Windows CredSSP policy AllowFreshCredentials to WSMan/Delegate on the client.

Now, we will enable CredSSP on computer B and deginate that as server.

The above cmdlet enables CredSSP on computer B and sets the WS-Management setting <localhost|computername>\Service\Auth\CredSSP is to true. Now, we can use Invoke-Command to run the script block as shown at the beginning of this post. However, we will specify the authentication method as CredSSP and pass the credentials.

CredSSP Authentication CredSSP Authentication

As you see here,  we see the output from Create() method which shows the details of the newly created file.

Caution: CredSSP authentication delegates the user’s credentials from the local computer to a remote computer. This practice increases the security risk of the remote operation. If the remote computer is compromised, when credentials are passed to it, the credentials can be used to control the network session.

You can use Disable-WSManCredSSP to disable CredSSP authentication on a client or a server computer.

You can use Get-WSManCredSSP cmdlet to verify if a computer has CredSSP enabled and also the role (client/server).

This is it for now. We will look at few more aspects of PowerShell remoting in the next part of this series. Stay tuned..!

Filed under: PowerShell, Remoting, Scripting
Tagged with: ,

by

Ravikanth is a principal engineer and the lead architect for Microsoft and VMware virtualized and hybrid cloud solutions within the Infrastructure Solutions Group at Dell EMC. He is a multi-year recipient of Microsoft Most Valuable Professional (MVP) award in Windows PowerShell (CDM) and Microsoft Azure. Ravikanth is the author of Windows PowerShell Desired State Configuration Revealed (Apress) and leads Bangalore PowerShell and Bangalore IT Pro user groups. He can be seen speaking regularly at local user group events and conferences in India and abroad.

  • Pingback: Convert DCs to RODCs in bulk using PowerShell (Part 2 of 3) « jfrmilner's Tech Blog()

  • Thanks again for this post it certainly helped me understand the concept of using CredSSP. I have posted a blog about using CredSSP to DCPROMO a bunch of servers in bulk using PowerShell Remoting please take a look http://wp.me/pFqJZ-1Y
    Regards, jfrmilner

  • Glad this post was helpful and thanks for sharing your blog content

  • Pingback: Test-WSManCredSSP: Check if a remote computer has WSMan CredSSP enabled()

  • Karl Prosser

    Nice

  • Thanks Karl

  • Pingback: Powershell Remoting Part 3: CredSSP « I Think In Code()

  • Keith

    Excellent! I am very new to Powershell (and programming in general) and I ran into this exact scenario today. Clear, concise, and well written. This has solved my problem. Thank you.

  • Thanks! Glad you liked this article.

  • Kalyan

    excellent work! although I have small question from the caution you have given above for “Caution: CredSSP authentication delegates the user’s credentials from the local computer to a remote computer. This practice increases the security risk of the remote operation. If the remote computer is compromised, when credentials are passed to it, the credentials can be used to control the network session.”……is there a safer alternative to this?

  • Boriskey

    awesome articles and book, Ravikanth! you saved me many hours of work. I think this post will compliment your article for people who wants to reuse passwords in automated process http://blogs.technet.com/b/robcost/archive/2008/05/01/powershell-tip-storing-and-using-password-credentials.aspx

  • Thanks for sharing. Agree with you on the technet link. But, you have to be careful using that method. If someone gets hold of the file, they can use decryption to retrieve the password.

  • I don’t think there is. This is not a PowerShell issue though. This is how WinRM works or for that matter any remoting scenario.

  • Pingback: PowerShell : How to overcome double-hop problem in PowerShell remoting | Ideas For Free()

  • Pingback: PowerShell : How to overcome double-hop problem in PowerShell remoting | Ideas For Free()

  • Great article. Do you know if there is a way to bypass the confirmation prompt for automation purposes?

  • For most of the Enable-* cmdlets, PowerShell provides a -Force Switch. This is meant for silent action.

  • Pingback: Configure SharePoint Servers from your Win7 Desktop with PowerShell Remoting « Jimblog()

  • Hi Ravi,

    I am using poweshell automation for executing remote command on sharepoint 2010 farm with CredSSP through a .net wcf application. I am getting  following errors:

    The pipeline has been stopped.
    ApplicationPoolAccount is not found.
    Cannot bind argument to parameter ‘OwnerAlias’ because it is null.

    Do you have any clues what’s going on?

  • Not sure Gaurav. I am a complete novice in WCF and C# aspects. Picking up though! 🙂

  • Loic

    thank you for sharing, now I’m able to run a network profile on remote sessions ! cool !

  • kiquenet kiquenet

    Which permissions for execute 
    Get-WSManCredSSP command ? I get error: access denied, when I use PS remoting. My remote user is local Administrator in server.

  • kiquenet kiquenet

    which is your configuration server for powershell remoting and CredSSP ? and your source code and config files for wcf service and ps1 script files ?

  • alex

    This is actually not a trivial matter: Sets the Windows CredSSP policy AllowFreshCredentials to WSMan/Delegate on the client.

    Do you happen to have a script to enable this via command line.

  • javier

    Hello Ravi,

    I have one question.

    I use powershell remoting in order to deploy sharepoint solutions.
    When i use one machine (sharepoint + sql server) all works fine.
    When i use two machines, sharepoint machine and sql server machine, the remote commands fails, even if i only use commands like get-spsite from the powershell console of the remote machine.

    i don´t know if the things that you comment in your post is valid for sharepoint, or only for one machine that use resources from other machine like files.

    is it necessary for sharpoint when i have two machines like in my environment?

    regards

  • Javier

    I answer myself, yes, In a Sharepoint environment with 2 machines if you access via powershell remote to the front end machine and try to execute any comand like get-spsite, it´s necessary the activation of multi-hop

  • Hi Javier, you are right. You got to enable CredSSP on SharePoint WFE servers to forward the credentials to DB servers.

  • Pingback: Despliegue de aplicaciones Sharepoint 2010 desde un cliente con escenario simple y con Multi-Hop utilizando PowerShell Remoting (PSRemoting) | Javier Valero González()

  • Pingback: Granular access via PowerShell Remoting | rambling cookie monster()

  • Pingback: AutomatedLab Introduction - Part 1 - Coding from the field - Site Home - TechNet Blogs()

  • Pingback: AutomatedLab Tutorial Part 1: Introduction to AutomatedLab - Hey, Scripting Guy! Blog - Site Home - TechNet Blogs()

  • Tom Salciccia

    Ravi – this is quite helpful. You may want to discuss the GPO setting “Computer Configuration –> Administrative Templates –> System –> Credential Delegation”.

    One thing that I was wondering is if there is a way to run both the server and client commands in a script so that they do not require user interaction. Is there a way to run these silently with the “y” embedded.

    That way I can put into a GPO script and apply to all machines.

    Thanks.

  • Daniel Hart

    Help! The following “enable-wsmancredssp -role client -force -delegatecomputer *.ds.local” results in “setting cannot be enabled”. get-wsmancredssp indicates machine is configured to allow delegating fresh credentials to WSMAN/dmz-wfe02,WSMAN/dmz-wfe01. On the other server (dmz-wfe02), get-wsmancredssp indicates “not configured to allow delegating fresh credentials….configured to receive credentials.

  • Jagadish

    Hi Ravi,

    How to overcome this problem in 2003 server where we can’t enable CredSSP

  • Srinivas Kakani

    usefull info, and it works. Thanks Ravi

  • Pingback: Using RoboCopy inside of Invoke-Command -Powershell Multihop Problems – HitBits.net()