So, what is multi-hop authentication?
Well, let us look at an example to understand what multi-hop authentication is. Imagine a group of computers as shown here: you establish a remoting session from computer A (client) to computer B (server) and then, from computer B, you try to create a file in a file share on computer C.
Now, within the remoting session to computer B, we want to execute a command — as below — to create test.txt on computer C.
Invoke-Command -ComputerName Test-PC.SP2010lab.com -Credential SP2010LAB\Administrator -ScriptBlock {[System.IO.File]::Create("\\FileServer\Share\Test.txt")}
This command results in an “Access Denied” error as shown above. It fails because the remote session on computer B tries to access the file share using computer B's machine credentials instead of the credentials that were used to invoke the remote session. The text file could have been created successfully if there were a way to pass, or delegate, the credentials from the client so that the remote session can authenticate to the file share. This is what is called multi-hop authentication, and PowerShell remoting enables it using CredSSP.
How do we delegate credentials?
The cmdlets that create a remoting session — Invoke-Command, Enter-PSSession and New-PSSession — have a parameter to specify the authentication method as CredSSP. However, before we use this parameter, we need to enable CredSSP on the computers participating in multi-hop authentication. Also, when enabling CredSSP, we need to specify the role — client or server — of each computer. The client is the computer from which the remoting session is initiated, and the server is the computer from which the multi-hop authentication is triggered. So, in the above example, we need to enable CredSSP authentication on computer A (client) and computer B (server).
PowerShell 2.0 has the Enable-WSManCredSSP, Disable-WSManCredSSP and Get-WSManCredSSP cmdlets to manage CredSSP authentication.
Let us now look at how we enable WSManCredSSP and specify client / server roles. First, let us enable CredSSP on computer A.
Note: You need to run these cmdlets in an elevated prompt.
Enable-WSManCredSSP -Role Client -DelegateComputer "*.SP2010lab.com"
As shown here, you can use the Enable-WSManCredSSP cmdlet to enable CredSSP authentication and specify the computer role as client. When the computer role is defined as client, you can also use the DelegateComputer parameter to specify the server or servers that receive the delegated credentials from the client. The DelegateComputer parameter accepts wildcards, as shown above; you can also specify “*” to allow delegation to all computers in the network.
When Enable-WSManCredSSP is used to enable CredSSP on the client by specifying Client in the Role parameter, the cmdlet performs the following:
- The WS-Management setting <localhost|computername>\Client\Auth\CredSSP is set to true.
- The Windows CredSSP policy AllowFreshCredentials is set to WSMan/Delegate on the client.
Now, we will enable CredSSP on computer B and designate it as the server.
Enable-WSManCredSSP -Role Server
The above cmdlet enables CredSSP on computer B and sets the WS-Management setting <localhost|computername>\Service\Auth\CredSSP to true. Now, we can use Invoke-Command to run the script block shown at the beginning of this post. This time, however, we specify the authentication method as CredSSP and pass the credentials.
Invoke-Command -ComputerName test-pc.SP2010lab.com -Credential SP2010Lab\Administrator -Authentication CredSSP -ScriptBlock {[System.IO.File]::Create("\\FileServer\Share\Test.txt")}
As shown here, the output of the Create() method displays the details of the newly created file.
Caution: CredSSP authentication delegates the user’s credentials from the local computer to a remote computer. This practice increases the security risk of the remote operation. If the remote computer is compromised, when credentials are passed to it, the credentials can be used to control the network session.
You can use Disable-WSManCredSSP to disable CredSSP authentication on a client or a server computer.
Disable-WSManCredSSP -Role Client
Disable-WSManCredSSP -Role Server
You can use the Get-WSManCredSSP cmdlet to verify whether a computer has CredSSP enabled and which role (client/server) it has.
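Because of the risk described in the caution above, it is worth being able to audit the CredSSP state that Enable-WSManCredSSP leaves behind on a machine, beyond the summary text Get-WSManCredSSP prints. The following function is an added example, not code from the original post; it reads the two WS-Management settings mentioned above and the delegation targets recorded under the AllowFreshCredentials policy key (the registry location and the hypothetical function name are assumptions of this example, and it must run in an elevated prompt with the WinRM service available).

```powershell
# Added example: audit which CredSSP roles are enabled on this host and
# which targets it is allowed to delegate fresh credentials to.
function Get-CredSSPAudit {
    [CmdletBinding()]
    param()

    # WS-Management settings written by Enable-WSManCredSSP -Role Client / -Role Server
    $clientEnabled = (Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value -eq 'true'
    $serverEnabled = (Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value -eq 'true'

    # Delegation targets from -DelegateComputer are stored as numbered values
    # (e.g. "wsman/*.SP2010lab.com") under this policy key (assumed location).
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
    $targets = @()
    if (Test-Path $policyKey) {
        $targets = @((Get-ItemProperty -Path $policyKey).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object { $_.Value })
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        ClientEnabled      = $clientEnabled
        ServerEnabled      = $serverEnabled
        DelegateTargets    = $targets
        # A bare "wsman/*" entry means credentials may be delegated to any host,
        # which is the setting to flag first when reviewing this output.
        DelegatesToAnyHost = [bool]($targets | Where-Object { $_ -match '^wsman/\*$' })
    }
}

# Run locally, or fan out over plain WinRM to the hosts in the lab;
# the audit itself does not need CredSSP.
Get-CredSSPAudit
# Invoke-Command -ComputerName Test-PC.SP2010lab.com -ScriptBlock ${function:Get-CredSSPAudit}
```

A host that reports ClientEnabled with DelegatesToAnyHost set to True, or ServerEnabled when it no longer needs to receive delegated credentials, is a candidate for Disable-WSManCredSSP as shown above.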
This is it for now. We will look at a few more aspects of PowerShell remoting in the next part of this series. Stay tuned!