PowerShell 2.0 remoting guide: Part 12 – Using CredSSP for multi-hop authentication

I’ve published a free book on PowerShell 2.0 remoting. You can download it at:
In this part of the remoting series, we look at how CredSSP can be used for multi-hop authentication in PowerShell remoting. CredSSP and multi-hop support are not features of PowerShell 2.0 or PowerShell remoting per se. The Credential Security Support Provider (CredSSP) is a security support provider that lets an application delegate the user's credentials from the client to the target server. Multi-hop support in Windows Remote Management (WinRM) uses CredSSP for authentication, and since PowerShell 2.0 remoting is built on top of WinRM, we can use CredSSP to perform multi-hop authentication.

So, what is multi-hop authentication?

Let us look at an example to understand what multi-hop authentication is. Imagine a group of computers as shown here: you establish a remoting session from computer A (the client) to computer B (the server), and then, from computer B, you try to create a file in a file share on computer C.

[Figure: CredSSP example]

Now, from computer A, we run the command below. The script block executes inside the remoting session on computer B and tries to create Test.txt on computer C.

Invoke-Command -ComputerName Test-PC.SP2010lab.com -Credential SP2010LAB\Administrator -ScriptBlock {[System.IO.File]::Create("\\FileServer\Share\Test.txt")}

[Figure: error without CredSSP]

This command results in an "Access Denied" error, as shown above. It fails because the remoting session on computer B was created with a network logon: computer B only received proof of the user's identity, not credentials it can reuse, so when the script block reaches out to the file share on computer C there is nothing to authenticate with and the access is denied. We could have created the text file if there were a way to pass, or delegate, the credentials from the client so that computer B can authenticate to the file share on the user's behalf. This is what is called multi-hop (or double-hop) authentication, and PowerShell remoting enables it using CredSSP.

How do we delegate credentials?

The cmdlets that create a remoting session, Invoke-Command, Enter-PSSession and New-PSSession, have an -Authentication parameter that can be set to CredSSP. However, before we use this parameter, we need to enable CredSSP on the computers participating in multi-hop authentication. When enabling CredSSP we also need to specify the role of the computer, client or server: the client is the computer from which the remoting session is initiated, and the server is the computer from which the second hop is made. So, in the example above, we need to enable CredSSP authentication on computer A (client) and computer B (server). Computer C needs no change, since it only sees an ordinary authentication coming from B.

PowerShell 2.0 has the Enable-WSManCredSSP, Disable-WSManCredSSP and Get-WSManCredSSP cmdlets to manage CredSSP authentication.

Let us now look at how we enable WSManCredSSP and specify client / server roles. First, let us enable CredSSP on computer A.

Note: You need to run these cmdlets in an elevated prompt.

Enable-WSManCredSSP -Role Client -DelegateComputer "*.SP2010lab.com"

As shown here, Enable-WSManCredSSP enables CredSSP authentication with the computer's role set to client. For the client role you also specify the DelegateComputer parameter, which names the server or servers allowed to receive the delegated credentials. DelegateComputer accepts wildcards, as above. You can also specify "*", which allows delegation to every computer on the network; avoid that, because any host you can be persuaded to open a CredSSP session to would then receive your credentials. Keep the list as narrow as the task allows.

When Enable-WSManCredSSP is run with Client as the role, the cmdlet performs the following:

  • The WS-Management setting <localhost|computername>\Client\Auth\CredSSP is set to true.
  • The Windows CredSSP policy AllowFreshCredentials on the client (under HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation) receives the entry WSMAN/<DelegateComputer>, for example WSMAN/*.SP2010lab.com.

Now, we will enable CredSSP on computer B and designate it as the server.

Enable-WSManCredSSP -Role Server

The above cmdlet enables CredSSP on computer B and sets the WS-Management setting <localhost|computername>\Service\Auth\CredSSP to true. Now we can use Invoke-Command to run the script block shown at the beginning of this post; this time we specify CredSSP as the authentication method and pass the credentials explicitly, which CredSSP requires, since the cmdlet cannot delegate a credential it was never given.

Invoke-Command -ComputerName test-pc.SP2010lab.com -Credential SP2010Lab\Administrator -Authentication CredSSP -ScriptBlock {[System.IO.File]::Create("\\FileServer\Share\Test.txt")}
[Figure: CredSSP authentication]

As you see here, the output is the FileStream object returned by the Create() method, which shows the details of the newly created file. In real scripts, close that stream so the handle on the file server is released.
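The whole procedure above, collected into one script, as an added example that is not code from the original post. It assumes the names used in this post (the client is the machine the script runs on, the server is test-pc.SP2010lab.com, the share is \\FileServer\Share) and that the *-WSManCredSSP cmdlets accept -Force, which PowerShell 3.0 and later provide; on PowerShell 2.0, answer the confirmation prompt instead. It first shows the failing second hop, then the working one, and turns CredSSP off again when the job is done.

```powershell
# Added example, not code from the original post: the complete multi-hop workflow,
# from enabling both CredSSP roles to cleaning up afterwards.
# Assumed names: the client is the machine this runs on, the server is
# test-pc.SP2010lab.com, the share is \\FileServer\Share. -Force on the
# *-WSManCredSSP cmdlets is assumed (PowerShell 3.0 and later); on 2.0 answer
# the confirmation prompt instead. Run from an elevated prompt.

$Server     = 'test-pc.SP2010lab.com'
$Delegate   = '*.SP2010lab.com'             # one DNS suffix, never '*'
$TargetFile = '\\FileServer\Share\Test.txt'
$Cred       = Get-Credential 'SP2010LAB\Administrator'

# 1. Client role: this machine may send fresh credentials to hosts matching $Delegate.
Enable-WSManCredSSP -Role Client -DelegateComputer $Delegate -Force | Out-Null

# 2. Server role on computer B. A plain Kerberos/Negotiate session suffices here,
#    because changing the local WinRM configuration does not need a second hop.
Invoke-Command -ComputerName $Server -Credential $Cred -ScriptBlock {
    Enable-WSManCredSSP -Role Server -Force | Out-Null
}

# Script block for the second hop: create the file on computer C, release the
# handle, and return a few properties so the client can confirm the result.
$SecondHop = {
    param($Path)
    $stream = [System.IO.File]::Create($Path)   # Create() returns a FileStream
    $stream.Close()
    Get-Item $Path | Select-Object FullName, Length, CreationTime
}

# 3a. Without CredSSP: the session on B has no credentials to present to C.
try {
    Invoke-Command -ComputerName $Server -Credential $Cred `
        -ScriptBlock $SecondHop -ArgumentList $TargetFile -ErrorAction Stop
}
catch {
    Write-Warning "Without CredSSP: $($_.Exception.Message)"   # expect access denied
}

# 3b. With CredSSP: the user's credentials are delegated to B, which uses them against C.
Invoke-Command -ComputerName $Server -Credential $Cred -Authentication CredSSP `
    -ScriptBlock $SecondHop -ArgumentList $TargetFile

# 4. Shrink the delegation window: turn CredSSP off again as soon as the job is done.
Invoke-Command -ComputerName $Server -Credential $Cred -ScriptBlock {
    Disable-WSManCredSSP -Role Server
}
Disable-WSManCredSSP -Role Client
```

Step 2 deliberately uses an ordinary session to switch on the server role: only the file access in step 3 needs the second hop, and enabling CredSSP for the shortest possible time limits how long computer B holds reusable credentials.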

Caution: CredSSP authentication delegates the user's credentials from the local computer to a remote computer, which increases the security risk of the remote operation. Unlike Kerberos, CredSSP hands the server the credentials themselves, not a ticket, and the server holds them for the life of the session; if that server is compromised, anyone with administrative control of it can read the credentials out of memory and reuse them wherever they are valid, not just in the network session. Scope DelegateComputer as narrowly as possible, enable the server role only on hosts that need it, and disable it again when the task is complete. Where the target service supports it, Kerberos constrained delegation avoids handing over credentials at all.

You can use Disable-WSManCredSSP to disable CredSSP authentication on a client or a server computer.

Disable-WSManCredSSP -Role Client

Disable-WSManCredSSP -Role Server

You can use the Get-WSManCredSSP cmdlet to verify whether a computer has CredSSP enabled and in which role (client and/or server). Like the Enable and Disable cmdlets, it needs an elevated prompt, because it reads the WSMan configuration.
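Get-WSManCredSSP reports its findings as text. The added example below, which is not code from the original post, reads the same state directly from the WSMan: drive and from the CredentialsDelegation policy key that Enable-WSManCredSSP -Role Client writes, and goes one step further than the post by flagging delegation entries broader than one allowed DNS suffix (the "*" case warned about above). It assumes an elevated prompt, remoting access to each audited host, and the host names from this post; Get-CredSSPState and Test-CredSSPDelegationScope are helper names chosen for this example.

```powershell
# Added example, not code from the original post: audit CredSSP state on one or more
# hosts and flag delegation targets broader than one allowed DNS suffix.
# Assumed: elevated prompt (the WSMan: drive needs it), remoting access to each host,
# and the host names used below. The two function names are chosen for this example.

function Get-CredSSPState {
    # Runs on the audited host and returns one object describing its CredSSP state.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
    $targets = @()
    if (Test-Path $policyKey) {
        $key = Get-Item $policyKey
        # Each value (named 1, 2, ...) holds one entry such as WSMAN/*.SP2010lab.com
        $targets = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
    }
    New-Object PSObject -Property @{
        ComputerName    = $env:COMPUTERNAME
        ClientEnabled   = (Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value -eq 'true'
        ServerEnabled   = (Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value -eq 'true'
        DelegateTargets = $targets
    }
}

function Test-CredSSPDelegationScope {
    # Returns the delegation entries that are NOT confined to $AllowedSuffix.
    # '*' (every host) and wider suffixes such as WSMAN/*.com are flagged.
    param(
        [string[]] $DelegateTargets,
        [string]   $AllowedSuffix        # e.g. 'SP2010lab.com'
    )
    $allowed = $AllowedSuffix.ToLowerInvariant()
    foreach ($entry in $DelegateTargets) {
        # Entries are stored as WSMAN/<host pattern>; -replace is case-insensitive.
        $hostPattern = ($entry -replace '^wsman/', '').ToLowerInvariant()
        $inScope = ($hostPattern -eq $allowed) -or $hostPattern.EndsWith('.' + $allowed)
        if (-not $inScope) { $entry }
    }
}

# Constructed input for the scope check (not read from a real machine):
Test-CredSSPDelegationScope -AllowedSuffix 'SP2010lab.com' `
    -DelegateTargets 'WSMAN/*.SP2010lab.com', 'WSMAN/test-pc.SP2010lab.com', 'WSMAN/*', 'WSMAN/*.com'
# The first two entries pass; WSMAN/* and WSMAN/*.com are returned as over-broad.

# Live audit of the client (this machine) and the server used in this post.
$hosts = 'localhost', 'test-pc.SP2010lab.com'
foreach ($h in $hosts) {
    $state = if ($h -eq 'localhost') { Get-CredSSPState } else {
        Invoke-Command -ComputerName $h -ScriptBlock ${function:Get-CredSSPState}
    }
    $overBroad = @(Test-CredSSPDelegationScope -DelegateTargets $state.DelegateTargets -AllowedSuffix 'SP2010lab.com')
    '{0}: client={1} server={2} delegates to: {3}' -f $state.ComputerName, $state.ClientEnabled, $state.ServerEnabled, ($state.DelegateTargets -join ', ')
    if ($overBroad.Count -gt 0) {
        Write-Warning ('{0}: over-broad delegation -> {1}' -f $state.ComputerName, ($overBroad -join ', '))
    }
}
```

Run this after the work is finished as well as before: a host that still reports server=True, or a client that still lists delegation targets, is a sign that a Disable-WSManCredSSP step was skipped.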

This is it for now. We will look at a few more aspects of PowerShell remoting in the next part of this series. Stay tuned!

  • Pingback: Convert DCs to RODCs in bulk using PowerShell (Part 2 of 3) « jfrmilner's Tech Blog

  • http://jfrmilner.wordpress.com jfrmilner

    Thanks again for this post; it certainly helped me understand the concept of using CredSSP. I have posted a blog about using CredSSP to DCPROMO a bunch of servers in bulk using PowerShell Remoting; please take a look: http://wp.me/pFqJZ-1Y
    Regards, jfrmilner

  • http://www.ravichaganti.com ravikanthchaganti

    Glad this post was helpful and thanks for sharing your blog content

  • Pingback: Test-WSManCredSSP: Check if a remote computer has WSMan CredSSP enabled

  • Karl Prosser

    Nice

  • http://www.ravichaganti.com/blog Ravikanth

    Thanks Karl

  • Pingback: Powershell Remoting Part 3: CredSSP « I Think In Code

  • Keith

    Excellent! I am very new to Powershell (and programming in general) and I ran into this exact scenario today. Clear, concise, and well written. This has solved my problem. Thank you.

  • http://www.ravichaganti.com/blog Ravikanth

    Thanks! Glad you liked this article.

  • Kalyan

    Excellent work! Although I have a small question about the caution you have given above ("Caution: CredSSP authentication delegates the user's credentials from the local computer to a remote computer. This practice increases the security risk of the remote operation. If the remote computer is compromised, when credentials are passed to it, the credentials can be used to control the network session."): is there a safer alternative to this?

  • Boriskey

    Awesome articles and book, Ravikanth! You saved me many hours of work. I think this post will complement your article for people who want to reuse passwords in an automated process: http://blogs.technet.com/b/robcost/archive/2008/05/01/powershell-tip-storing-and-using-password-credentials.aspx

  • http://www.ravichaganti.com/blog Ravikanth

    Thanks for sharing. Agree with you on the technet link. But, you have to be careful using that method. If someone gets hold of the file, they can use decryption to retrieve the password.

  • http://www.ravichaganti.com/blog Ravikanth

    I don’t think there is. This is not a PowerShell issue though. This is how WinRM works or for that matter any remoting scenario.

  • Pingback: PowerShell : How to overcome double-hop problem in PowerShell remoting | Ideas For Free

  • https://www.google.com/accounts/o8/id?id=AItOawkiR0VjPBeG6JCelB5_ypukknsnsiP8thc Jose A. Hernandez

    Great article. Do you know if there is a way to bypass the confirmation prompt for automation purposes?

  • http://www.ravichaganti.com/blog Ravikanth

    For most of the Enable-* cmdlets, PowerShell provides a -Force Switch. This is meant for silent action.

  • Pingback: Configure SharePoint Servers from your Win7 Desktop with PowerShell Remoting « Jimblog

  • http://www.facebook.com/gnoberoi Gaurav Oberoi

    Hi Ravi,

    I am using PowerShell automation for executing remote commands on a SharePoint 2010 farm with CredSSP through a .NET WCF application. I am getting the following errors:

    The pipeline has been stopped.
    ApplicationPoolAccount is not found.
    Cannot bind argument to parameter ‘OwnerAlias’ because it is null.

    Do you have any clues what’s going on?

  • http://www.ravichaganti.com/blog Ravikanth

    Not sure Gaurav. I am a complete novice in WCF and C# aspects. Picking up though! :)

  • Loic

    Thank you for sharing; now I'm able to run a network profile on remote sessions! Cool!

  • kiquenet kiquenet

    Which permissions are needed to execute the Get-WSManCredSSP command? I get an access denied error when I use PS remoting. My remote user is a local Administrator on the server.

  • kiquenet kiquenet

    Which is your server configuration for PowerShell remoting and CredSSP? And your source code and config files for the WCF service and .ps1 script files?

  • alex

    This is actually not a trivial matter: "Sets the Windows CredSSP policy AllowFreshCredentials to WSMan/Delegate on the client."

    Do you happen to have a script to enable this via the command line?

  • javier

    Hello Ravi,

    I have one question.

    I use PowerShell remoting in order to deploy SharePoint solutions.
    When I use one machine (SharePoint + SQL Server) all works fine.
    When I use two machines, a SharePoint machine and a SQL Server machine, the remote commands fail, even if I only use commands like Get-SPSite from the PowerShell console of the remote machine.

    I don't know if the things that you comment on in your post are valid for SharePoint, or only for one machine that uses resources from another machine, like files.

    Is it necessary for SharePoint when I have two machines like in my environment?

    regards

  • Javier

    I answer myself: yes. In a SharePoint environment with 2 machines, if you access the front-end machine via PowerShell remoting and try to execute any command like Get-SPSite, it's necessary to activate multi-hop.

  • http://www.ravichaganti.com/blog Ravikanth

    Hi Javier, you are right. You got to enable CredSSP on SharePoint WFE servers to forward the credentials to DB servers.

  • Pingback: Despliegue de aplicaciones Sharepoint 2010 desde un cliente con escenario simple y con Multi-Hop utilizando PowerShell Remoting (PSRemoting) | Javier Valero González

  • Pingback: Granular access via PowerShell Remoting | rambling cookie monster

  • Pingback: AutomatedLab Introduction - Part 1 - Coding from the field - Site Home - TechNet Blogs