Issue
Sometimes, there’s a need to run WinRM into a “Jump Box” (trusted host in the domain) to run commands from that machine. What would happen if those commands are to issue executions to other machines (2nd hops)? By default this error would be raised:
# Error caused by the Kerberos "second hop" problem: the 1st hop is the invoke, the 2nd hop is the connection to the target server
ERROR: Access is denied.
+ CategoryInfo : NotSpecified: (ERROR: Access is denied.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
+ PSComputerName : localhost
NotSpecified: (:) [], RemoteException
Resolution
This prohibition is by design. Imagine a Windows domain where one could hop from one host to the next without leaving any trace; that would be very insecure. To selectively enable 2nd hops, there are a few alternatives:
1. The permanent solution is to configure Constrained Delegation on Windows Server 2012 or newer: https://www.itprotoday.com/operating-systems/windows-server
2. The Credential Security Service Provider (CredSSP) protocol
Run this command on JUMPBOX01 to delegate CredSSP to DC01
JUMPBOX01 #> Enable-WSManCredSSP -Role Client -DelegateComputer dc01.kimconnect.com -Force
Run this command on DC01 to enable the CredSSP server role
DC01 #> Enable-WSManCredSSP -Role Server -Force
Create the session from JUMPBOX01 (the zero hop) to DC01 using CredSSP authentication
# Credentials section
$username = "KIMCONNECT\" + (Read-Host -Prompt "Input the username")
$password = Read-Host -Prompt "Input the password for account $username" -AsSecureString
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $password
# Authenticate to the CredSSP server. New-PSSession is used rather than Enter-PSSession, which starts an
# interactive session and returns nothing, so that the session object can be passed to Invoke-Command below
$elevate = New-PSSession -ComputerName DC01.kimconnect.com -Credential $cred -Authentication CredSSP
This effectively elevates the session so that it is no longer subject to the constraint of being unable to run commands on 2nd-hop target machines. Hence, commands can be issued through this elevated session such as:
# Elevate PowerShell Session to collect Scheduled Tasks information from a target server
Invoke-Command -session $elevate -ScriptBlock{
$target="webserver01"
schtasks.exe /query /s $target /V /FO CSV | ConvertFrom-Csv | Where { $_.TaskName -ne "TaskName"}
}
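As an added example (not code from the original post), the following shows the permanent alternative from item 1, resource-based constrained delegation, applied to the same hosts: DC01 as the hop server and webserver01 as the 2nd-hop target, plus an audit check and the clean-up of the CredSSP settings configured above. It assumes the RSAT ActiveDirectory module is available where it runs, rights to modify the target's computer object, and Windows Server 2012 or newer on the hop server.

```powershell
# Added example, not from the original post: RBCD instead of CredSSP for the 2nd hop.
Import-Module ActiveDirectory

function Grant-SecondHop {
    param(
        [string]$Middle = 'DC01',        # first-hop server that receives the remote session
        [string]$Target = 'webserver01'  # second-hop server the session must reach
    )
    $middleAcct = Get-ADComputer -Identity $Middle
    # Only $Middle's computer account may obtain tickets to $Target on behalf of callers;
    # unlike CredSSP, the user's password is never forwarded to the hop server.
    Set-ADComputer -Identity $Target -PrincipalsAllowedToDelegateToAccount $middleAcct
    # The hop server caches Kerberos tickets; purge the SYSTEM logon session (0x3e7)
    # so the new delegation rights take effect without a reboot.
    Invoke-Command -ComputerName $Middle -ScriptBlock { klist purge -li 0x3e7 } | Out-Null
}

function Test-SecondHop {
    param([string]$Middle = 'DC01', [string]$Target = 'webserver01')
    # Plain Kerberos session (no -Authentication CredSSP); the nested access is the 2nd hop.
    Invoke-Command -ComputerName $Middle -ScriptBlock {
        param($t)
        Test-Path "\\$t\C$"   # $true only when the hop server can get a ticket for $t
    } -ArgumentList $Target
}

function Get-SecondHopTrust {
    param([string]$Target = 'webserver01')
    # Audit: which principals may delegate to $Target (should be only the intended hop server)
    (Get-ADComputer -Identity $Target -Properties PrincipalsAllowedToDelegateToAccount).PrincipalsAllowedToDelegateToAccount
}

function Revoke-CredSSP {
    # Once RBCD works, remove the CredSSP delegation configured earlier in this post
    Disable-WSManCredSSP -Role Client    # run on JUMPBOX01
    # Disable-WSManCredSSP -Role Server  # run on DC01
    Get-WSManCredSSP                      # shows the remaining CredSSP state for verification
}
```

Run Grant-SecondHop once, then Test-SecondHop should return $true from a session that used ordinary Kerberos authentication; Get-SecondHopTrust is the check to repeat periodically so that delegation to the target does not silently widen.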