Kerberos double hopping
Overview
Kerberos double hopping can be an issue with PowerShell remoting in Windows domains, especially when using remote sessions to access resources on multiple servers.
When using PowerShell remoting, a user's credentials are passed from their computer to the remote server to authenticate the remote session. However, if the user's computer is not configured to allow delegation of credentials, the Kerberos ticket used to authenticate the remote session will only be valid for the remote server, and not for any other servers that the user may access during the session.
This means that if the user attempts to access a resource on a third server during the remote session, their computer will need to request a new Kerberos ticket for that server, and this can result in a double hopping scenario if the user's computer is not configured for delegation of credentials.
Examples to bypass
Set up new PowerShell session configurations
In this example, we will work on a server named SRV01 and create a new session configuration on this machine using the Register-PSSessionConfiguration cmdlet. This command creates a new session configuration on the remote computer that, when connected to, always runs with the credentials provided.
We will need to specify the configuration to use when running our commands.
Automatically invoke the configuration name.
To invoke the configuration name automatically and avoid retyping it every time, we can use the $PSDefaultParameterValues variable.
Deleting the session configuration
To clean up you can delete the session configuration.
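The steps above as one sequence. This is an added example, not code from the original page. The configuration name DoubleHopCfg, the account CONTOSO\svc-remoting and the third server FS01 are assumptions.

```powershell
# Assumed names (not from the original page): DoubleHopCfg, CONTOSO\svc-remoting, \\FS01\Share.

# 1. On SRV01, in an elevated local session: register an endpoint that always
#    runs as the supplied account. -Force suppresses prompts and restarts WinRM.
$runAs = Get-Credential -UserName 'CONTOSO\svc-remoting' -Message 'RunAs account for the endpoint'
Register-PSSessionConfiguration -Name 'DoubleHopCfg' -RunAsCredential $runAs -Force

# Everyone permitted to connect to this endpoint acts as the RunAs account,
# so review who that is before relying on it.
Get-PSSessionConfiguration -Name 'DoubleHopCfg' | Format-List Name, RunAsUser, Permission

# 2. From the client: name the configuration explicitly on each call.
Invoke-Command -ComputerName 'SRV01' -ConfigurationName 'DoubleHopCfg' -ScriptBlock {
    # The second hop to FS01 is made as the RunAs account, not as the caller.
    Get-ChildItem -Path '\\FS01\Share'
}

# 3. Or set the configuration once as the default for this client session.
$PSDefaultParameterValues['Invoke-Command:ConfigurationName']  = 'DoubleHopCfg'
$PSDefaultParameterValues['Enter-PSSession:ConfigurationName'] = 'DoubleHopCfg'
$PSDefaultParameterValues['New-PSSession:ConfigurationName']   = 'DoubleHopCfg'

# No -ConfigurationName needed now; whoami reports the RunAs account.
Invoke-Command -ComputerName 'SRV01' -ScriptBlock { whoami }

# 4. Clean up: drop the client-side defaults, then remove the endpoint on SRV01.
'Invoke-Command', 'Enter-PSSession', 'New-PSSession' | ForEach-Object {
    $PSDefaultParameterValues.Remove("${_}:ConfigurationName")
}
Unregister-PSSessionConfiguration -Name 'DoubleHopCfg' -Force   # run on SRV01
```

Steps 1 and the final Unregister-PSSessionConfiguration call run on SRV01 itself; steps 2 and 3 run on the client.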