In a previous tip we illustrated the double hop problem that can occur in remoting when your remote code tries to authenticate against a third party.
You can allow your credentials to be passed on by establishing a trust between client and server. This needs to be done only once and requires Administrator privileges.
On the client, run this:
Enable-WSManCredSSP -Role Client -DelegateComputer nameOfServer
And on the server, execute this:
Enable-WSManCredSSP -Role Server
When you now send PowerShell code from the client to the server and execute it, the server is authorized to pass on your credentials to third parties, so the remote code would be able to authenticate against a file server and access its shared folder:
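#requires -Version 3.0
# code to run on the server; it reaches out to a third machine (the file server)
$code =
{
    Get-ChildItem -Path \\fls01\#TRAIN1\PowerShell\Class
}
# CredSSP lets the server pass on the credentials submitted here
Invoke-Command -Authentication Credssp -ScriptBlock $code -ComputerName nameOfServer -Credential myCompany\myName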
Note that when you use CredSSP authentication, you must submit explicit credentials (using -Credential) and can no longer transparently pass your current identity via Kerberos.
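Because the server is authorized to pass on your credentials for as long as CredSSP stays enabled, you may prefer to switch it on only while you need it. The following is an added example, not part of the original tip: Invoke-WithCredSSP is a hypothetical helper name, and the code assumes an elevated session and that the account is an Administrator on the server.

```powershell
#requires -Version 3.0
# Added example: enable CredSSP for one named server, run the code, then turn it off again.
function Invoke-WithCredSSP
{
    param
    (
        [Parameter(Mandatory)] [string]       $ComputerName,
        [Parameter(Mandatory)] [scriptblock]  $ScriptBlock,
        [Parameter(Mandatory)] [pscredential] $Credential
    )

    try
    {
        # Client: allow delegation to this one server only (no wildcard)
        $null = Enable-WSManCredSSP -Role Client -DelegateComputer $ComputerName -Force

        # Server: accept delegated credentials (regular remoting call, default authentication)
        Invoke-Command -ComputerName $ComputerName -Credential $Credential -ScriptBlock {
            $null = Enable-WSManCredSSP -Role Server -Force
        }

        # The actual work: the server may now pass the credentials on to third parties
        Invoke-Command -Authentication Credssp -ComputerName $ComputerName -Credential $Credential -ScriptBlock $ScriptBlock
    }
    finally
    {
        # Revoke on both sides, even if the remote code failed.
        # Client first, so it is cleaned up even when the server cannot be reached.
        Disable-WSManCredSSP -Role Client
        Invoke-Command -ComputerName $ComputerName -Credential $Credential -ScriptBlock {
            Disable-WSManCredSSP -Role Server
        }
        # Show the resulting client/server CredSSP state on the console
        Get-WSManCredSSP | Write-Host
    }
}

# Usage with the names from the tip above:
# $cred = Get-Credential -Credential myCompany\myName
# Invoke-WithCredSSP -ComputerName nameOfServer -Credential $cred -ScriptBlock { Get-ChildItem -Path \\fls01\#TRAIN1\PowerShell\Class }
```

Disable-WSManCredSSP -Role Client turns CredSSP off for the client role as a whole, so do not use this helper on a machine that relies on a permanent CredSSP configuration.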