Kerberos “Second Hop” Problem

Issue

Sometimes there is a need to use WinRM to reach a "jump box" (a trusted host in the domain) and run commands from that machine. What happens when those commands themselves have to execute against other machines (a second hop)? By default, this error is raised:

# Error caused by the Kerberos "second hop" problem: the 1st hop is the Invoke-Command, the 2nd hop is the connection from there to the target server

ERROR: Access is denied.
+ CategoryInfo : NotSpecified: (ERROR: Access is denied.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
+ PSComputerName : localhost

NotSpecified: (:) [], RemoteException

Resolution

This restriction is by design. Imagine a Windows domain where a delegated session could hop from one host to the next without leaving any trace; that would be very insecure. To selectively enable second hops, there are a few alternatives:

1. The permanent solution is to configure Kerberos constrained delegation, available on Windows Server 2012 or newer (https://www.itprotoday.com/windows-server/how-windows-server-2012-eases-pain-kerberos-constrained-delegation-part-1)
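As an added example (not from the original post), the following PowerShell configures the resource-based form of constrained delegation that Windows Server 2012 introduced, and then audits the domain for the looser delegation settings that the "hop anywhere without a trace" restriction above is meant to prevent. It assumes the RSAT ActiveDirectory module, an account allowed to edit computer objects, the post's host name JUMPBOX01, and a hypothetical second-hop target WEBSERVER01.

```powershell
# Added example, not part of the original post. Requires the RSAT ActiveDirectory module
# and an account allowed to edit computer objects. WEBSERVER01 is an assumed target name.
Import-Module ActiveDirectory

function Grant-SecondHopDelegation {
    # Allow $JumpBox to delegate (via resource-based constrained delegation) to $Target only.
    # The permission lives on the target's object, so the target's owner controls who may hop to it.
    param(
        [Parameter(Mandatory)] [string]$JumpBox,
        [Parameter(Mandatory)] [string]$Target
    )
    $jumpObj   = Get-ADComputer -Identity $JumpBox
    $targetObj = Get-ADComputer -Identity $Target

    Set-ADComputer -Identity $targetObj -PrincipalsAllowedToDelegateToAccount $jumpObj

    # The jump box's KDC ticket cache may still hold the pre-change state; purge the
    # local system logon session (LUID 0x3e7) tickets there so the new delegation takes effect.
    Invoke-Command -ComputerName $JumpBox -ScriptBlock { klist purge -li 0x3e7 }

    # Return the principals now permitted to delegate to the target, for verification.
    (Get-ADComputer -Identity $targetObj -Properties PrincipalsAllowedToDelegateToAccount).PrincipalsAllowedToDelegateToAccount
}

function Get-DelegationExposure {
    # Defender-side audit: list every delegation setting in the domain, widest first.
    # Unconstrained delegation (TrustedForDelegation) lets a host reuse any caller's TGT against
    # any service (domain controllers carry this flag by default); classic constrained delegation
    # is scoped by msDS-AllowedToDelegateTo; resource-based delegation is scoped on the target.
    $unconstrained = Get-ADComputer -Filter 'TrustedForDelegation -eq $true' |
        Select-Object @{n='Computer';e={$_.Name}}, @{n='Type';e={'Unconstrained'}}, @{n='AllowedTo';e={'*'}}

    $constrained = Get-ADComputer -Filter "msDS-AllowedToDelegateTo -like '*'" -Properties msDS-AllowedToDelegateTo |
        Select-Object @{n='Computer';e={$_.Name}}, @{n='Type';e={'Constrained'}},
                      @{n='AllowedTo';e={ @($_.'msDS-AllowedToDelegateTo') -join ', ' }}

    $rbcd = Get-ADComputer -Filter "msDS-AllowedToActOnBehalfOfOtherIdentity -like '*'" -Properties PrincipalsAllowedToDelegateToAccount |
        Select-Object @{n='Computer';e={$_.Name}}, @{n='Type';e={'Resource-based'}},
                      @{n='AllowedTo';e={ @($_.PrincipalsAllowedToDelegateToAccount) -join ', ' }}

    @($unconstrained) + @($constrained) + @($rbcd) | Sort-Object Type, Computer
}

# Usage: grant the jump box a second hop to one target, then review the domain's delegation surface.
Grant-SecondHopDelegation -JumpBox 'JUMPBOX01' -Target 'WEBSERVER01'
Get-DelegationExposure | Format-Table -AutoSize
```

The design point is that the delegation permission is written on the target's object rather than on the jump box, so granting a second hop never widens the jump box's reach beyond the one host named, which is what makes this the permanent fix rather than the CredSSP workaround.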

2. Credential Security Service Provider (CredSSP) protocol

Run this command on JUMPBOX01 to allow it to delegate credentials to DC01 (client role):

JUMPBOX01 #> Enable-WSManCredSSP -Role Client -DelegateComputer dc01.kimconnect.com -Force

Run this command on DC01 so it accepts delegated credentials (server role):

DC01 #> Enable-WSManCredSSP -Role Server -Force

Open the CredSSP session from JUMPBOX01 (this first connection is the zero hop):

# Credentials section: prompt for the account, keep the password as a SecureString
$username = "KIMCONNECT\" + (Read-Host -Prompt "Input the username")
$password = Read-Host -Prompt "Input the password for account $username" -AsSecureString
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $password

# Authenticate to the CredSSP server. New-PSSession (rather than the interactive Enter-PSSession,
# which returns nothing) gives the session object that Invoke-Command -Session needs later.
$elevate = New-PSSession -ComputerName DC01.kimconnect.com -Credential $cred -Authentication CredSSP

Because CredSSP hands the account's full credentials to DC01, commands run in this session can authenticate onward to other machines, so the second-hop constraint no longer applies. Hence, this elevated session can be used as follows:

# Use the elevated PowerShell session to collect Scheduled Tasks information from a target server
Invoke-Command -Session $elevate -ScriptBlock {
    $target = "webserver01"
    # schtasks /V /FO CSV repeats its header row; drop those rows after parsing the CSV
    schtasks.exe /query /s $target /V /FO CSV | ConvertFrom-Csv | Where-Object { $_.TaskName -ne "TaskName" }
}
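As an added example (not from the original post), here is the same CredSSP procedure wrapped so that delegation is verified before use and switched off again afterwards: while the client role is enabled, the jump box forwards the full password of any account that connects to DC01 with -Authentication CredSSP, so the window should be as short as the job. Host names are the post's; the registry path is the policy key that Enable-WSManCredSSP -Role Client writes its targets to, and the task body reuses the post's schtasks query.

```powershell
# Added example, not part of the original post. Run on JUMPBOX01 as an administrator.
# Host names come from the post; the policy key is where Enable-WSManCredSSP -Role Client
# records allowed delegation targets as 'wsman/<host>' values.
$delegateTo = 'dc01.kimconnect.com'
$target     = 'webserver01'
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'

function Get-CredSSPClientTargets {
    # Read the configured targets back from the policy key rather than parsing the
    # free-text output of Get-WSManCredSSP; value names are 1, 2, ... and values are 'wsman/<host>'.
    if (-not (Test-Path $policyKey)) { return @() }
    (Get-ItemProperty -Path $policyKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }
}

$session = $null
try {
    # 1. Enable delegation for exactly one host, then verify that is all that is listed.
    Enable-WSManCredSSP -Role Client -DelegateComputer $delegateTo -Force | Out-Null
    $extra = Get-CredSSPClientTargets | Where-Object { $_ -ne "wsman/$delegateTo" }
    if ($extra) {
        # A wildcard such as 'wsman/*' would let any host receive delegated credentials.
        Write-Warning "Additional CredSSP delegation targets present: $($extra -join ', ')"
    }

    # 2. Zero hop: open the session to DC01 with CredSSP, which hands DC01 reusable credentials.
    $cred    = Get-Credential -Message "Account to delegate to $delegateTo"
    $session = New-PSSession -ComputerName $delegateTo -Credential $cred -Authentication CredSSP

    # 3. Second hop: the post's scheduled-task query, now authenticating from DC01 to the target.
    Invoke-Command -Session $session -ScriptBlock {
        param($t)
        schtasks.exe /query /s $t /V /FO CSV | ConvertFrom-Csv |
            Where-Object { $_.TaskName -ne 'TaskName' }
    } -ArgumentList $target
}
finally {
    # 4. Cleanup: close the session and stop the jump box from delegating once the job is done.
    if ($session) { Remove-PSSession -Session $session }
    Disable-WSManCredSSP -Role Client
    if (Get-CredSSPClientTargets) { Write-Warning 'CredSSP client targets still configured' }
}
```

The try/finally matters more than the query itself: if the remote command throws, the client role is still disabled, so a failed job does not leave the jump box permanently configured to forward credentials.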
