
I've asked the Microsoft Developer Community this question but I haven't had much success.

I am trying to create some automation tests with a vNext Build Definition in which the build agent RemotePSSession into a non-domain virtual machine (the test machine) and runs a batch file that can take several arguments. This batch file may read (installer files) or write (reports) to a network share that is on the domain. The issue that I am coming across is the second hop issue. Here is an article about it: https://blogs.technet.microsoft.com/ashleymcglone/2016/08/30/powershell-remoting-kerberos-double-hop-solved-securely/

In my instance, the PowerShell Remote Session is not able to pass the credentials we have authenticated previously in the test machine to access the network share’s resources. We have tried using CredSSP authentication on both the agent and the test machine to enable access but that has failed. The Net Use and other commands which call domain resources have also failed. We’ve even tried modifying the custom task PowerShell on Target Machines task and did not have much luck with it.

What we have discovered is that there is no way to access the domain network shares with RemotePSSession with the following topology: Server A (which is in the domain or workgroup) ⇒ RemotePSSession + CredSSP into Server B (which is non-domain), using a local admin Server B account ⇒ calls the network shares, with Net Use, using some domain account.

It seems that the second hop only works for domain-joined machines (we have been testing it using CredSSP as well).

Let us know if there is a solution or workaround that we can implement.

Their response was: "If you can make sure the method is correct and the issue is caused by DevOps, we will be happy to help you with your issues about DevOps. Here are some documents that might be helpful: https://learn.microsoft.com/en-us/powershell/scripting/learn/remoting/ps-remoting-second-hop?view=powershell-6."

I've looked at this documentation before and I haven't had much success. Does anyone else have any suggestions?

Here is a code snippet:

#serverA - local machine (the build agent)
#serverB - $remoteServer (the non-domain test machine)
#serverC - DFS namespace server

$session = New-PSSession -ComputerName $remoteServer -Credential $credential -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck) -Authentication Credssp

$scriptBlock_runFile = {
    #Scenario 0 which works:
    #ipconfig

    #Scenario 1 which doesn't work:
    #& dir \\contoso.com\departments\folder

    #Scenario 2 which doesn't work:
    #& net use x: \\contoso.com\departments\folder /user:CONTOSO\user "password"
}

Invoke-Command -Session $session -ScriptBlock $scriptBlock_runFile
Randy Wong
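The second-hop documentation linked in the question lists, besides CredSSP delegation, the option of passing the domain credential into the script block and authenticating to the share explicitly from inside the remote session. This is an added example, not the asker's code or Microsoft's; server names, account names and the share path are placeholders.

```powershell
# Added example: explicit authentication to the share inside the remote session,
# instead of relying on CredSSP to delegate the caller's credentials.
# All names below are placeholders, not values from the question.
$remoteServer = 'serverB.example'                    # assumed: non-domain test VM
$localCred    = Get-Credential 'serverB\tester'      # local admin account on serverB
$shareCred    = Get-Credential 'CONTOSO\svc_build'   # domain account allowed on the share
$sharePath    = '\\contoso.com\departments\folder'   # placeholder share path

# No -Authentication Credssp: the session only needs the local serverB logon.
$session = New-PSSession -ComputerName $remoteServer -Credential $localCred `
    -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck)

$runFile = {
    param([pscredential]$ShareCredential, [string]$SharePath)

    # Map the share with the domain credential handed in as an argument. This is a
    # fresh SMB logon performed by serverB, not a delegated copy of the session token,
    # so it does not depend on second-hop delegation being allowed.
    New-PSDrive -Name X -PSProvider FileSystem -Root $SharePath `
        -Credential $ShareCredential -ErrorAction Stop | Out-Null
    try {
        # Stand-in for reading installer files / writing reports on the share.
        Get-ChildItem -Path 'X:\'
    }
    finally {
        # Always drop the mapping so the credential-backed connection is not left behind.
        Remove-PSDrive -Name X -ErrorAction SilentlyContinue
    }
}

Invoke-Command -Session $session -ScriptBlock $runFile -ArgumentList $shareCred, $sharePath
Remove-PSSession $session
```

This removes the dependency on delegation, not on connectivity: serverB must still be able to reach and authenticate to the share directly, which the asker reports failing for `net use`, so the same network and trust conditions apply. The domain credential is still handed to serverB in usable form, so that machine has to be trusted with it just as it would be under CredSSP.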
  • See if [this answer](https://stackoverflow.com/a/48692809/45375) helps. – mklement0 Oct 25 '19 at 22:45
  • Not sure about the second hop thing, but when you tried `net use`, did you make sure port 445 was open both ways? – Nick Schroeder Oct 26 '19 at 03:57
  • @mklement0, I attempted this implementation and it didn't work. – Randy Wong Nov 20 '19 at 02:14
  • Sorry to hear it, but without further information I won't be able to help. The snippet you just added to your question certainly can't be expected to solve your problem, given that it is missing the solution attempt recommended in the linked answer. – mklement0 Nov 20 '19 at 02:21

0 Answers