Reputation: 261
I’m trying to run a PowerShell script on SYSTEM1, which executes robocopy on SYSTEM2, copying files to SYSTEM3,4,5,etc.
SYSTEM1 and SYSTEM2 are on the same domain, but SYSTEM2 is not behind a firewall (hence the need to run robocopy from SYSTEM2 and not SYSTEM1).
SYSTEM3,4,5 are on different domains than SYSTEM2, as well as different domains than each other.
I set the script up like this (it uses the net use command to prompt the user for credentials for the different domains):
    Foreach($server in $servers) {
        $command = {
            param($cred, $server);
            $error.clear();
            # Stored credentials in local variables
            $user = $cred.GetNetworkCredential().username
            $pass = $cred.GetNetworkCredential().password
            # Establish connection from SYSTEM2 -> $server
            net use \\$server\c$\Deployments /delete
            net use \\$server\c$\Deployments /USER:$user $pass
            # Check to see if C:\Deployments exists on server, and if not create it.
            if ((Test-Path \\$server\c$\Deployments) -eq $FALSE) {
                $c = {
                    New-Item \\$server\c$\Deployments -type directory
                }
                $ws = Invoke-Command -ComputerName $server -Credential $cred -ScriptBlock $c
            }
            # Copy over the deployment packages
            $dest = "\\$server\Deployments\$DeploymentDate\$CurrentDirectoryName"
            robocopy $CurrentDirectoryPath $dest /W:20 /R:15 /e /XF CopyPackage.ps1
            # Delete connection from SYSTEM2 -> $server
            net use \\$server\c$\Deployments /delete
        }
        # (the part of the loop that runs $command on SYSTEM2 is not shown)
    }
However, the net use command returns an error after the credentials are entered:
    The network connection could not be found.
    + CategoryInfo : NotSpecified: (The network con...d not be found.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
    + PSComputerName : SYSTEM2
    More help is available by typing NET HELPMSG 2250.
    System error 55 has occurred.
    + CategoryInfo : NotSpecified: (System error 55 has occurred.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
    + PSComputerName : SYSTEM2
    The specified network resource or device is no longer available.
    [SYSTEM3] Connecting to remote server failed with the following error message : WinRM cannot process the request. The
    following error occured while using Kerberos authentication: There are currently no logon servers available to service
    the logon request.
    Possible causes are:
    -The user name or password specified are invalid.
    -Kerberos is used when no authentication method and no user name are specified.
    -Kerberos accepts domain user names, but not local user names.
    -The Service Principal Name (SPN) for the remote computer name and port does not exist.
    -The client and remote computers are in different domains and there is no trust between the two domains.
    After checking for the above issues, try the following:
    -Check the Event Viewer for events related to authentication.
    -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or
    use HTTPS transport.
    Note that computers in the TrustedHosts list might not be authenticated.
    -For more information about WinRM configuration, run the following command: winrm help config. For more
    information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo : OpenError: (:) [], PSRemotingTransportException
    + FullyQualifiedErrorId : PSSessionStateBroken
    + PSComputerName : SYSTEM2
    The network connection could not be found.
    + CategoryInfo : NotSpecified: (The network con...d not be found.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
    + PSComputerName : SYSTEM2
    More help is available by typing NET HELPMSG 2250.
I’ve read this could be a “double-hop” issue (as detailed here), but I’m not sure how to edit the script to use CredSSP instead of Kerberos (or if this is even the problem).
Any ideas?
Upvotes: 0
Views: 1175
Reputation: 466
Posting this solution in case someone is still having an issue with a simple resolution to DoubleHop without using CredSSP.
Try this out: https://www.powershellgallery.com/packages/Invoke-PSSession
It invokes a PSSession, then registers a PSSessionConfiguration with the credentials that you provided, basically providing the credentials for that DoubleHop.
Then use Invoke-Command with that new PSSession. It should have the required privileges to do what you need.
Upvotes: 0
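The RunAs session configuration this answer describes can also be set up with the built-in cmdlets. The following is an added example, not code from the answer or from the Invoke-PSSession package. It assumes a hypothetical endpoint name `DeployHop`, a constructed source path on SYSTEM2, and a RunAs account that both SYSTEM2 and the destination server accept.

```powershell
# --- One-time setup: run on SYSTEM2 in an elevated PowerShell console ---
# 'DeployHop' is a hypothetical endpoint name chosen for this example.
$runAs = Get-Credential -Message 'Account the DeployHop endpoint will run as'

# Allow only local Administrators (BA) to connect; the S: part keeps the default audit entries.
$sddl = 'O:NSG:BAD:P(A;;GA;;;BA)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)'

# -Force suppresses the prompts and restarts WinRM so the endpoint becomes active.
Register-PSSessionConfiguration -Name 'DeployHop' -RunAsCredential $runAs `
    -SecurityDescriptorSddl $sddl -Force

# Review which account the endpoint runs as and who is permitted to connect.
Get-PSSessionConfiguration -Name 'DeployHop' | Format-List Name, RunAsUser, Permission

# --- Deployment: run on SYSTEM1 ---
$servers = @('SYSTEM3')            # constructed sample target list
$source  = 'C:\Packages\Release1'  # hypothetical package folder on SYSTEM2

foreach ($server in $servers) {
    # Connecting to the DeployHop endpoint starts the session under the RunAs
    # account, so the hop from SYSTEM2 to $server has credentials to present.
    Invoke-Command -ComputerName 'SYSTEM2' -ConfigurationName 'DeployHop' `
        -ArgumentList $server, $source -ScriptBlock {
        param($server, $source)
        $dest = "\\$server\c`$\Deployments"
        # robocopy creates the destination folder if it does not exist.
        robocopy $source $dest /E /R:15 /W:20 /XF CopyPackage.ps1
        # robocopy exit codes of 8 or higher mean at least one copy failed.
        if ($LASTEXITCODE -ge 8) {
            throw "robocopy to $server failed with exit code $LASTEXITCODE"
        }
    }
}

# --- Cleanup: run on SYSTEM2 once the endpoint is no longer needed ---
Unregister-PSSessionConfiguration -Name 'DeployHop' -Force
```

Everyone the endpoint's ACL admits runs commands as the RunAs account, and its credential stays stored in SYSTEM2's WinRM configuration until the endpoint is unregistered.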