Double hop access to copy files without CredSSP

hello,

We have a large environment with hundreds of virtual machines. During our service deployment we need to copy some files from the build drop to all these machines.

So, we have:

  • User machine, where the deployment scripts execute
  • Build drop machine, where the files are
  • Target machine

PowerShell is used as the scripting language. Something like:

$buildDrop     = "\\sourceMachine\Build"
$machineTarget = "targetMachine"

Invoke-Command -ComputerName $machineTarget -ArgumentList $buildDrop -ScriptBlock {
     Param( $buildDrop )
     Test-Path $buildDrop # Will return False
}

This approach leads to the double-hop issue, which I'm not able to solve because the CredSSP feature is not supported on XP and 2k3 machines. And a copy invoked on the user machine leads to a performance bottleneck (the data travels through the user machine).

Is there any way to make the build drop always visible from all target machines? Maybe somehow add them to a trusted location or something like this?

Thanks in advance!

Amalle asked 6/3, 2013 at 8:22

I found a solution which works in our environment.

It is not possible to transfer credentials through a double hop without CredSSP, but you can run something on the target machine without the first hop.

The simplest way is to use psexec with the -s flag (run the remote process under the System account); the final command was something like this:

psexec \\someHost -s robocopy "\\stagingHost\Staging" "\\someHost\C$\Staging" /MIR

You can also start a PS script in the same way; just ensure that script execution is allowed on the remote machine:

psexec \\someHost -s powershell.exe -File "\\stagingHost\Staging\Script.ps1" SomeArg1 SomeArg2

Check this article to understand how psexec works. While service on someHost

Amalle answered 29/3, 2013 at 11:42
+1. Also, the same effect can be achieved by doing this work inside of a scheduled task that you create and run immediately on the target machine. – Quadrant
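As an added example (not code from the answer or the comment above), the loop below does what the comment suggests with the built-in schtasks.exe instead of psexec: it creates a one-shot task on each target that runs under SYSTEM, starts it, waits for it to finish and reads robocopy's exit code back. Because the task runs as SYSTEM, the target reaches \\stagingHost\Staging as its own computer account, so the share and NTFS ACLs must grant read access to those computer accounts (for example to Domain Computers); otherwise robocopy fails with access denied, exactly as it would with psexec -s. The host names, task name and paths are hypothetical, and the same loop works with psexec by replacing the schtasks calls with psexec \\$t -s robocopy ... .

```powershell
# Added example, not from the original answer: let each target pull from the
# staging share as SYSTEM via a one-shot scheduled task, so no user credential
# has to be delegated (no second hop) and the data never touches this machine.
# Assumptions (hypothetical): share \\stagingHost\Staging, targets web01/web02,
# and each target's computer account has Read on the share. Paths are kept
# free of spaces so /TR needs no nested quoting.
$staging  = '\\stagingHost\Staging'
$targets  = @('web01', 'web02')
$taskName = 'StagingPull'

foreach ($t in $targets) {
    # Command run on the target as SYSTEM: mirror the share to local disk.
    $cmd = "robocopy $staging C:\Staging /MIR /R:2 /W:5 /LOG:C:\Staging-pull.log"

    # Remove a stale task from an earlier run, then create the one-shot task.
    # /RU SYSTEM runs it as LocalSystem (network identity = computer account).
    # /SC ONCE needs a start time, but we trigger it ourselves with /Run.
    schtasks.exe /Delete /S $t /TN $taskName /F 2>$null | Out-Null
    schtasks.exe /Create /S $t /TN $taskName /TR $cmd /SC ONCE /ST 00:00 /RU SYSTEM | Out-Null
    schtasks.exe /Run    /S $t /TN $taskName | Out-Null

    # Poll the verbose CSV query until the Status column is no longer "Running".
    do {
        Start-Sleep -Seconds 5
        $info = schtasks.exe /Query /S $t /TN $taskName /FO CSV /V | ConvertFrom-Csv
    } while ($info.Status -eq 'Running')

    # "Last Result" is robocopy's exit code once the task has finished;
    # codes below 8 mean files were copied/skipped without failures.
    $result = [int]$info.'Last Result'
    schtasks.exe /Delete /S $t /TN $taskName /F | Out-Null

    if ($result -ge 8) {
        Write-Warning "${t}: robocopy returned $result (see C:\Staging-pull.log on $t)"
    } else {
        Write-Host "${t}: copy finished, robocopy code $result"
    }
}
```

Run this from the deployment machine as an account that is a local administrator on every target; that account is used only for the management calls to the target (the first hop), while the file data flows straight from the staging host to the target. Note the trust boundary this creates: whatever is on the share is executed as SYSTEM on every target, so anyone who can write to \\stagingHost\Staging can run code as SYSTEM on the whole fleet. Lock the share's write ACL down to the build service and audit changes to it.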

CredSSP is the solution to the double-hop problem.

Remove the user's desktop from the equation. Set up a proper build and deployment server/service/application on your build server and manage everything from there. RedGate has a new product that will probably help you greatly with this: Deployment Manager.

Karakorum answered 6/3, 2013 at 13:40
We have a very complex custom solution with hundreds of use cases, so we can't move to something else. I believe that there must be a solution. The user account token can't be translated without CredSSP. OK. But there must be another way. – Amalle
I agree. There must be a better solution. I'm trying PowerShell workflows with CredSSP and Restart-Computer stops working when using CredSSP. It is a real shame that there is no simple solution for that scenario. – Dyscrasia

If the machine you're using can get to the other machines, just copy the files using your machine:

# Push the build to each target's admin share from this machine (-Recurse for folders)
$computers | % { Copy-Item '\\servershare\build' "\\$_\c`$\Temp" -Recurse }
# Script block run remotely; $args[0] receives the value passed via -ArgumentList
$sb = { C:\Temp\Dosomething.txt $args[0] }
$computers | % { Invoke-Command -ComputerName $_ -ScriptBlock $sb -ArgumentList $arg }
Asgard answered 8/3, 2013 at 9:33
I can copy files from my machine, even without placing them in a temporary folder, but in this case the data will travel from the build drop machine to the user machine, and only then to the destination. So if the user machine is placed in another local network it will take hours, whereas a direct copy takes only five minutes. – Amalle

© 2022 - 2024 — McMap. All rights reserved.