WinRM - Second Hop without CredSSP
I would like to ask whether it is possible to impersonate at the "second hop" of a WinRM service using only Kerberos (delegation).

CredSSP is no solution for me because I cannot prompt for the user's password. I'm using Windows 2008 R2, C#, .NET 4.0.

Scenario: I have a client/server application (the client uses an ODBC driver to communicate with the server). The client grabs the current user's Windows credentials and passes them to the server. The server creates a thread and impersonates the caller. From this impersonated thread I'm trying to call a remote WinRM service (PowerShell) using Kerberos authentication, but it always fails with:

System.Management.Automation.Remoting.PSRemotingTransportException: Processing data from remote server failed with the following error message: Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.

So it looks like the caller has no permission.

If I debug, the difference is in the ImpersonationLevel property (None vs. Delegation) of the current principal.

  • If I run the same code from a console application, it works
  • My client and server are on the same machine at the moment

Thanks for any advice

Cymogene answered 20/3, 2013 at 9:36 Comment(5)
Can you store the password in a file? Obviously it's not the safest solution, but that way you can use CredSSP and automate your script without the need for user input. – Morgun
If you're always connecting to the same endpoint, you can make that endpoint a custom/constrained PowerShell session that runs under delegated permissions. – Petta
No, I cannot store passwords because I do not have them. I am taking the credentials of logged-in users. – Cymogene
Is the user that you try to impersonate currently logged on? In that case you could create an interactive scheduled task for the user. That might have access to the user's access token... – Seafaring
Have you read this article about the double hop from MS? MS Learn - Making the second hop in PowerShell Remoting – Seafaring
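The question turns on the ImpersonationLevel of the token the WinRM call runs under. The following C# diagnostic is an added example, not code from the asker or from any Microsoft sample; it inspects the current thread's token before a remote call is attempted and reports whether a Kerberos second hop can succeed. It uses only System.Security.Principal (available in .NET 4.0). The class and member names (SecondHopDiagnostics, TokenReport, Inspect, Explain) are assumptions chosen for this example.

```csharp
// Added example (not from the original question): inspect the token the
// current thread runs under before attempting a WinRM second hop.
// Facts relied on:
//  - Impersonation is per-thread. Work dispatched to another thread runs as
//    the process account, not as the impersonated caller.
//  - WindowsIdentity.ImpersonationLevel reports None for a primary
//    (non-impersonating) token, so "None" means the thread is not
//    impersonating at all.
//  - Only a Delegation-level token obtained through Kerberos can authenticate
//    to a further hop; an Impersonation-level token is valid on this host only.
using System;
using System.Security.Principal;

public static class SecondHopDiagnostics
{
    public sealed class TokenReport
    {
        public string UserName;
        public string AuthenticationType;          // e.g. "Kerberos" or "NTLM"
        public TokenImpersonationLevel Level;
        public bool IsImpersonating;
        public bool CanSecondHop;
    }

    public static TokenReport Inspect()
    {
        // GetCurrent(true) returns null when the thread is not impersonating;
        // fall back to the process identity so the report is still filled in.
        WindowsIdentity impersonated = WindowsIdentity.GetCurrent(true);
        WindowsIdentity id = impersonated ?? WindowsIdentity.GetCurrent();

        var report = new TokenReport
        {
            UserName = id.Name,
            AuthenticationType = id.AuthenticationType,
            Level = id.ImpersonationLevel,
            IsImpersonating = impersonated != null
        };

        report.CanSecondHop =
            report.Level == TokenImpersonationLevel.Delegation &&
            string.Equals(report.AuthenticationType, "Kerberos",
                          StringComparison.OrdinalIgnoreCase);
        return report;
    }

    // Turn the report into the explanation an operator needs when the
    // remote call fails with "Access is denied".
    public static string Explain(TokenReport r)
    {
        if (r.CanSecondHop)
            return "Delegation-level Kerberos token: the second hop can be attempted.";

        if (!r.IsImpersonating || r.Level == TokenImpersonationLevel.None)
            return "Thread is not impersonating (primary token). Make the WinRM call " +
                   "on the thread that called Impersonate(), not on a pool or " +
                   "background thread.";

        if (!string.Equals(r.AuthenticationType, "Kerberos", StringComparison.OrdinalIgnoreCase))
            return "Logon was " + r.AuthenticationType + ", not Kerberos. NTLM tokens " +
                   "never carry a forwardable ticket, so no second hop is possible.";

        // Impersonation or Identification level over Kerberos: the ticket was
        // not forwardable. That is an Active Directory configuration matter:
        // the intermediate server's account must be trusted for delegation
        // (unconstrained, or constrained to the target's WSMAN SPN) and the
        // user account must not be marked "sensitive and cannot be delegated".
        return "Kerberos token at level " + r.Level + ": delegation is not enabled " +
               "for this server's account or this user in Active Directory.";
    }

    public static void Main()
    {
        TokenReport report = Inspect();
        Console.WriteLine("User:           " + report.UserName);
        Console.WriteLine("Auth type:      " + report.AuthenticationType);
        Console.WriteLine("Level:          " + report.Level);
        Console.WriteLine("Impersonating:  " + report.IsImpersonating);
        Console.WriteLine(Explain(report));
    }
}
```

Run Inspect() from the same thread that performed the impersonation, immediately before opening the remote runspace. The "None vs. Delegation" difference the question reports corresponds to the first branch of Explain(): a console application runs the call on its own logon token, whereas a server thread that has lost its impersonation context (or never had a forwardable ticket) reports None or Impersonation and is refused by the remote host.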
