Enabling Multihop Remoting

Doctor Scripto

Summary: Microsoft PowerShell MVPs, Don Jones and Jeffery Hicks, discuss how to enable multihop remoting in Windows PowerShell 3.0.

Microsoft Scripting Guy, Ed Wilson, is here. Tonight is our Windows PowerShell User Group meeting in Charlotte, NC, where I will be presenting on using Windows 8 to perform remote management. We will also be holding a Lync meeting with the Philadelphia User Group at the same time. Click the following link to join us online from 7:00 – 8:00 P.M. Eastern Standard Time: Charlotte Windows PowerShell User Group meeting.

This week we will not have our usual PowerTip. Instead we have excerpts from seven books from Manning Press. In addition, each blog post will have a special code for 50% off the book being excerpted that day. Remember that the code is valid only for the day the excerpt is posted. The coupon code is also valid for a second book from the Manning collection.

Today, the excerpt is from Learn Windows PowerShell 3 in a Month of Lunches, Second Edition
  By Don Jones and Jeffery Hicks

Photo of book cover

When you’re remoting into a computer, don’t run Enter-PSSession from that computer unless you fully understand what you’re doing. Let’s say you work on Computer A, which runs Windows 7, and you remote into Server-R2. At the Windows PowerShell prompt, you run this:

[server-r2] PS C:\>enter-pssession server-dc4

Server-R2 is now maintaining an open connection to Server-DC4, which can start to create a “remoting chain” that’s hard to keep track of and that imposes unnecessary overhead on your servers. There may be times when you have to do this, mainly when a computer like Server-DC4 sits behind a firewall and you can’t access it directly, so you use Server-R2 as a middleman to hop over to Server-DC4. But, as a general rule, try to avoid remote chaining.

Some people refer to “remote chaining” as “the second hop,” and it’s a major Windows PowerShell “gotcha.” We offer a hint: if the Windows PowerShell prompt is displaying a computer name, you’re done. You can’t issue any more remote control commands until you exit that session and “come back” to your computer.

The following drawing depicts the second hop or “multihop” problem: You start on Computer A, and you create a PSSession connection to Computer B. That’s the first hop, and it’ll probably work fine. But, then you try to ask Computer B to create a second hop (or connection) to Computer C—and the operation fails.

[Diagram: Computer A connects to Computer B (the first hop); Computer B’s attempt to connect on to Computer C (the second hop) fails]

The problem is related to the way Windows PowerShell delegates your credentials from Computer A to Computer B. Delegation is the process of enabling Computer B to execute tasks as if it were you, thus ensuring that you can do anything you’d normally have permissions to do, but nothing more. By default, your identity travels only one such “hop”: Computer B receives proof of who you are, but not credentials it could present to a third computer. So when Computer B tries to connect to Computer C on your behalf, Computer C has no way to authenticate you and refuses the request, typically with an “Access is denied” error.

In Windows Vista, Windows 7, and Windows 8 (and their server counterparts), you can enable this multihop delegation by turning on CredSSP authentication for remoting. Understand what that does before you turn it on: with CredSSP, Computer A sends your actual credentials to Computer B, which holds them for the life of the session and can use them against any other computer. If Computer B is compromised, so are those credentials, which is why you should enable delegation only for the specific computers that need it. Two steps are needed to set it up, plus a third when you connect:

  1. On your computer (Computer A in the example), from an elevated (Run as Administrator) prompt, run Enable-WSManCredSSP –Role Client –DelegateComputer x. You’ll replace x with the name of the computer where your credentials may be delegated; use the same name (or fully qualified name) that you will later pass to –ComputerName. You could specify an individual computer name, but you might also use wildcard characters. We don’t recommend using * because that allows your credentials to be delegated to any computer at all, which presents some real security concerns, but you might authorize an entire domain, for example: *.company.com.
  2. On the server that you’re connecting to first (Computer B in the example), again from an elevated prompt, run Enable-WSManCredSSP –Role Server.
  3. When you connect, tell the first hop to use CredSSP. Enabling it on both sides is not enough: Enter-PSSession and Invoke-Command keep using the default Kerberos authentication unless you add –Authentication CredSSP, and CredSSP requires an explicit –Credential. Without those two parameters, the second hop still fails.

The changes made by these commands are applied to the computers’ local security policies (you can inspect the client-side result with Get-WSManCredSSP); you could also make the same changes via a Group Policy Object, which might make more sense in a large domain environment. Managing this via Group Policy is beyond the scope of this post, but you can find more information in the Help for Enable-WSManCredSSP. Don also authored a Secrets of PowerShell Remoting Guide that covers the policy-related elements in more detail.
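The whole procedure, end to end, as an added example that is not part of the book excerpt or the original post: it first shows the second hop failing with plain Kerberos, then enables CredSSP on Computer A and Computer B, makes the first hop with CredSSP and an explicit credential so that the hop to Computer C succeeds, and finally turns delegation back off. The host names server-r2.company.com and server-dc4.company.com and the account COMPANY\admin are placeholders; the commands themselves are standard Windows PowerShell 3.0 cmdlets.

```powershell
# Added example, not from the book excerpt: the Computer A -> Computer B -> Computer C
# chain from the text. Host names and the COMPANY\admin account are placeholders.

# --- First, show the failure without CredSSP (run on Computer A) ---
# The outer hop uses Kerberos, so Server-R2 has nothing it can present to
# Server-DC4; the inner Invoke-Command is refused ("Access is denied").
try {
    Invoke-Command -ComputerName server-r2.company.com -ScriptBlock {
        Invoke-Command -ComputerName server-dc4.company.com -ScriptBlock { hostname }
    } -ErrorAction Stop
} catch {
    Write-Warning "Second hop without CredSSP failed: $($_.Exception.Message)"
}

# --- Step 1: on Computer A, allow delegation to the first hop only ---
# Run from an elevated prompt. Use the same name you will pass to -ComputerName;
# a bare * would let any host on the network receive your password.
Enable-WSManCredSSP -Role Client -DelegateComputer 'server-r2.company.com' -Force

# --- Step 2: on Computer B, accept delegated credentials ---
# Done over remoting here; running Enable-WSManCredSSP locally on Server-R2 is equivalent.
Invoke-Command -ComputerName server-r2.company.com -ScriptBlock {
    Enable-WSManCredSSP -Role Server -Force
}

# Confirm which hosts the client is now willing to delegate to.
Get-WSManCredSSP

# --- Step 3: make the first hop with CredSSP and an explicit credential ---
$cred = Get-Credential -UserName 'COMPANY\admin' -Message 'Account to delegate to server-r2'
Invoke-Command -ComputerName server-r2.company.com `
               -Authentication Credssp -Credential $cred -ScriptBlock {
    # This runs on Server-R2 holding a delegated copy of the credential,
    # so the hop to Server-DC4 now authenticates as COMPANY\admin.
    Invoke-Command -ComputerName server-dc4.company.com -ScriptBlock {
        "$(hostname) sees you as $(whoami)"
    }
}

# --- Clean up: shrink the window in which Server-R2 holds a reusable credential ---
Disable-WSManCredSSP -Role Client
Invoke-Command -ComputerName server-r2.company.com -ScriptBlock {
    Disable-WSManCredSSP -Role Server
}
```

The first block is there on purpose: if it succeeds on your network, something other than CredSSP (for example, an existing Kerberos delegation configuration) is already in place and you do not need the rest. The clean-up at the end matters because Enable-WSManCredSSP is persistent; leaving it on turns every future session to Server-R2 into one that hands that server your password.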

Here is the code for the discount offer today at www.manning.com: scriptw4
Valid for 50% off Learn Windows PowerShell 3 in a Month of Lunches, Second Edition and Learn Windows IIS in a Month of Lunches
Offer valid from April 4, 2013 12:01 AM until April 5 midnight (EST)

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy

1 comment


  • surya teja

    Hi, I am facing a similar case executing the Windows DHCP failover relationship command between server B and server C remotely from server A, using the command Add-DhcpServerv4Failover -ComputerName "dhcpserver.contoso.com" -Name "SFO-SIN-Failover" -PartnerServer -ScopeId, -LoadBalancePercent 70 -MaxClientLeadTime 2:00:00 -AutoStateTransition $True -StateSwitchInterval 2:00:00, which internally communicates with server C to cross-check whether a relationship already exists, but here I am getting a PermissionDenied issue. I tried the above steps (enabling Windows CredSSP, and the second step on server B), so do we need any other step to be covered? I have raised a thread in the Microsoft forum; reference link: https://social.technet.microsoft.com/Forums/en-US/4d47f727-50ad-4f36-8f78-d943097e3ced/unable-to-add-dhcp-failover-peer-relation-from-remote-server?forum=winserverpowershell
    PS C:\Users\Administrator> Invoke-Command -ComputerName -Credential $cred -ScriptBlock {Add-DhcpServerv4Failover -Name "microsoft" -PartnerServer "" -ScopeId -LoadBalancePercent "50" -MaxClientLeadTime 0:0:30 -AutoStateTransition $True -StateSwitchInterval 0:0:0:2 -SharedSecret "abc123" -Force }
    Failed to verify if a failover relationship by the name microsoft exists on server
        + CategoryInfo          : PermissionDenied: (microsoft:root/Microsoft/…erverv4Failover) [Add-DhcpServerv4Failover], CimException
    Here I am executing the above command on server A to define failover for,
