Hello there,

There are several ways to address this problem. You can use the Credential Security Support Provider (CredSSP) for authentication. CredSSP caches credentials on the remote server (ServerB), so using it opens you up to credential theft attacks. If the remote computer is compromised, the attacker has access to the user's credentials. CredSSP is disabled by default on both client and server computers. You should enable CredSSP only in the most trusted environments. For example, a domain administrator connecting to a domain controller because the domain controller is highly trusted.

https://learn.microsoft.com/en-us/powershell/scripting/learn/remoting/ps-remoting-second-hop?view=powershell-7.3

Hope this resolves your query!!

--If the reply is helpful, please Upvote and Accept it as an answer--
Second Hop PowerShell Remoting where second hop is external server outside domain
I have 3 machines:
Machine A:
  Network: 172.16.x.x
  Domain Joined: No
  OS: Server 2016
Machine B:
  Network: 172.16.x.x
  Domain Joined: No
  OS: Server 2016
Machine C:
  Network: Outside Network
  Domain Joined: n/a
I need to invoke a PowerShell custom function on Machine C from Machine A. I am able to invoke all the functions from Machine 'A' properly by using the credentials which are authorized on Machine 'B', except one unique function. That function invokes an HTTP request to Machine 'C' using a different set of credentials. These credentials are not domain user credentials, as Machine 'C' is outside the network/a non-domain-joined machine.

When I send the Invoke-Command from Machine B to Machine C, it works fine. I am able to send any command from Machine A to Machine B - it's working fine. When I send a command from Machine A to Machine C by invoking the already tested function on Machine B, i.e. Machine B is the middle man, I get a delegation trust error. I am not able to understand why I am getting the credential delegation error, as I am importing the credential within the function on Machine 'B'. This design was working fine for a few months and it's broken now, and I am not able to understand the cause of it.

I cannot send commands directly to Machine C from Machine A, as Machine A is just a dumb machine which is only used to forward the commands to different machines based on the requirement. This failing function is the only function which is importing the credentials within the function. All the other functions, which do not require external credentials, work fine.

Please let me know if anyone has ideas on how to make this design work again. Thanks in advance.

So, in a nutshell, the second hop is an external machine.
MotoX80 34,761 Reputation points
2023-04-24T19:09:56.7433333+00:00

"and the script is failing on the line below, when trying to import the password within a function on Machine B

$credential=Import-Clixml -Path F:\PathToXML"

https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/import-clixml?view=powershell-5.1

The Export-Clixml cmdlet encrypts credential objects by using the Windows Data Protection API. The encryption ensures that only your user account can decrypt the contents of the credential object. The exported CLIXML file can't be used on a different computer or by a different user.
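As an added illustration of the DPAPI point above (this is not code from either answer or from the original poster), the following script, run from Machine A, shows which identity the remote function actually executes as on Machine B, reproduces the Import-Clixml failure in that context, and then re-creates the credential file from inside the same remote context so it is protected by the DPAPI key of the user and computer that will read it. The host name 'MachineB' and the path F:\PathToXML\machinec.cred.xml are assumed placeholders.

```powershell
# Added example: diagnose and repair a DPAPI-bound Clixml credential file on the
# middle-hop machine. 'MachineB' and the .xml path are placeholders (assumptions).

$hopCred = Get-Credential -Message 'Account used for the A -> B remoting session'
$session = New-PSSession -ComputerName 'MachineB' -Credential $hopCred
$credPath = 'F:\PathToXML\machinec.cred.xml'

# 1. Show the security context the function will really run under on Machine B.
#    If this user or computer differs from the one that ran Export-Clixml,
#    DPAPI cannot decrypt the file and the import fails.
$ctx = Invoke-Command -Session $session -ScriptBlock {
    [PSCustomObject]@{
        RemoteUser   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        RemoteHost   = $env:COMPUTERNAME
    }
}
$ctx | Format-List

# 2. Probe the import exactly as the failing function does, but catch the
#    error so it is reported as a decryption problem, not a delegation one.
$probe = Invoke-Command -Session $session -ScriptBlock {
    param($Path)
    try {
        $c = Import-Clixml -Path $Path
        "Import OK: file decrypts to user '$($c.UserName)' in this context"
    } catch {
        "Import FAILED in this context: $($_.Exception.Message)"
    }
} -ArgumentList $credPath
$probe

# 3. If it failed, write the file from inside the same remote context. The
#    PSCredential is passed over the encrypted remoting channel and Export-Clixml
#    protects it with the DPAPI key of the remote user on Machine B.
$externalCred = Get-Credential -Message 'Account used for the HTTP call to Machine C'
Invoke-Command -Session $session -ScriptBlock {
    param($Cred, $Path)
    $Cred | Export-Clixml -Path $Path
    # Prove it round-trips in this context before relying on it in the function.
    "Round-trip check: " + (Import-Clixml -Path $Path).UserName
} -ArgumentList $externalCred, $credPath

Remove-PSSession $session
```

The file produced in step 3 is only readable by that same account on that same computer, so a scheduled task or a different service account on Machine B would need its own copy created the same way.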