powershell - Getting access denied while running invoke command ,kerberos dula hop delegation authentication error

Question

Hi I am getting below access denied error while accessing file remotely even though I have access to shared location .Kerberos credential delegation is enabled

PS C:Users> $uname = "abracsvc-igniopro-connect"
$password = "P@er***" | ConvertTo-SecureString -AsPlainText -Force
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $uname,$password
Invoke-Command -ComputerName EABP01IGCHEA01 -Credential $cred -ScriptBlock {Get-Content "\Ebrfile01csITINFRA IGNIO SOXvdi NS list 1.csv"}
Access is denied
    + CategoryInfo          : PermissionDenied: (\Ebrfile01cs...i NS list 1.csv:String) [Get-Content], UnauthorizedAccessExceptio 
   n
    + FullyQualifiedErrorId : ItemExistsUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetContentCommand
    + PSComputerName        : EABP01IGCHEA01
 
Cannot find path '\Ebrfile01csITINFRA IGNIO SOXvdi NS list 1.csv' because it does not exist.
    + CategoryInfo          : ObjectNotFound: (\Ebrfile01cs...i NS list 1.csv:String) [Get-Content], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommand
    + PSComputerName        : EABP01IGCHEA01

question from:https://stackoverflow.com/questions/65924166/getting-access-denied-while-running-invoke-command-kerberos-dula-hop-delegation

Answer 1

You have to enable CredSSP (see: Enable-WSManCredSSP) on both the client and server (necessary for this double hop authentication).

First enable on your client to server direction by running this on your machine:

Enable-WSManCredSSP -Role "Client" -DelegateComputer "EABP01IGCHEA01"

Then on your server EABP01IGCHEA01, enable the Server role so that it can act as a delegate:

Enable-WSManCredSSP -Role "Server"

Then you have to explicitly specify the authentication method as CredSSP as it won't connect with it by default:

Invoke-Command -ComputerName EABP01IGCHEA01 -Authentication Credssp -Credential $cred -ScriptBlock {Get-Content "\Ebrfile01csITINFRA IGNIO SOXvdi NS list 1.csv"}

Please note the security implications of enabling CredSSP:

Caution:

CredSSP authentication delegates the user credentials from the local computer to a remote computer. This practice increases the security risk of the remote operation. If the remote computer is compromised, when credentials are passed to it, the credentials can be used to control the network session.