Double hop access to copy files without CredSSP

Question:

hello,

We have large environment with hundreds of virtual machines. During our services deployment we need to copy some files from build drop to all these machines.

So, we have:

  • User machine, where deployment scripts executing
  • Build drop machine, where files are
  • Target machine

Powershell is used as script language. Something like:

This approach leads to double hop issue, which I’m not able to solve due to CredSSP feature is not supported on XP and 2k3 machines. And copy invoked on user machine leads to performance bottle neck (data travels through user machine).

Is there any way to make build drop always visible from all target machines?
May be somehow add them to trusted location or something like this?

Thanks in advance!

Answer:

I found solution which works in our environment.

It is not possible to transfer credentials through double hop without Cred-SSP, but you can run something on target machine without first hop.

The simplest way is to use psexec with -s flag (run remote process in the System account), final string was something like this:

Also you can start some PS script in same way, just ensure that script execution is allowed on remote machine:

Check this article, to understand how psexec works.
While service on someHost

Source:

Double hop access to copy files without CredSSP by licensed under CC BY-SA | With most appropriate answer!

Leave a Reply