26

I am having trouble accessing a shared network location while within a PowerShell remote session.

From the PowerShell prompt, I enter a new session:

Enter-PSSession server1

The session is properly created and entered. I then attempt to list the contents of the share:

dir \\server2\share1

The response is this error:

Get-ChildItem : Cannot find path '\\server2\share1' because it does not exist.

However, if I remote desktop into server1, bring up PowerShell, and execute the very same dir command, the contents are correctly listed.

I've tried various things using credentials, but that doesn't seem to fix it. I've also confirmed via the "whoami" command that I have the same identity in both examples.

What would cause this?

Moskie

3 Answers

9

If you can't use credential delegation as mentioned above, you can mount (or just authenticate as below) the remote share in the remote session using explicit credentials, e.g.

[server1] ps> net use \\server2\share * /user:username
(prompts for password)
[server1] ps> dir \\server2\share
(listing)

This problem has nothing to do with PowerShell per se; you are trying to replay your local credentials in a remote session to a third location and falling foul of the NTLM "double hop" limitation.

x0n
  • 1
    Doesn't work with the * (only when entering the password cleartext on the command line): net : System error 1312 has occurred. + CategoryInfo : NotSpecified: (System error 1312 has occurred.:String) [], RemoteException + FullyQualifiedErrorId : NativeCommandError A specified logon session does not exist. It may already have been terminated. – brianary Apr 22 '13 at 17:57
  • 1
    hmm.. it must be the interactive prompt from the native console app (net.exe) that blows up the remote session. I wonder if that also blows up in powershell 3.0 - what version did you test? – x0n Apr 22 '13 at 18:36
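An added example, not part of the original answer or its comments: one way to authenticate to the share from inside the remote session without the interactive `net use` prompt that failed above, by collecting the credential locally and passing it into the session as an object. It assumes PowerShell 3.0 or later on both the client and server1; the function name `Get-RemoteShareListing` and the drive name `DoubleHop` are made up for illustration.

```powershell
# Added example. Assumes PowerShell 3.0+ on both ends: $using: and
# New-PSDrive -Credential on FileSystem drives both need it.
# Server and share names are the ones from the question.

function Get-RemoteShareListing {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $ComputerName,   # first hop, e.g. server1
        [Parameter(Mandatory)] [string] $SharePath,      # second hop, e.g. \\server2\share1
        [Parameter(Mandatory)] [System.Management.Automation.PSCredential] $Credential
    )

    Invoke-Command -ComputerName $ComputerName -Credential $Credential -ScriptBlock {
        # The remote session is a network logon with no reusable credentials,
        # so the share is opened with the credential object passed in instead
        # of relying on the session's own identity.
        New-PSDrive -Name DoubleHop -PSProvider FileSystem `
                    -Root $using:SharePath -Credential $using:Credential `
                    -ErrorAction Stop | Out-Null
        try {
            Get-ChildItem -Path 'DoubleHop:\' |
                Select-Object Name, Length, LastWriteTime
        }
        finally {
            # Drop the authenticated connection when done so it does not
            # linger on server1 after the command returns.
            Remove-PSDrive -Name DoubleHop
        }
    }
}

# Prompt on the local machine, where an interactive prompt works,
# rather than inside the remote session.
$cred = Get-Credential
Get-RemoteShareListing -ComputerName server1 -SharePath '\\server2\share1' -Credential $cred
```

The credential is rehydrated on server1, so an account scoped to the share is a better fit here than a privileged one.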
6

Read the section "Credential Delegation" Here - Credit to Keith Hill and perform the steps if you have not already done so.

Lars Truijens
dugas
  • Nice, that looks promising, I'll try it out soon. Thanks for the link, it looks like it has a lot of useful info. – Moskie Feb 10 '10 at 17:04
  • Uh-oh, bad news. As per the instructions there, I executed this command on the remote server: Enable-WSManCredSSP –Role Server. It generated this error: Enable-WSManCredSSP : This Powershell cmdlet is not available on the following platforms: Windows XP and Windows Server 2003. (it's running Server 2003) – Moskie Feb 10 '10 at 17:12
  • And CredSSP client should be available for WinXP SP3, but CmdLet still refuses. http://support.microsoft.com/kb/951608 – Lars Truijens Mar 24 '11 at 16:50
0

Another option is Kerberos resource delegation.

e.g.:

Import-Module ActiveDirectory
$server_name = "my-server"
$servers = @(Get-ADComputer -Identity $server_name)   # computer(s) allowed to delegate

$target = "target-server"
$tgt_srv = Get-ADComputer -Identity $target   # computer that hosts the resource

Set-ADComputer -Identity $tgt_srv -PrincipalsAllowedToDelegateToAccount $servers

Efren