I'd like to Enter-PSSession to server A and list the directory contents of a share on server B.

I'd hoped to do this by setting Kerberos Constrained Delegation on server A's Active Directory properties to enable Kerberos Constrained Delegation to the cifs (SMB) service on server B. However, after I do this, when I go to list the directory contents of the share on server B from a PSSession on server A I get PermissionDenied...

I also don't see any Kerberos traffic on Server A indicating it's trying to get a ticket to server B.

Anyone know what I'm doing wrong?

All computers are running Windows Server 2012 R2.

Thanks!

chris king
  • Well, I did get it working for a second, so there is a way to do this with Kerberos Constrained Delegation. It worked after I enabled all services, not just cifs... However when I then removed all services and issued a klist purge but it kept working... When I closed and re-opened the PSSession it stopped working... So something must be replicating... however I'm only running with one DC... so I wonder if there's a way to force a refresh somewhere... – chris king Apr 17 '15 at 04:26
  • Could it be your default server GPO overriding the setting? – Jan Chrbolka Apr 17 '15 at 05:00
  • I did have a bunch of CredSSP crud in my GPO when I tried that approach. So I disabled all that, replicated, and gpupdated but still no dice. I don't think that was the problem because for a second it was working. So there is some way to configure the delegation tab of server A to make this work. But I can't reproduce it. I'm guessing the setting needs to replicate or be refreshed somewhere... – chris king Apr 17 '15 at 05:06
  • Got it working again. The settings now are "Trust this computer for delegation to specified services only" + "Use any authentication protocol" + every service. So now I'll see if I can't limit it to "Use Kerberos only" and reduce the number of services... I wish I knew why the settings didn't take effect immediately. – chris king Apr 17 '15 at 05:09
  • I was going to suggest this [article](http://blogs.technet.com/b/matthts/archive/2012/06/10/configuring-kerberos-constrained-delegation-for-hyper-v-management.aspx) , but it looks like you are almost there. – Jan Chrbolka Apr 17 '15 at 05:11
  • Yeah, thanks. I found that article first and tried to adapt what I learned to get this scenario working. When it was working, klist on server A showed a ticket with `Server: cifs/serverB.ad.foo.com @ AD.FOO.COM`. But when I reduced it to just "Use Kerberos only" and only granted cifs for serverB it stopped working. So now I'm guessing there must be another service type needed. But when I revert everything back to the configuration that was working and try again it doesn't work straight away... I have to wait for something... wish I knew what... – chris king Apr 17 '15 at 05:16

1 Answer

Ah ha! There is a negative Kerberos cache that expires every 15 minutes. See here.

Apparently, it can be disabled by creating a DWORD at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\S4UCacheTimeout with value 0. When I did that my Active Directory changes took effect immediately on ServerA.

After disabling the negative cache I can set the delegation on ServerA to Trust this computer for delegation to specified services only + Use Kerberos only + cifs/ServerB and bingo! I can access the file share on ServerB from a PSSession in ServerA.

So happy!

chris king
  • Disabling Wireshark analyze sequence number cleaned up a lot of noise for me. – chris king Apr 17 '15 at 07:10
  • If you see KDC_ERR_BADOPTION in your network capture then [this](http://blogs.technet.com/b/askds/archive/2012/07/27/kerberos-errors-in-network-captures.aspx) has some good info. – chris king Apr 17 '15 at 07:13
  • See [also](http://blogs.msdn.com/b/taylorb/archive/2012/11/06/remote-administration-without-constrained-delegation-using-principalsallowedtodelegatetoaccount.aspx) – chris king Apr 17 '15 at 07:26
  • See [also](http://windowsitpro.com/security/how-windows-server-2012-eases-pain-kerberos-constrained-delegation-part-1). Looks like the approach through AD has been superseded. New approach doesn't require AD permissions... – chris king Apr 17 '15 at 07:58
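
The working configuration from the answer, expressed in PowerShell as an added example; this is not code from the original post. It assumes the RSAT ActiveDirectory module on an admin workstation that can remote to ServerA, a share named `share` on ServerB, and the names ServerA, ServerB and ad.foo.com from the thread as placeholders. The attribute mappings used here (msDS-AllowedToDelegateTo for the "specified services" list, TrustedToAuthForDelegation for "Use any authentication protocol" versus "Use Kerberos only") are the standard AD equivalents of the delegation tab, not something the thread itself states.

```powershell
# Added example, not from the original post. Names below are placeholders from the thread.
$serverA   = 'ServerA'
$serverB   = 'ServerB'
$domainFqdn = 'ad.foo.com'          # assumed domain DNS name
$shareName = 'share'                # assumed share name on ServerB

# 1. On ServerA, disable the S4U negative cache so delegation changes take effect
#    immediately instead of after the 15-minute expiry described in the answer.
#    This is a troubleshooting aid; deleting the value afterwards restores the default.
Invoke-Command -ComputerName $serverA -ScriptBlock {
    $kerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    if (-not (Test-Path $kerbParams)) { New-Item -Path $kerbParams -Force | Out-Null }
    Set-ItemProperty -Path $kerbParams -Name 'S4UCacheTimeout' -Type DWord -Value 0
    Get-ItemProperty -Path $kerbParams -Name 'S4UCacheTimeout' |
        Select-Object PSComputerName, S4UCacheTimeout
}

# 2. Set the delegation on ServerA's computer object to exactly the configuration the
#    answer found to work: "specified services only" + "Use Kerberos only" + cifs/ServerB.
#    The GUI writes both the short and the FQDN form of the SPN, so both are listed here.
Import-Module ActiveDirectory
$cifsSpns = @("cifs/$serverB", "cifs/$serverB.$domainFqdn")
Set-ADComputer -Identity $serverA -Replace @{ 'msDS-AllowedToDelegateTo' = $cifsSpns }
Get-ADComputer -Identity $serverA | Set-ADAccountControl -TrustedToAuthForDelegation $false

# 3. Read the settings back so the change can be verified before testing.
Get-ADComputer -Identity $serverA -Properties 'msDS-AllowedToDelegateTo', 'TrustedToAuthForDelegation' |
    Select-Object Name, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

# 4. From a fresh session on ServerA, purge cached tickets, access the share on ServerB,
#    then confirm that a cifs/ServerB service ticket was obtained, as the thread saw in klist.
Invoke-Command -ComputerName $serverA -ScriptBlock {
    klist purge | Out-Null
    Get-ChildItem -Path "\\$using:serverB\$using:shareName" | Select-Object -First 5
    klist | Select-String -Pattern 'cifs/'
}
```

Step 4 is the same check the thread used: if the directory listing succeeds and `klist` on ServerA shows a `cifs/ServerB...` ticket, the delegation path is in place. If it fails, a network capture on ServerA showing KDC_ERR_BADOPTION points at the delegation settings rather than at share permissions, as the answer's linked article describes.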