Double hop 

Because PowerShell uses Kerberos (if available) and NTLM for authentication, the credentials are never transmitted to the destination computer, which makes this the most secure way to authenticate. Unfortunately, because the remote machine does not hold these credentials, it is not possible to connect from the remote machine to a further machine. This is called the double hop or second hop problem. To work around it, the following options are available:

  • CredSSP
  • Kerberos delegation (unconstrained)
  • Kerberos constrained delegation
  • Resource-based Kerberos constrained delegation
  • PSSessionConfiguration using RunAs
  • Just Enough Administration (JEA)
  • Pass credentials inside an Invoke-Command script block

If you encounter this problem, investigate your specific use case first, as each of these mechanisms may have its own pros and cons. A good guide, with examples, can be found at the following link: https://docs.microsoft.com/en-us/powershell/scripting/setup/ps-remoting-second-hop.
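
The following sketch is an added example, not code from the original text. It reproduces the second hop failure and then resolves it with resource-based Kerberos constrained delegation, one of the options listed above. The host names ServerB and ServerC are hypothetical, and the example assumes an Active Directory domain with Windows Server 2012 or later domain controllers and the RSAT ActiveDirectory module.

```powershell
# Added example: ServerB (first hop) and ServerC (second hop) are hypothetical
# domain-joined hosts. Run from an admin workstation with the RSAT
# ActiveDirectory module and rights to modify the ServerC computer object.
Import-Module ActiveDirectory
$cred = Get-Credential   # domain account allowed to remote into ServerB

# 1. Reproduce the problem: the session on ServerB holds no credentials for
#    ServerC, so the second hop is expected to fail with an access-denied error.
Invoke-Command -ComputerName ServerB -Credential $cred -ScriptBlock {
    Get-ChildItem -Path '\\ServerC\C$'
}

# 2. Resource-based Kerberos constrained delegation: the resource (ServerC)
#    names the one computer allowed to delegate to it. ServerB is not changed.
$serverB = Get-ADComputer -Identity ServerB
$serverC = Get-ADComputer -Identity ServerC
Set-ADComputer -Identity $serverC -PrincipalsAllowedToDelegateToAccount $serverB

# 3. Confirm that only the intended principal is listed.
Get-ADComputer -Identity $serverC -Properties PrincipalsAllowedToDelegateToAccount |
    Select-Object -ExpandProperty PrincipalsAllowedToDelegateToAccount

# 4. Purge the Kerberos tickets cached for ServerB's SYSTEM logon session
#    (0x3e7) so that ServerB picks up the change without waiting or rebooting.
Invoke-Command -ComputerName ServerB -Credential $cred -ScriptBlock {
    klist purge -li 0x3e7
}

# 5. Retry the second hop; it should now succeed with the caller's identity.
Invoke-Command -ComputerName ServerB -Credential $cred -ScriptBlock {
    Get-ChildItem -Path '\\ServerC\C$' | Select-Object -First 5 -Property Name
}

# 6. Audit: list computers still trusted for unconstrained delegation, the
#    broadest option in the list above. Domain controllers always appear here.
Get-ADComputer -Filter 'TrustedForDelegation -eq $true' |
    Select-Object -Property Name, DistinguishedName

# Rollback: remove the delegation entry from ServerC again.
Set-ADComputer -Identity $serverC -PrincipalsAllowedToDelegateToAccount $null
```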

We will focus on Just Enough Administration, which will be described in depth in the following chapter.
