The double-hop problem describes a scenario in PowerShell where remoting is used to connect to a host and the remote host tries to connect to another resource. In this scenario, the second connection, the second hop, fails because authentication cannot be implicitly passed.
There have been numerous articles discussing this problem over the years. Ashley McGlone published a blog post in 2016 that describes the problem and each of the possible solutions:
This section briefly explores using CredSSP, as well as how to pass explicit credentials to a remote system. Neither of these options is considered secure, but they require the least amount of work to implement.
The two options discussed as follows are therefore useful when:
- The remote endpoint is trusted and has not been compromised.
- Critical authentication tokens can be extracted by any administrator on the remote system
- They are not used for wide-scale regular or scheduled automation, as the methods significantly increase exposure