Double hop permissions?

I am troubleshooting what I think is a Kerberos double-hop permissions issue. Here’s the setup:

Server1 = Windows Server 2008 R2
Client1 = Windows 7

The account context in use is the same account on both systems and this account is in the local Administrators group.

On Server1 I have created a symbolic link to a folder on Client1 as follows:
MKLink /D c:\workspace \Client1\c$\workspace

On Client1 I attempt a remote access to Server1 and, via the symbolic link back to the target folder as follows:
enter-pssession Server1
set-location c:\workspace
This last command returns:
“Access to the path c:\workspace is denied.

Note that there is no issue executing Get-ChildItem on the target remotely linked folder while logged directly onto Server1.

I have attempted to resolve the issue with Enable-WSManCredSSP on Client1 as the “Client” Role and on Server1 as the “Server” Role but to no avail.

I have not as yet requested that the Active Directory record for Server1 be granted rights to delegate. Will try that next but if anyone has any suggestions other than that please let me know.


Is the account you are using a domain account or a local account?

With credSSP enabled have you tried accessing the folder on server1 directly rather than through the link?
The other obvioius question to ask is do you really need to go through client1 or can you go direct to server1?

You need to add the “-Authentication Credssp” argument to Enter-PSSession. It’s not enough to just enable that feature on the client and server; you also have to specify that as your connection mechanism for any remoting connections that need to use it.