Specific Double-Hop GPO Exceptions (CredSSP)

Hi All,

We have decided to disable the use of CredSSP in our organisation due to security concerns and are therefore not able to perform any double hops. In most cases this is fine, but a scenario has now arisen where we would like to add an exception to allow specified servers/workstations to use CredSSP.

The reason for this is that we use the SolarWinds PowerShell checker to monitor certain things. We recently tried to monitor the status of a Lync 2010 federation by using a PowerShell script. The script works great locally, but fails from SolarWinds and when run remotely.

It turns out that the command “Test-CsFederatedPartner” needs to get some information from AD, which causes a Double-Hop and therefore fails.

Is there any way to add an exception to a GPO that says something like “Allow solarwinds.consoto.com to use CredSSP on all machines”, similar to a trusted site etc.?

I am probably asking for too much, but would really appreciate any exceptions!

Is there a specific reason that you can’t use Kerberos constrained delegation? I’m not aware of any way to generate an exception list for CredSSP.
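As an added illustration of the constrained-delegation route suggested above (this is not code from the thread or from Monte, and none of the names are real): the snippet below configures resource-based Kerberos constrained delegation (RBKCD) so that a remoting session from the monitoring server to the Lync front end can make the second hop to a domain controller without CredSSP. It assumes a hypothetical chain SOLARWINDS01 (first hop) → LYNC01 (middle, where Test-CsFederatedPartner runs) → DC01 (second-hop target), a domain contoso.com, the ActiveDirectory RSAT module on the machine running it, and a Windows Server 2012 or later KDC (RBKCD is not available on older domain controllers). The Test-CsFederatedPartner parameter values at the end are placeholders.

```powershell
# Added example, not from the original thread. Resource-based Kerberos
# constrained delegation for the PowerShell remoting "second hop".
# Hypothetical hosts: SOLARWINDS01 -> LYNC01 -> DC01 in contoso.com.
# Run from a machine with the ActiveDirectory RSAT module, as a domain admin.

Import-Module ActiveDirectory

$MiddleHop    = 'LYNC01'   # server that must act on the caller's behalf
$SecondHopDC  = 'DC01'     # resource the middle hop talks to (AD / LDAP)

# 1. On the RESOURCE (the DC), list the middle-hop computer account as a
#    principal allowed to delegate to it. The trust is stored on DC01's
#    msDS-AllowedToActOnBehalfOfOtherIdentity attribute, not on LYNC01.
#    Repeat for every DC that LYNC01 might contact (e.g. all DCs in the site).
$middle = Get-ADComputer -Identity $MiddleHop
Set-ADComputer -Identity $SecondHopDC -PrincipalsAllowedToDelegateToAccount $middle

# 2. Verify what is now allowed to delegate to the DC. Review this list
#    periodically: an attacker who controls any principal in it can obtain
#    service tickets for non-protected users against this DC.
Get-ADComputer -Identity $SecondHopDC -Properties PrincipalsAllowedToDelegateToAccount |
    Select-Object -ExpandProperty PrincipalsAllowedToDelegateToAccount

# 3. The KDC caches a negative delegation result for about 15 minutes, so
#    purge the SYSTEM logon session's ticket cache on the middle hop
#    (logon id 0x3e7 is the local SYSTEM session used by the WinRM service).
Invoke-Command -ComputerName $MiddleHop -ScriptBlock { klist purge -li 0x3e7 }

# 4. The double hop itself, as SolarWinds would run it from SOLARWINDS01.
#    Connect by hostname (not IP) so WinRM negotiates Kerberos; with NTLM
#    there is no ticket to forward and the second hop fails again.
#    Run it as the dedicated, low-privilege monitoring account, never as a
#    domain admin: delegation only applies to accounts that are not in
#    Protected Users and not marked "sensitive and cannot be delegated".
Invoke-Command -ComputerName $MiddleHop -ScriptBlock {
    Import-Module Lync   # Lync 2010 management module assumed present on LYNC01
    # Parameter names per the Lync 2010 cmdlet; values are placeholders.
    Test-CsFederatedPartner -TargetFqdn 'sip.contoso.com' -Domain 'partner.example'
}

# 5. To back the change out, clear the principal list on the DC again.
# Set-ADComputer -Identity $SecondHopDC -PrincipalsAllowedToDelegateToAccount $null
```

The security point to keep in mind: any form of delegation to a domain controller (RBKCD as above, or classic constrained delegation to ldap/DC01 via msDS-AllowedToDelegateTo) lets the middle server impersonate every non-protected user against that DC, so it is only acceptable when the middle server is treated as Tier 0, privileged accounts are in Protected Users, and the monitoring account itself holds no rights beyond what the check needs.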

Thanks Monte, I had completely overlooked Kerberos delegation, but after rereading these two articles I will give it a try:


Thank you