Question
Friday, July 12, 2019 3:14 AM
Hello, everyone! I recently met a strange problem with double hop.
I tried to run the following PowerShell command:
$credential = Get-Credential
$computerName = "frxp02361Dmbssh"
$psdrive1 = @{
Name = "PSDrive1"
PSProvider = "FileSystem"
Root = "\\mbssh01\Tool"
Credential = $credential
}
$psdrive2 = @{
Name = "PSDrive2"
PSProvider = "FileSystem"
Root = "\\dyn\AX"
Credential = $credential
}
$psdrive3 = @{
Name = "PSDrive3"
PSProvider = "FileSystem"
Root = "\\scmlabe3\SCM"
Credential = $credential
}
$psdrive4 = @{
Name = "PSDrive4"
PSProvider = "FileSystem"
Root = "\\codeflow\public"
Credential = $credential
}
Invoke-Command -ComputerName $computerName -ScriptBlock {
New-PSDrive @using:psdrive1
New-PSDrive @using:psdrive2
New-PSDrive @using:psdrive3
New-PSDrive @using:psdrive4
}
Finally, I successfully created new PSDrives for "\\mbssh01\Tool", "\\scmlabe3\SCM", "\\codeflow\public" EXCEPT FOR "\\dyn\AX".
I received the following error:
Name Used (GB) Free (GB) Provider Root CurrentLocation PSComputerName
PSDrive1 \\mbssh01\Tool frxp02361D...
A specified logon session does not exist. It may already have been terminated
+ CategoryInfo : InvalidOperation: (PSDrive2:PSDriveInfo) [New-PSDrive], Win32Exception
+ FullyQualifiedErrorId : CouldNotMapNetworkDrive,Microsoft.PowerShell.Commands.NewPSDriveCommand
+ PSComputerName : frxp02361Dmbssh
PSDrive3 \\scmlabe3\SCM frxp02361D...
PSDrive4 \\codeflow\public frxp02361D...
We can see the command "New-PSDrive @using:psdrive2" failed.
But the other three commands all succeed.
I have tested that I can access the folder "\\dyn\AX" in File Explorer when I log in to the remote computer.
Can anyone help me? I will be very grateful!
All replies (7)
Friday, July 12, 2019 4:01 PM
Hi,
I am not sure about the actual issue, because if psdrive2 failed then psdrive3 & psdrive4 must also have failed.
Can you please try as below:
1. Use credential only in the invoke command and remove from the objects.
$credential = Get-Credential
$computerName = "frxp02361Dmbssh"
$psdrive1 = @{
Name = "PSDrive1"
PSProvider = "FileSystem"
Root = "\\mbssh01\Tool"
}
$psdrive2 = @{
Name = "PSDrive2"
PSProvider = "FileSystem"
Root = "\\dyn\AX"
}
$psdrive3 = @{
Name = "PSDrive3"
PSProvider = "FileSystem"
Root = "\\scmlabe3\SCM"
}
$psdrive4 = @{
Name = "PSDrive4"
PSProvider = "FileSystem"
Root = "\\codeflow\public"
}
Invoke-Command -ComputerName $computerName -Credential $credential -ScriptBlock {
New-PSDrive @using:psdrive1
New-PSDrive @using:psdrive2
New-PSDrive @using:psdrive3
New-PSDrive @using:psdrive4
}
2. Also try changing the order of the drives to verify whether the issue is with psdrive2 or with the 2nd object.
As I am new to this forum, please ignore the mistakes...
Sunday, July 14, 2019 1:59 PM
Hello, Imran_Khan_180, I am sorry for the late reply. I was ill yesterday and today feel better.
Thanks for your suggestions, I have tried them.
1. If I only use credential in Invoke-Command, I can indeed create four new PSDrives.
>> $psdrive1 = @{
>> Name = "PSDrive1"
>> PSProvider = "FileSystem"
>> Root = "\\mbssh01\Tool"
>> }
>>
>> $psdrive2 = @{
>> Name = "PSDrive2"
>> PSProvider = "FileSystem"
>> Root = "\\dyn\AX"
>> }
>>
>> $psdrive3 = @{
>> Name = "PSDrive3"
>> PSProvider = "FileSystem"
>> Root = "\\scmlabe3\SCM"
>> }
>>
>> $psdrive4 = @{
>> Name = "PSDrive4"
>> PSProvider = "FileSystem"
>> Root = "\\codeflow\public"
>> }
>>
>> Invoke-Command -ComputerName $computerName -Credential $credential -ScriptBlock {
>> New-PSDrive @using:psdrive1
>> New-PSDrive @using:psdrive2
>> New-PSDrive @using:psdrive3
>> New-PSDrive @using:psdrive4
>> \\mbssh01\Tool\RockVM\RockVM.ps1 /silent
>> }
Name Used (GB) Free (GB) Provider Root CurrentLocation PSComputerName
PSDrive1 \\mbssh01\Tool frxp023700mbssh
PSDrive2 \\dyn\AX frxp023700mbssh
PSDrive3 \\scmlabe3\SCM frxp023700mbssh
PSDrive4 \\codeflow\public frxp023700mbssh
Access is denied
+ CategoryInfo : OperationStopped: (:) [], UnauthorizedAccessException
+ FullyQualifiedErrorId : System.UnauthorizedAccessException
+ PSComputerName : frxp023700mbssh
But you can see I can't access any resource under "\\mbssh01\Tool".
But if I use the credential inside the PSDrive object, I can access the resource under "\\mbssh01\Tool" although I can't create a new PSDrive for "\\dyn\AX". The result is as follows:
>> $psdrive1 = @{
>> Name = "PSDrive1"
>> PSProvider = "FileSystem"
>> Root = "\\mbssh01\Tool"
>> Credential = $credential
>> }
>>
>> $psdrive2 = @{
>> Name = "PSDrive2"
>> PSProvider = "FileSystem"
>> Root = "\\dyn\AX"
>> Credential = $credential
>> }
>>
>> $psdrive3 = @{
>> Name = "PSDrive3"
>> PSProvider = "FileSystem"
>> Root = "\\scmlabe3\SCM"
>> Credential = $credential
>> }
>>
>> $psdrive4 = @{
>> Name = "PSDrive4"
>> PSProvider = "FileSystem"
>> Root = "\\codeflow\public"
>> Credential = $credential
>> }
>>
>> Invoke-Command -ComputerName $computerName -ScriptBlock {
>> New-PSDrive @using:psdrive2
>> New-PSDrive @using:psdrive1
>> New-PSDrive @using:psdrive3
>> New-PSDrive @using:psdrive4
>> \\mbssh01\Tool\RockVM\RockVM.ps1 /silent
>> }
A specified logon session does not exist. It may already have been terminated
+ CategoryInfo : InvalidOperation: (PSDrive2:PSDriveInfo) [New-PSDrive], Win32Exception
+ FullyQualifiedErrorId : CouldNotMapNetworkDrive,Microsoft.PowerShell.Commands.NewPSDriveCommand
+ PSComputerName : frxp023700mbssh
Name Used (GB) Free (GB) Provider Root CurrentLocation PSComputerName
PSDrive1 \\mbssh01\Tool frxp023700mbssh
PSDrive3 \\scmlabe3\SCM frxp023700mbssh
PSDrive4 \\codeflow\public frxp023700mbssh
Transcript started, output file is \\mbssh01\Tool\RockVM\Logs\RockVM_FRXP023700MBSSH_2019071465325.log
Here is the information of the VM you will create
Datastore : /silent
Branch : AppMU
Build : Latest
InstallRetail : 0
InstallMR : 0
Memory : 25GB
CopyPath : D:\VM
Virtual Switch:
Recycle :
Do you confirm to continue? (Y/N):
2. Changing the order of these commands doesn't solve the problem.
Sunday, July 14, 2019 2:04 PM
I can do nothing about the problem, and I even suspect it's a bug in PowerShell.
Monday, July 15, 2019 6:35 AM
Hi,
Thanks for your question.
Is the "\\mbssh01\Tool" shared folder on your target computer frxp02361Dmbssh?
The "second hop problem" refers to a situation like the following:
You are logged in to ServerA.
From ServerA, you start a remote PowerShell session to connect to ServerB.
A command you run on ServerB via your PowerShell Remoting session attempts to access a resource on ServerC.
Access to the resource on ServerC is denied, because the credentials you used to create the PowerShell Remoting session are not passed from ServerB to ServerC.
You can use CredSSP to solve the second-hop problem.
Please refer to the link below:
https://devblogs.microsoft.com/scripting/enable-powershell-second-hop-functionality-with-credssp/
Best regards,
Lee
Just do it.
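The second-hop situation described above can be checked share by share from inside the remoting session. The following is an added example, not part of the original thread: it reuses the computer and share names from the question, and the probe drive names and result property names are assumptions chosen for illustration.

```powershell
# Added diagnostic example (not from the thread). For every share it records
# whether the second hop works with the remoting logon alone and whether it
# works when an explicit credential is handed to New-PSDrive.
$credential   = Get-Credential
$computerName = "frxp02361Dmbssh"
$roots = "\\mbssh01\Tool", "\\dyn\AX", "\\scmlabe3\SCM", "\\codeflow\public"

$results = Invoke-Command -ComputerName $computerName -ScriptBlock {
    $cred = $using:credential          # credential carried into the session
    foreach ($root in $using:roots) {
        $row = [ordered]@{
            Root        = $root
            Implicit    = $false       # reachable without passing credentials
            Explicit    = $false       # mappable with the explicit credential
            NativeError = $null        # Win32 error code if the mapping fails
            Message     = $null
        }
        # Hop 2 with no credential: fails when nothing was delegated to ServerB.
        $row.Implicit = [bool](Test-Path -LiteralPath $root -ErrorAction SilentlyContinue)

        # Hop 2 with the credential supplied directly to New-PSDrive.
        $name = "Probe" + [guid]::NewGuid().ToString("N").Substring(0, 8)
        try {
            New-PSDrive -Name $name -PSProvider FileSystem -Root $root `
                -Credential $cred -ErrorAction Stop | Out-Null
            $row.Explicit = $true
        }
        catch {
            $row.Message = $_.Exception.Message
            # "A specified logon session does not exist" is Win32 error 1312
            # (ERROR_NO_SUCH_LOGON_SESSION).
            if ($_.Exception -is [System.ComponentModel.Win32Exception]) {
                $row.NativeError = $_.Exception.NativeErrorCode
            }
        }
        finally {
            # Never leave probe mappings behind on the remote host.
            Remove-PSDrive -Name $name -ErrorAction SilentlyContinue
        }
        [pscustomobject]$row
    }
}

$results | Format-Table Root, Implicit, Explicit, NativeError, Message -AutoSize
```

A share that shows Implicit false and Explicit true is a plain second-hop case; one that fails both ways, as "\\dyn\AX" does in the question, needs to be examined on its own.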
Thursday, July 18, 2019 1:50 AM
I know CredSSP is a solution, but I cannot try it.
Because CredSSP does not comply with the security policy of my company.
Thanks for your advice.
I have spent days trying to solve the problem, but it seems that I can't solve it.
Wednesday, July 31, 2019 8:05 AM
Hi,
Was your issue resolved?
If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.
If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.
If not, please reply and tell us the current situation in order to provide further help.
Best Regards,
Lee
Just do it.
Tuesday, March 31, 2020 2:38 PM
Hey. I'm unsure if it will help in this situation, but there is a secure solution to the 2nd-hop problem. Find the details here: https://docs.microsoft.com/en-us/archive/blogs/ashleymcglone/powershell-remoting-kerberos-double-hop-solved-securely