
Kerberos Double-Hop Problem

The Kerberos double-hop problem occurs when a user authenticates to a first system and that system then tries to reach a second system on the user's behalf. The second connection fails because the first server only received a service ticket for itself, not the user's ticket-granting ticket (TGT), and Kerberos does not forward a user's credentials across a second "hop" unless delegation has been explicitly configured.

Example Scenario

Step 1: First Hop (Works)

  1. You (the user) log in to the client machine and connect to Server A, authenticating with Kerberos.
  2. The KDC issues you a service ticket for Server A; you present it to Server A, which validates it and now knows who you are.

Step 2: Second Hop (Fails)

  1. From Server A, you try to reach Server B (for example a database or file server) as yourself.
  2. Server A holds only the service ticket you presented to it, not your TGT, so it cannot ask the KDC for a service ticket to Server B on your behalf: Kerberos does not forward your credentials by default.
  3. The connection to Server B carries no usable identity, so Server B refuses it (typically "Access is denied", or the request arrives as an anonymous logon).

This failure is called the double-hop problem because the authentication cannot "hop" twice.
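The scenario above can be reproduced and diagnosed from a PowerShell remoting session. The following is an added example, not code from the original page; the host names, the share path and the domain are assumptions, and the script block is what you would type inside an Evil-WinRM or Enter-PSSession shell on the first hop.

```powershell
# Added example (not from the original page). Assumed names: ServerA is the
# host you remote into, ServerB holds a share you try to reach from ServerA.
$first  = 'ServerA.rezydev.local'
$target = '\\ServerB.rezydev.local\share'

Invoke-Command -ComputerName $first -ScriptBlock {
    param($Target)

    # First hop worked: the remote session runs under your account ...
    "Running on $(hostname) as $(whoami)"

    # ... but it is a network logon. LSA on this host never received your TGT,
    # so the ticket cache is empty (klist reports 'Cached Tickets: (0)').
    # Without a TGT this host cannot request a service ticket for ServerB.
    "Kerberos ticket cache on the first hop:"
    klist

    # Second hop: there is nothing to authenticate with, so it fails.
    try {
        Get-ChildItem -Path $Target -ErrorAction Stop | Select-Object -First 3
    } catch {
        "Second hop to $Target failed: $($_.Exception.Message)"
    }
} -ArgumentList $target
```

If you connect with Evil-WinRM from Linux the first hop is usually NTLM rather than Kerberos, but the outcome is the same: no TGT on Server A, empty klist output, and the second hop is refused.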


Solution: Credential Delegation

To fix this at the domain level, an administrator configures Kerberos delegation on Server A's account, which authorises Server A to obtain service tickets for other services on your behalf. There are three variants:

  • Unconstrained Delegation: your TGT is forwarded to Server A, which can then present it to any service in the domain. Least secure: whoever compromises Server A collects the TGTs of everyone who connects to it and can impersonate them anywhere.
  • Constrained Delegation: Server A may request service tickets on your behalf (S4U2Proxy) only for the services listed in its msDS-AllowedToDelegateTo attribute, for example cifs/ServerB.
  • Protocol Transition with Constrained Delegation: additionally lets Server A obtain a ticket for a user who did not authenticate to it with Kerberos (for example over NTLM) via S4U2Self, and then delegate it within the constrained list. Note that this also lets Server A impersonate such users without them ever authenticating to it, so it deserves the same scrutiny as unconstrained delegation.
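How the three variants are represented in the directory, and how to audit or grant them, is easiest to see with the ActiveDirectory module. The block below is an added example, not from the original page; it runs as a domain user with read access for the audit part and as a domain admin for the Set-* lines, and the account and host names are assumptions.

```powershell
# Added example (not from the original page). Assumed names: ServerA, ServerB,
# domain rezydev.local.
Import-Module ActiveDirectory

# userAccountControl bits that grant delegation rights
$TRUSTED_FOR_DELEGATION         = 0x80000     # unconstrained delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # protocol transition (S4U2Self)
$props = 'userAccountControl', 'msDS-AllowedToDelegateTo', 'servicePrincipalName'

function Get-DelegationReport {
    # Unconstrained: matches the TRUSTED_FOR_DELEGATION bit (domain controllers
    # carry it by default and will show up here too).
    $unconstrained = Get-ADObject -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_FOR_DELEGATION)" -Properties $props

    # Constrained: any account whose msDS-AllowedToDelegateTo lists target SPNs.
    # Whether protocol transition is also enabled is a separate UAC bit.
    $constrained = Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Properties $props

    foreach ($o in $unconstrained) {
        [pscustomobject]@{ Account = $o.Name; Type = 'Unconstrained'; Targets = '* (any service)' }
    }
    foreach ($o in $constrained) {
        $pt = ($o.userAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0
        [pscustomobject]@{
            Account = $o.Name
            Type    = if ($pt) { 'Constrained + protocol transition' } else { 'Constrained (Kerberos only)' }
            Targets = ($o.'msDS-AllowedToDelegateTo' -join ', ')
        }
    }
}

Get-DelegationReport | Format-Table -AutoSize

# Granting ServerA constrained delegation to the CIFS service on ServerB only,
# which is the least-privilege way to make the file-server double hop work.
Set-ADComputer -Identity 'ServerA' -Add @{ 'msDS-AllowedToDelegateTo' = 'cifs/ServerB.rezydev.local' }

# Only if first hops that are not Kerberos (e.g. NTLM) must be delegated too:
# enable protocol transition. Leave this off unless it is actually required.
Get-ADComputer -Identity 'ServerA' | Set-ADAccountControl -TrustedToAuthForDelegation $true
```

From the offensive side the same audit is available in PowerView as Get-DomainComputer -Unconstrained, Get-DomainComputer -TrustedToAuth and Get-DomainUser -TrustedToAuth; any account that shows up in the report is a higher-value target than its name suggests.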

Workarounds

More: https://posts.slayerlabs.com/double-hop/

Evil-WinRM Session

Inside an Evil-WinRM shell, PowerView's LDAP queries are a second hop: the bind to the domain controller is made from the first-hop host, where no ticket for you exists, so every query comes back empty or fails.

Import-Module .\PowerView.ps1
Get-DomainUser -SPN   # Fails: the LDAP bind to the DC goes out without your identity

# Fix: build an explicit credential and pass it to every PowerView call
$SecPassword = ConvertTo-SecureString 'Coolpass123@' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('REZYDEV\sqldb', $SecPassword)

# PowerView binds to LDAP with $Cred instead of the session's (empty) identity
Get-DomainUser -SPN -Credential $Cred | Select-Object samaccountname

The price of this workaround is that the plaintext password is now typed on the first-hop host, where it lands in the session's memory, in any PowerShell transcript or script block log, and in your own shell history.
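The same explicit-credential trick works for any second hop, not only for PowerView: each call that accepts -Credential performs a fresh logon from Server A to the target using the supplied password, so it no longer depends on a ticket the first hop never had. The block below is an added example, not from the original page; it is meant to be run inside the first-hop session (Evil-WinRM or a PSSession on Server A), and the host names, share and account are assumptions.

```powershell
# Added example (not from the original page). Run this on the first-hop host.
# Assumed names: ServerB.rezydev.local with a share named 'share',
# account REZYDEV\sqldb with a placeholder password.
$SecPassword = ConvertTo-SecureString 'Coolpass123@' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('REZYDEV\sqldb', $SecPassword)
$share = '\\ServerB.rezydev.local\share'

# 1. File share on the second hop: map it with explicit credentials so SMB does
#    its own logon to ServerB instead of reusing the empty first-hop identity.
New-PSDrive -Name X -PSProvider FileSystem -Root $share -Credential $Cred | Out-Null
Get-ChildItem -Path 'X:\' | Select-Object -First 3
Remove-PSDrive -Name X

# 2. Remoting to the second hop: a nested Invoke-Command with -Credential
#    authenticates to ServerB directly from ServerA.
Invoke-Command -ComputerName 'ServerB.rezydev.local' -Credential $Cred -ScriptBlock {
    "Second hop reached: $(hostname) as $(whoami)"
}

# 3. Anything that bundles its own network access (PowerView, the AD module's
#    -Credential parameter, SQL clients with SQL or explicit Windows auth) follows
#    the same pattern: pass $Cred rather than relying on the session token.
```

Because every hop re-sends the password, prefer the narrowest credential that can do the job (here a service account with rights only on Server B), and clear the variables with Remove-Variable SecPassword, Cred when finished.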