I have been working on a script that can remove an old version of Zabbix from our servers, and install the latest version.
I am having a problem copying a file from a shared folder when I am using Invoke-Command.
I can run this script directly from the target machine and I can copy the folder perfectly:
    $Installer = '\\Server01\Zabbix'
    Write-Host -f green "[INFO]: Attempting to copy the folder located on $installer."
    try {
        Copy-Item -Path $installer -Destination c:\ -recurse -force
        Write-Host -f green "[INFO]: $installer is successfully copied on C:\Zabbix on $env:computername."
    }
    catch {
        write-host -f red "[ERROR]: Copying $installer encountered an error on $env:computername : $error"
        $error.clear()
    }
Since I will be running this on multiple servers, I chose the method:
    Invoke-Command -ComputerName $server -ScriptBlock{}
Here is some sample code:
    $servers = @( 'Server02')
    foreach ($server in $servers) {
        Invoke-Command -ComputerName $server -ScriptBlock {
            $Installer = '\\Server01\Zabbix'
            Write-Host -f green "[INFO]: Attempting to copy the folder located on $installer."
            try {
                Copy-Item -Path $installer -Destination c:\ -recurse -force
                Write-Host -f green "[INFO]: $installer is successfully copied on C:\Zabbix on $env:computername."
            }
            catch {
                write-host -f red "[ERROR]: Copying $installer encountered an error on $env:computername : $error"
                $error.clear()
            }
        }
    }
And below is the error message:
    [INFO]: Attempting to copy the folder located on \\Server01\Zabbix.
    Access is denied
        + CategoryInfo : PermissionDenied: (\\Server01\Zabbix:String) [Copy-Item], UnauthorizedAccessException
        + FullyQualifiedErrorId : ItemExistsUnauthorizedAccessError,Microsoft.PowerShell.Commands.CopyItemCommand
        + PSComputerName : Server02
    Cannot find path '\\Server01\Zabbix' because it does not exist.
        + CategoryInfo : ObjectNotFound: (\\Server01\Zabbix:String) [Copy-Item], ItemNotFoundException
        + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.CopyItemCommand
        + PSComputerName : Server02
I am using the same accounts when accessing Server02 directly and running the commands without Invoke-Command. Access should be fine.
Can anyone help?
Thanks!
PowerShell doesn't support second-hop out of the box.
I.e., you invoke the command remotely with your credentials on Server1. When Server1 in turn tries to access resources on Server2, it hasn't access to your credentials as you normally don't pass them forward for further use.
In that case you either need to allow the credentials of the computer account of Server1 to access Server2 or use a method that will either allow passing along your credentials or allow account delegation.
See MS Learn - Making the second hop in PowerShell Remoting
CredSSP used to be the preferred option, but MS has put some further restrictions on using CredSSP which might make it fail.
So I would opt for using JEA (Just Enough Administration) instead if you don't have access to Kerberos delegation in the AD.
A third option is to use SSH for PowerShell remoting instead, as SSH actually does store your credentials on each hop. But that doesn't work with Windows PowerShell 5.1 or earlier.
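One way to pass credentials along for the second hop, applied to the script in the question (an added example, not code from the question or the answer). The drive name ZbxSrc and the prompt text are assumptions made here; the credential object is sent to Server02, so an account limited to reading the share is the best fit.

```powershell
# Added example. Server02 and \\Server01\Zabbix come from the question;
# the drive name 'ZbxSrc' is a placeholder chosen for this example.
$servers = @('Server02')
$share   = '\\Server01\Zabbix'

# Prompt once on the admin workstation for the account that may read the share.
$cred = Get-Credential -Message "Account allowed to read $share"

foreach ($server in $servers) {
    Invoke-Command -ComputerName $server -ScriptBlock {
        # Bring the caller's values into the remote session.
        $share = $using:share
        $cred  = $using:cred
        $drive = 'ZbxSrc'
        $dest  = 'C:\Zabbix'

        try {
            # The remote session holds no delegated credentials, so the hop
            # from Server02 to the share needs its own explicit logon.
            New-PSDrive -Name $drive -PSProvider FileSystem -Root $share `
                -Credential $cred -ErrorAction Stop | Out-Null

            # Make sure the target folder exists before copying into it.
            New-Item -ItemType Directory -Path $dest -Force | Out-Null

            # -ErrorAction Stop makes copy failures terminating errors,
            # which is what lets the catch block below run.
            Copy-Item -Path "${drive}:\*" -Destination $dest -Recurse -Force -ErrorAction Stop
            Write-Host -ForegroundColor Green "[INFO]: $share copied to $dest on $env:COMPUTERNAME."
        }
        catch {
            Write-Host -ForegroundColor Red "[ERROR]: Copying $share failed on $env:COMPUTERNAME : $($_.Exception.Message)"
        }
        finally {
            # Remove the mapped drive so the authenticated connection does not linger.
            Remove-PSDrive -Name $drive -ErrorAction SilentlyContinue
        }
    }
}
```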