
Powershell invoke-command multihopping


I have a question regarding multihopping in a Windows environment.
Let's say I have a schedule running on Server A (Central Scheduler) which executes a command on Server B. This script contains a call to save files on a remote filer (UNC path, Server C). Hop 1 (from A to B) works well, hop 2 (from B to C) fails. I already tested to save the files locally on server B, that works flawlessly. I think there's a problem with the second hop. I remember reading something like this on a forum a while ago, but can't remember a solution.
In detail, the command looks like this:

$session = New-PSSession -computer ComputerName    
$templatepath = "\\filerpath\"
Invoke-Command -Session $session -Scriptblock { powershell ovpmutil cfg pol dnl $Using:templatepath /p \BSH }

To clarify: PowerShell gives me an "Access denied" when performing the second hop. I already enabled credential delegation as described here: Enabling Multihop Remoting
Any help is appreciated.
Thanks in advance

The solution is a real pain in the backside if you ask me but here it is...

On the originating server (A):

Set-Item WSMAN:\localhost\client\auth\credssp -value $true

On the intermediate server (B):

# Server B receives the delegated credentials, so CredSSP is enabled on the WSMan service side
Set-Item WSMAN:\localhost\service\auth\credssp -value $true

Open Group Policy editor on server A, navigate to:

Computer Configuration > Administrative Templates > System > Credentials Delegation

Enable these options:

  • Allow delegating fresh credentials
  • Allow delegating fresh credentials with NTLM-only server authentication

Both policies need to have server B added to the allowed list; wildcards are allowed. Note that if you use RDP from server A you'll also need to add TERMSRV/*.

When running Invoke-Command from server A, include the -Authentication CredSSP param.

Note that if saving SecureStrings somewhere for the credential to connect to server C, you'll want to either use a fixed encryption (specify byte array) or plain text and convert it.
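The whole A-to-B-to-C setup from the answer above, as an added example that is not part of the original posts: it uses the built-in Enable-WSManCredSSP cmdlet in place of Set-Item and the Group Policy editor, scopes delegation to one host instead of a wildcard, and checks the second hop before running the job. The host name serverB.example.test is a constructed placeholder, and a Kerberos-authenticated domain is assumed, so the NTLM-only policy is not set.

```powershell
# Added example. serverB.example.test is a constructed placeholder;
# the UNC path and the ovpmutil arguments are the ones from the question.
$serverB      = 'serverB.example.test'
$templatePath = '\\filerpath\'

# --- Run once on server B (elevated): accept delegated credentials over WinRM.
# Enable-WSManCredSSP -Role Server -Force

# --- Run on server A (elevated): allow delegation to server B only.
# CredSSP hands the full credential to B, so name the one host that needs it
# rather than a wildcard that covers every machine in the domain.
Enable-WSManCredSSP -Role Client -DelegateComputer $serverB -Force | Out-Null

# Show the resulting client and service settings before relying on them.
Get-WSManCredSSP

# CredSSP requires explicit credentials; the logged-on identity is not delegated.
# Interactive prompt for the demo; an unattended job would load the credential
# from protected storage instead.
$cred = Get-Credential -Message "Account with write access to $templatePath"

$session = New-PSSession -ComputerName $serverB -Authentication Credssp -Credential $cred
try {
    Invoke-Command -Session $session -ScriptBlock {
        $path = $Using:templatePath

        # Second hop: B contacts the filer (server C) as the delegated user.
        if (-not (Test-Path -LiteralPath $path)) {
            throw "Second hop failed: $path is not reachable from $env:COMPUTERNAME"
        }
        ovpmutil cfg pol dnl $path /p \BSH
    }
}
finally {
    Remove-PSSession $session
    # When the job no longer needs delegation, remove it again:
    # Disable-WSManCredSSP -Role Client     (on server A)
    # Disable-WSManCredSSP -Role Server     (on server B)
}
```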
