🟑 Medium   ⏱ 5–30 min  Last verified: 18 May 2026
Affected versions: Windows Server 2022

πŸ“– ~1 min read

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Remote scripts can access first hop host but fail when contacting downstream file share, SQL, or API endpoint.

Environment & Reproduction

Reproduced when using default Kerberos auth without constrained delegation or CredSSP.

Enter-PSSession -ComputerName 
Invoke-Command -ComputerName  { Test-Path \srv2share }

Root Cause Analysis

Kerberos ticket is not delegated to second hop by default, causing access denied on downstream resource.

Quick Triage

Determine whether workflow requires double-hop and inspect SPN/delegation settings.

Step-by-Step Diagnosis

Audit constrained delegation and service principal mappings.

setspn -Q HTTP/
Get-ADComputer  -Properties msDS-AllowedToDelegateTo
Illustrative mockup for windows-server-2022 β€” terminal_or_powershell
WinRM auth and delegation diagnostics β€” Illustrative mockup β€” Progressive Robot

Solution – Primary Fix

Implement Kerberos constrained delegation for required downstream services.

Still having issues? Our IT Solutions & Services team can diagnose and resolve this for you. Get in touch for a free consultation.

# Configure delegation in ADUC/PowerShell for srv1 account
klist purge
Illustrative mockup for windows-server-2022 β€” event_or_log_viewer
Delegation success verification events β€” Illustrative mockup β€” Progressive Robot

Solution – Alternative Approaches

Use CredSSP only for tightly controlled admin endpoints with compensating controls.

Verification & Acceptance Criteria

Second-hop access succeeds for approved targets without broad credential exposure.

Rollback Plan

Remove delegation entries and revert remoting to single-hop model if risk posture changes.

Prevention & Hardening

Document remoting trust boundaries and limit delegation scope to explicit services only.

Often co-occurs with SPN duplication and DNS alias canonicalization issues.

View all Windows Server 2022 tutorials on the Tutorials Hub β†’

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

Microsoft Learn: PowerShell remoting authentication, constrained delegation, and CredSSP security guidance.

Need Expert Help?

If you cannot resolve this yourself, our team offers hands-on Server Management, Managed IT Services, and flexible Support Plans. Contact us today β€” we respond within one business day.