1

I have the following script to run some basic commands on a remote machine and log the output to a share. I'm getting an access denied exception on the share even though the share has full control access for everyone, including me executing the script.

script:

```powershell
invoke-command -session $s -ScriptBlock {
    param($log) 
    cd 'c:\temp' | out-file $log -NoClobber
    cmd /c 'dir' | out-file $log -NoClobber
} -argumentList '\\share_location\log_file_path.log'
```

FYI, in the above script the session $s is generated with my credentials.

exception:

```
Access to the path '\\share_location\log_file_path.log' is denied.
+ CategoryInfo          : OpenError: (:) [Out-File], UnauthorizedAccessException
+ FullyQualifiedErrorId : FileOpenFailure,Microsoft.PowerShell.Commands.OutFileCommand
```

Could someone suggest what I'm missing here?

Siva Dasari
  • 2
    Possible duplicate of [What security setting is preventing Remote PowerShell 2.0 from accessing UNC paths](https://stackoverflow.com/questions/8362057/what-security-setting-is-preventing-remote-powershell-2-0-from-accessing-unc-pat) - I think because you're running `Invoke-Command` to run your script on a second computer, it's not allowed to then pass your credentials on to `\\share_location` server as a third computer; it's known as the double-hop issue. – TessellatingHeckler Jul 10 '17 at 23:20
  • 2
    (NB. the 'everyone' security group no longer means 'everyone' since 2003 or so - https://blog.varonis.com/the-difference-between-everyone-and-authenticated-users/ - "*Contrary to popular belief, anyone who is logged in anonymously—that is, they did not authenticate—will NOT be included in the Everyone group. This used to be the case, but was changed as of Windows 2003 and Windows XP (SP2).*" so if that's your share permission, it's still not enough) – TessellatingHeckler Jul 10 '17 at 23:24
  • Try passing the credential object explicitly; maybe that will help – Chetan Kulkarni Jul 11 '17 at 05:33
  • This is definitely the double hop problem. The [Ashley McGlone technet post](https://blogs.technet.microsoft.com/ashleymcglone/2016/08/30/powershell-remoting-kerberos-double-hop-solved-securely/) is a great source for information on this issue. – BenH Jul 11 '17 at 13:41

1 Answer

0

Enable PSRemoting Service to Start Automatic

On both host and remote machines

```powershell
Set-Service winrm -StartupType Automatic
Start-Service winrm
```

Enable PSRemoting

On both host and remote machines

```powershell
Enable-PSRemoting -Force
```

Add computers to Trusted Hosts

On remote machine

```powershell
Set-Item wsman:\localhost\Client\TrustedHosts -Value "$(hostname),*$((Get-WmiObject Win32_ComputerSystem).Domain)"
```

Enable Multi Hopping in PowerShell Remoting

Identify which hosts to allow passing of Creds

```powershell
Enable-WSManCredSSP -Role Client -DelegateComputer "$(hostname),*$((Get-WmiObject Win32_ComputerSystem).Domain)"
```

On the source machine.

```powershell
Enable-WSManCredSSP -Role Server
```

You must specify Authentication and a Credential

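On host machine

```powershell
# Build a credential object from a username and password
$Cred = [System.Management.Automation.PSCredential]::new("<username>",$("<Password>" | ConvertTo-SecureString -AsPlainText -Force))
# CredSSP authentication lets the remote session reuse the credential for a further hop
Invoke-Command -ComputerName localhost -ScriptBlock {Write-Host $args[0]} -ArgumentList "Hello!, It Works" -Authentication Credssp -Credential $Cred
```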

REFERENCE

https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_remote_troubleshooting?view=powershell-6

user2850560
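The answer's CredSSP setup applied to the question's script, as an added example that is not part of the original question or answer. The host name in `$RemoteHost` is a placeholder, `Get-Credential` stands in for the embedded password, delegation is limited to one named host, and `-Append` replaces `-NoClobber` so repeated runs add to the log.

```powershell
# Added example. $RemoteHost is a hypothetical placeholder; the log path is the one from the question.
$RemoteHost = 'server01.example.com'
$LogPath    = '\\share_location\log_file_path.log'
$Cred       = Get-Credential   # prompt for the account instead of storing a password in the script

# On the calling machine (elevated): allow credential delegation to this single host only.
Enable-WSManCredSSP -Role Client -DelegateComputer $RemoteHost -Force | Out-Null

# On the remote machine (elevated, one time): accept delegated credentials.
#   Enable-WSManCredSSP -Role Server -Force

# The session must be created with CredSSP; a default (Kerberos/Negotiate) session
# cannot authenticate onward to the file server, which is the double-hop failure.
$s = New-PSSession -ComputerName $RemoteHost -Authentication Credssp -Credential $Cred
try {
    Invoke-Command -Session $s -ScriptBlock {
        param($log)
        Set-Location 'C:\temp'
        # The write to the UNC path is the second hop; it runs as the delegated account,
        # which still needs write permission on the share and the file.
        cmd /c 'dir' | Out-File -FilePath $log -Append
    } -ArgumentList $LogPath
}
finally {
    Remove-PSSession $s
    # Remove the client-side delegation policy once it is no longer needed.
    Disable-WSManCredSSP -Role Client
}
```

`Get-WSManCredSSP` reports the current client and server delegation settings on a machine, which is a quick way to confirm that the cleanup took effect.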