Let's say User A logs in to Server A and wants to access a resource on Server B. User A has no permission on that resource, but User B does, so User A needs to run under User B's credential.
Normally, when we want a remote session to reach a resource, we use one of these cmdlets:
1. Enter-PSSession
2. Invoke-Command
However, both require User B's user name and password when the remote session is created. That is a real risk: often we don't want to hand User B's password to the operators at all. In that case we can use a delegated session configuration, where the endpoint on Server B runs as User B and we only decide who is allowed to connect to it.
Here are the steps:
1. On Server B, register a new session configuration with "-RunAsCredential UserB"
Register-PSSessionConfiguration -Name DomainAdmin -RunAsCredential xxx\administrator -ShowSecurityDescriptorUI
This creates a session configuration (endpoint) named "DomainAdmin"; every session that connects to it runs under the "xxx\administrator" credential, no matter which user connected. PowerShell prompts for the administrator password once, stores it for the endpoint, and restarts the WinRM service, so run this from an elevated prompt.
2. Grant access to User A
In the security descriptor window that pops up, grant full access to User A (and remove anyone who should not be allowed to use the endpoint). This ACL is the only thing that decides who gets to run as User B, so keep it as tight as possible.
3. Verify the session configuration
Run "Get-PSSessionConfiguration" (from an elevated prompt) to list all session configurations on Server B; the RunAsUser and Permission columns show which account the endpoint runs as and who may connect.
To change the permission later, run "Set-PSSessionConfiguration -Name DomainAdmin -ShowSecurityDescriptorUI".
4. On Server A, create the remote session with the "-ConfigurationName" parameter
Enter-PSSession -ComputerName ServerB -Credential xxx\UserA -ConfigurationName DomainAdmin
Here we authenticate to Server B with User A's credential but ask for the DomainAdmin session configuration. So we only need User A's password when creating the remote session, and the commands we run on Server B execute under User B's credential.
Running whoami inside the session confirms this: it reports the current user as administrator (User B). Invoke-Command accepts the same -ConfigurationName parameter, so scripts can use the endpoint without an interactive session.
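The complete procedure in one script, as an added example that is not code from the original post. The domain "CONTOSO", the RunAs account "CONTOSO\svc-maint" (standing in for User B), the operator "CONTOSO\opsuser" (User A) and the host name "ServerB" are assumed names for illustration. Instead of the -ShowSecurityDescriptorUI popup it sets the permission with -SecurityDescriptorSddl, so the grant is explicit and scriptable; the first part runs in an elevated PowerShell on Server B, the second on Server A.

```powershell
# Added example (not from the original post). Hypothetical names:
# domain CONTOSO, RunAs account CONTOSO\svc-maint ("User B"),
# operator CONTOSO\opsuser ("User A"), target host ServerB.

# ---- On Server B (elevated prompt): register the delegated endpoint ----
$runAs = Get-Credential -UserName 'CONTOSO\svc-maint' -Message 'Account the endpoint will run as'

# Build an SDDL that allows only the operator (GA = full access) to connect.
# Resolving the SID avoids typos in the account name silently granting nobody.
$opSid = (New-Object System.Security.Principal.NTAccount('CONTOSO\opsuser')).
    Translate([System.Security.Principal.SecurityIdentifier]).Value
$sddl = "O:NSG:BAD:P(A;;GA;;;$opSid)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)"

# -Force suppresses the confirmation prompt; WinRM is restarted by the cmdlet.
Register-PSSessionConfiguration -Name 'DomainAdmin' `
    -RunAsCredential $runAs `
    -SecurityDescriptorSddl $sddl `
    -Force

# Verify who may connect and which account the sessions run as.
Get-PSSessionConfiguration -Name 'DomainAdmin' |
    Select-Object Name, RunAsUser, Permission

# ---- On Server A: connect as the operator, execute as the RunAs account ----
$opCred = Get-Credential -UserName 'CONTOSO\opsuser' -Message 'Operator credential'
$session = New-PSSession -ComputerName 'ServerB' `
    -Credential $opCred `
    -ConfigurationName 'DomainAdmin'

# whoami reports CONTOSO\svc-maint, not CONTOSO\opsuser: the endpoint did the delegation.
Invoke-Command -Session $session -ScriptBlock { whoami }

Remove-PSSession $session
```

Note that the SDDL grants the operator the entire RunAs account, not just a few commands. If the operators only need a handful of maintenance cmdlets, the same -ConfigurationName mechanism can be combined with a JEA session configuration file (New-PSSessionConfigurationFile with -RoleDefinitions) so the endpoint exposes only those commands.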
Delegated session configuration is easy to set up and very useful for system maintenance work. Keep in mind that everyone listed in the endpoint's security descriptor effectively gets User B's full rights on Server B, so audit that ACL (and the RunAs account's privileges) as carefully as you would the password itself.