While this is an absolute hack, and I'm sure you've already moved on from this problem, one workaround is to create a scheduled task (using the Windows schtasks command) and execute it immediately to perform the copy. The scheduled task will run in the proper context and be able to copy from the server without encountering the double-hop issue, because it originates from the client machine. I'm sure there's an actual Ansible-level solution to this problem, but this is my current workaround.
Your higher level script can use psutil or something similar to monitor the task and not return until the scheduled task has completed.
Here's an helper script I wrote in Python for accomplishing this:
# run_as_scheduled_task.py
import psutil
import subprocess
import time
import sys
to_match = sys.argv[1]
to_run = ' '.join(sys.argv[2:])
print("Running the following command as immediate scheduled task:")
print(to_run)
print("Will return only once process matching wildcard \"{0}\" is no longer found".format(to_match))
subprocess.call('C:\\Windows\\System32\\schtasks /delete /f /tn "QUICKSCHTASK"', stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
subprocess.call('C:\\Windows\\System32\\schtasks /create /tn "QUICKSCHTASK" /tr "{0}" /sc ONCE /st 00:00'.format(to_run), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
subprocess.call('C:\\Windows\\System32\\schtasks /run /tn "QUICKSCHTASK"', stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
time.sleep(0.1)
def processDead(proc):
print("Process is now dead - {0}".format(proc))
subprocess.call('C:\\Windows\\System32\\schtasks /delete /f /tn "QUICKSCHTASK"', stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
process = None
for proc in psutil.process_iter():
if to_match in proc.name():
gone, still_alive = psutil.wait_procs([proc], None, processDead)
break
You can call this from a higher level script to perform operations and circumvent the double hop. Very hacky, but it works. Example usage of script would be:
start /wait py -3 run_as_scheduled_task.py 'robocopy' 'robocopy SOURCE DEST'
An alternative method is to call psexec on the target machine with the -s flag to use the System account. More information on that here: https://stackoverflow.com/questions/15242248/double-hop-access-to-copy-files-without-credssp