10.3.3. Procedure – Network Level Authentication without domain membership


There are scenarios when you want to use PSM to monitor RDP access to servers that accept only Network Level Authentication (NLA, also called CredSSP), but the client, PSM, and the server are not in the same domain (there is no trust between their domains), or any of them is not in a domain at all. For example, you cannot add PSM to the domain for some reason, or the RDP server is a standalone server that is not part of a domain. The following table shows such a scenario.

UserClient domain membershipPSM domain membershipServer domain membership
local or any domainany domainnot a domain member, or other than <server-domain><server-domain>


  • Server-side redirection may not work.


  1. Navigate to RDP Control > Settings, and select the RDP settings policy that you use in your connection policies.

  2. Clear the Enable Network Level Authentication > Require domain membership option.

  3. Click .