10.3.3. Procedure – Network Level Authentication without domain membership

Purpose: 

There are scenarios when you want to use PSM to monitor RDP access to servers that accept only Network Level Authentication (NLA, also called CredSSP), but the client, PSM, and the server are not in the same domain (there is no trust between their domains), or any of them is not in a domain at all. For example, you cannot add PSM to the domain for some reason, or the RDP server is a standalone server that is not part of a domain. The following table shows such a scenario.

UserClient domain membershipPSM domain membershipServer domain membership
local or any domainany domainnot a domain member, or other than <server-domain><server-domain>

Limitations: 

  • Server-side redirection may not work.

  • You must properly configure your RDP clients (as described in the following steps).

Steps: 

  1. Navigate to RDP Control > Settings, and clear the Enable Network Level Authentication > Require domain membership option.

  2. Configure your RDP clients.

    • On Windows Vista SP1 and newer platforms (Remote Desktop Protocol 6.1 or newer):

      Navigate to Local Group Policy Editor > Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Connection Client and enable the Prompt for credentials on the client computer option in the clients. For details, see https://technet.microsoft.com/en-us/library/cc753945%28v=ws.10%29.aspx.

    • On Windows Vista and older platforms (Remote Desktop Protocol 6.0 or older):

      Configure your RDP clients to save the credentials, or make sure that the Allow me to save credentials option is selected in the RDP client.