There are scenarios when you want to use One Identity Safeguard for Privileged Sessions (SPS) to monitor RDP access to servers that accept only Network Level Authentication (NLA, also called CredSSP), but the client, SPS, and the server are not in the same domain (there is no trust between their domains), or any of them is not in a domain at all. For example, you cannot add SPS to the domain for some reason, or the RDP server is a standalone server that is not part of a domain. The following table shows such a scenario.

User Client domain membership SPS domain membership Server domain membership
local or any domain any domain not a domain member, or other than <server-domain> <server-domain>
  • Server-side redirection may not work.

To use NLA without domain membership

  1. Navigate to RDP Control > Settings, and select the RDP settings policy that you use in your connection policies.

  2. Clear the Enable Network Level Authentication > Require domain membership option.

  3. Click Commit.