CredSSP Group Policy Settings

For Credential Security Support Provider protocol (CredSSP) to delegate credentials, you must specify which servers can be delegated to. To specify those servers, modify settings in the Group Policy Editor (GPE) Microsoft Management Console (MMC) snap-in. The GPE settings that control delegation are under Computer Configuration | Administrative Templates | System | Credentials Delegation.

Caution

This is not constrained delegation. CredSSP passes the user's full credentials to the server without any constraint.

Group policy settings control delegation of the following types of credentials.

Credentials Type Description
Default credentials
The credentials obtained when the user first logs on to Windows.
Fresh credentials
The credentials that the user is prompted for when executing an application.
Saved credentials
The credentials that are saved using Credential Manager.

To include a server in the category associated with a particular group policy setting, add the Service Principal Name (SPN) of that server to the list of servers for that group policy setting. The SPN can contain a single wildcard character.