For Credential Security Support Provider protocol (CredSSP) to delegate credentials, you must specify which servers can be delegated to. To specify those servers, modify settings in the Group Policy Editor (GPE) Microsoft Management Console (MMC) snap-in. The GPE settings that control delegation are under Computer Configuration | Administrative Templates | System | Credentials Delegation.
Warning This is not constrained delegation. CredSSP passes the user's full credentials to the server without any constraint.
Group policy settings control delegation of the following types of credentials.
| Credentials Type | Description |
|---|
Default credentials | The credentials obtained when the user first logs on to Windows.
|
Fresh credentials | The credentials that the user is prompted for when executing an application.
|
Saved credentials | The credentials that are saved using Credential Manager.
|
To include a server in the category associated with a particular group policy setting, add the Service Principal Name (SPN) of that server to the list of servers for that group policy setting. The SPN can contain a single wildcard character.
Send comments about this topic to Microsoft
Build date: 11/19/2009