CredSSP is represented by the PROTOCOL_HYBRID (0x00000002) and PROTOCOL_HYBRID_EX (0x00000008) flags in the RDP Negotiation Request (section 22.214.171.124.1) and RDP Negotiation Response (section 126.96.36.199.1) structures. The Credential Security Support Provider (CredSSP) Protocol (see [MS-CSSP]) is essentially the amalgamation of TLS with Kerberos and NT LAN Manager (NTLM). Besides enabling authentication of the remote computer's identity, the Credential Security Support Provider (CredSSP) Protocol also facilitates user authentication and the transfer of user credentials from client to server, hence enabling single-sign-on scenarios.
When the Credential Security Support Provider (CredSSP) Protocol begins execution, the TLS handshake will always be executed. Once a TLS channel has been successfully established (the identity of the server may have been authenticated in the process), Kerberos or NTLM will be used within the TLS channel to authenticate the user (and the server as well if Kerberos is being used). Once Kerberos or NTLM has completed successfully, the user's credentials are sent to the server. Traffic on the wire remains encrypted with TLS and is wrapped by TLS headers. There is no double-encryption of traffic because the Kerberos (or NTLM) session is securely bound to the TLS session.