Understand why connections to systems may fail once you set policy to prefer Remote Credential Guard.

Q. I configured Prefer Remote Credential Guard on a system but now it cannot connect to remote systems, why is it not failing back to regular authentication?

A. The Group Policy : Computer Configuration - Administrative Templates - System - Credentials Delegation - Restrict delegation of credentials to remote servers may not be doing exactly what you think it is doing. One of the settings is "Prefer Remote Credential Guard" which many would read as "try Remote Credential Guard and if you can't use it then use regular authentication" but that is not what the policy actually means. What Prefer Remote Credential Guard is to prefer Remote Credential Guard over Restricted Admin but if neither are possible then the connection will simply fail.

Restricted Admin connected a user to a remote server without sending their credentials to the remote host and all further connections to remote services from the remote session would be done as the server computer object itself which posed problems when the computer object did not have permissions to those remote resources.

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish