RDP credential injection compatibility matrix
This feature requires HCP Boundary or Boundary Enterprise
Credential injection provides users with a passwordless experience when they connect to targets by automatically injecting credentials without exposing them to the user.
You can configure RDP targets for credential injection using a supported authentication method:
- Network Level Authentication (NLA) is supported.
- Kerberos and NTLMv2 authentication methods are supported for domain-joined workers.
- NTLMv2 is supported for non-domain-joined workers.
RDP credential injection also has the following specific network requirements:
- UDP transport must be disabled.
- Server redirection is not supported.
- The maximum supported TLS version is 1.2. TLS 1.3 is incompatible with Windows Server 2025.
HashiCorp has tested and confirmed that RDP credential injection is compatible with the following versions of Windows. We will update this topic as we test new versions.
Windows Server 2025
| Client OS | Kerberos only | Kerberos + NTLMv2 (domain-joined worker) | Kerberos + NTLMv2 (non-domain worker) |
|---|---|---|---|
| Windows 11 | ✅ | ✅ | ✅ |
| Windows 10 | ✅ | ✅ | ✅ |
| macOS 15 | ✅ | ✅ | ✅ |
Windows Server 2022
| Client OS | Kerberos only | Kerberos + NTLMv2 (domain-joined worker) | Kerberos + NTLMv2 (non-domain worker) |
|---|---|---|---|
| Windows 11 | ✅ | ✅ | ✅ |
| Windows 10 | ✅ | ✅ | ✅ |
| macOS 15 | ✅ | ✅ | ✅ |
Windows Server 2019
| Client OS | Kerberos only | Kerberos + NTLMv2 (domain-joined worker) | Kerberos + NTLMv2 (non-domain worker) |
|---|---|---|---|
| Windows 11 | ✅ | ✅ | ✅ |
| Windows 10 | ✅ | ✅ | ✅ |
| macOS 15 | ✅ | ✅ | ✅ |
Windows Server 2016
| Client OS | Kerberos only | Kerberos + NTLMv2 (domain-joined worker) | Kerberos + NTLMv2 (non-domain worker) |
|---|---|---|---|
| Windows 11 | ✅ | ✅ | ✅ |
| Windows 10 | ✅ | ✅ | ✅ |
| macOS 15 | ✅ | ✅ | ✅ |
Troubleshooting
Q: Why am I getting a certificate warning when I connect?
A: This is expected behavior. Boundary generates a self-signed certificate for each RDP target. You must accept this certificate on your first connection.
Q: My connection is failing immediately. What should I check first?
A: Check the session_connection_limit on your target. It cannot be set to 1.
Leave it unset, or set it to 2 or higher.
Refer to Targets for more information.
Q: Why can't I connect to my RDP transparent session on Windows by just using its name?
A: Modern Windows versions block local applications from using the default RDP port (3389).
You must use a workaround, such as connecting to a custom port or using a pre-configured .rdp file.
Refer to RDP targets for more information.
Q: Does this work with servers that require Entra ID login?
A: No. At this time, only servers using traditional Kerberos or NTLMv2 authentication are supported.
More information
For more information, refer to the following topics: