
5378 The requested credentials delegation was disallowed by policy

Logged when a requested credential delegation is disallowed by policy. It records that policy blocked credential forwarding (multi-hop) via CredSSP.

Overview

This event belongs to the Audit Other Logon/Logoff Events subcategory. It is generated when the configured policy does not permit credential delegation via CredSSP, a mechanism that delegates credentials to another server so that it can access yet another resource (used in RDP multi-hop scenarios, for example).

How it is triggered

  • When an app (such as an RDP client) requests credential delegation and the request is denied because it does not match the delegation-allow policy.

Security review points

  • A delegation denial is essentially the result of defenses working. Still, if delegation requests keep recurring toward unexpected servers or paths, that can be grounds to suspect activity that is trying to carry credentials to another host (aiming to expose credentials over a multi-hop connection).
  • Because delegation places credentials in the remote server’s memory, review this event together with how delegation targets are managed (in particular, avoiding unconstrained delegation).

Notes for log review

  • Legitimate use is often denied because of a policy misconfiguration. Check the requester and the target server to separate configuration-induced denials from suspicious requests.
  • Pay attention to cases where the destination of the delegation request is outside the expected allow list.

Key fields

| Field | Meaning |
|---|---|
| Account Name | The account that requested delegation |
| Target server | The delegation target |
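
The review steps above (separate configuration-induced denials from suspicious ones, and watch for recurring requests to targets outside the allow list) can be sketched as follows. This is an added example, not part of the original page: the dict keys, the expected-target patterns, the sample events and the repeat threshold of 3 are all assumptions made for illustration.

```python
from collections import Counter
from fnmatch import fnmatchcase

# Assumption: host patterns the delegation-allow policy is expected to cover.
EXPECTED_TARGETS = ["*.corp.example"]

# Constructed sample: 5378 events reduced to the two key fields
# (dict keys are hypothetical names for "Account Name" / "Target server").
EVENTS = [
    {"account_name": "alice", "target_server": "jump01.corp.example"},
    {"account_name": "svc-backup", "target_server": "files.other.example"},
    {"account_name": "SVC-BACKUP", "target_server": "files.other.example"},
    {"account_name": "svc-backup", "target_server": "FILES.other.example"},
    {"account_name": "bob", "target_server": "203.0.113.25"},
]

RANK = {"investigate": 0, "review": 1, "config-check": 2}


def triage(events, expected=EXPECTED_TARGETS, repeat_threshold=3):
    """Group denials by (account, target) and label each pair.

    config-check: target is on the expected list, so the denial points at a
                  policy misconfiguration blocking legitimate use.
    review:       target is outside the expected list.
    investigate:  target is outside the list and the request keeps recurring.
    """
    counts = Counter(
        (e["account_name"].lower(), e["target_server"].lower()) for e in events
    )
    findings = []
    for (account, target), n in counts.items():
        if any(fnmatchcase(target, p.lower()) for p in expected):
            label = "config-check"
        elif n >= repeat_threshold:
            label = "investigate"
        else:
            label = "review"
        findings.append(
            {"account": account, "target": target, "count": n, "label": label}
        )
    # Most urgent first, then by how often the pair recurred.
    findings.sort(key=lambda f: (RANK[f["label"]], -f["count"]))
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"{f['label']:<13}{f['count']:>3}  {f['account']} -> {f['target']}")
```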

Glossary

  • CredSSP / credential delegation — a mechanism that entrusts credentials to the connected server so it can access other resources. Convenient, but if the entrusted server is compromised, the credentials are exposed.
