# RDP (Password) This guide describes how to add an RDP (Password) server as a resource in StrongDM. An RDP (Password) server resource in StrongDM represents a combination of a host (IP address or DNS name) and authentication credentials (username and password) that the StrongDM node (gateway, relay, or proxy worker) will use to connect via the Microsoft Remote Desktop Protocol (RDP). The node establishes secure connectivity and streams the session to the user through StrongDM, allowing centralized access controls, auditing, and session capture. If you intend to use certificate authentication, please see the section for the [RDP (Certificate Authentication)](https://docs.strongdm.com/admin/resources/servers/rdp-certificate-auth) resource type. ### Limitations * StrongDM supports only the standard Microsoft Remote Desktop Connection client (MSTSC) on Windows. It may not fully support other RDP clients (for example, the newer Remote Desktop app from the Windows Store). * Clients on Windows 11 version 24H2 must be on build version 26100.3323 or higher to avoid known incompatibilities with StrongDM. * Only NTLM authentication is supported for this RDP (Password) resource type. If the Windows user account is placed into the “Protected Users” group in Active Directory, NTLM is blocked, and StrongDM connectivity will fail. * The health indicator in the Admin UI reflects network reachability and not full authentication success; a healthy status means StrongDM could connect to the host, not necessarily that the credentials were correct. ### Prerequisites Before you begin, ensure that the following requirements are met: * The RDP (Password) server must be configured to require TLS encryption from connecting clients, rather than RDP native encryption. * A StrongDM node is deployed and can reach the target Windows host (hostname or IP and RDP port, default 3389). To verify, go to the gateway or relay server and from a command prompt, type `ping `. If your gateway or relay can connect to this hostname, you can continue. For more information see [nodes](https://docs.strongdm.com/admin/networking/gateways-and-relays). * The Windows host is configured to allow RDP connections (Remote Desktop Service enabled, users permitted to log in via RDP). * Credentials (username and password) exist on the Windows host with sufficient privileges to log in remotely. * The Windows host ensures RDP uses TLS encryption, rather than older native RDP encryption. * Firewall or network rules permit the node to connect to the host’s RDP port. * User sessions may be captured/audited by StrongDM; ensure any host firewall or Windows log settings allow login tracking as needed. * If using [Identity Aliases for RDP](#use-identity-aliases-for-rdp-password-authentication) username/password authentication, a secret store must be set up. ## Add the Resource in StrongDM After you have set up your RDP (Password) server, you can add it as a resource in StrongDM. This section provides instructions for adding the resource in either the StrongDM Admin UI, CLI, Terraform provider, or SDKs. {% tabs %} {% tab title="Admin UI" %} **Set up and Manage With the Admin UI** If using the Admin UI to add the resource to StrongDM, use the following steps. 1. Log in to the Admin UI and go to **Resources** > **Managed Resources**. 2. Click **Add Resource**. 3. Select **RDP** (Password) as the **Resource Type** and set other [resource properties](#resource-properties) to configure how the StrongDM relay connects to the server. 4. Click **create** to save the resource. 5. Click the resource name to view status, diagnostic information, and setting details. After the server is created, the Admin UI displays that resource as unhealthy until the health checks run successfully. When the resource is ready, the **Health** icon indicates a positive, green status. {% endtab %} {% tab title="CLI" %} **Set up and Manage With the CLI** This section provides general steps on how to configure and manage the resource using the StrongDM CLI. For more information and examples, please see the [CLI Reference](https://docs.strongdm.com/references/cli) documentation. 1. In your terminal or Command Prompt, log in to StrongDM: ``` sdm login ``` 2. Run `sdm admin servers add rdp --help` to view the help text for the command, which shows you how to use the command and what options (properties) are available. Note which [properties](#resource-properties) are required and collect the values for them. ``` $ sdm admin servers add rdp --help NAME: sdm admin servers add rdp - create RDP (Password) server USAGE: sdm admin servers add rdp [command options] OPTIONS: --bind-interface value IP address on which to listen for connections to this resource on clients. Specify "default", "loopback", or "vnm" to automatically allocate an available address from the corresponding IP range configured in the organization. (default: "default") --downgrade-nla-connections Note: when downgraded, StrongDM cannot verify usernames and passwords for Remote Desktop connections --egress-filter value apply filter to select egress nodes e.g. 'field:name tag:key=value ...' --hostname value (required) --lock-required Require a resource lock to access the resource to ensure it can only be used by one user at a time. --password value (required, secret) --port value (default: 3389) --port-override value Port on which to listen for connections to this resource on clients. Specify "-1" to automatically allocate an available port. (default: -1) --proxy-cluster-id value proxy cluster id --secret-store-id value secret store id --subdomain value, --bind-subdomain value DNS subdomain through which this resource may be accessed on clients (e.g. "app-prod" allows the resource to be accessed as "app-prod.."). Only applicable to HTTP-based resources or resources using virtual networking mode. --tags value tags e.g. 'key=value,...' --template, -t display a JSON template --timeout value set time limit for command --username value (required, secret) ``` 3. Run `sdm admin servers add rdp ` to add the resource in StrongDM Set all required properties with their values. For example: ``` sdm admin servers add rdp "windows-rdp-prod-01" --hostname "win-server01.acme.internal" --port 3389 --username "CORP\\rdp_user" --password "SuperSecretP@ssw0rd" --bind-interface "default" --port-override -1 --egress-filter 'field:name tag:env=prod tag:region=us-west' --proxy-cluster-id "plc_0123456789abcdef" --secret-store-id "ss_abcdef0123456789" --downgrade-nla-connections --tags "env=prod,role=win,team=infra" --timeout 30 ``` 1. Note that the `--username` and `--password` options apply only when configuring an RDP server that uses standard username/password authentication. \ If you configure the server to use Identity Aliases for RDP password authentication, do not set these fields directly. Instead, set the `username (path)` and `password (path)` properties to reference your external Secret Store and include the `$SDM_USERNAME` variable. For example: ``` Username (path): path/to/user/$SDM_USERNAME?key=username Password (path): path/to/user/$SDM_USERNAME?key=password ``` \ The `$SDM_USERNAME` variable is replaced at runtime with the user’s Identity Alias, allowing StrongDM to retrieve that user’s credentials securely from the Secret Store. 4. Check that the resource has been added. The output of the following command should show the resource's name: ``` sdm admin resources list ``` {% endtab %} {% tab title="Terraform" %} **Set up and Manage With Terraform** This section provides an example of how to configure and manage the resource using the Terraform provider. For more information and examples, please see the [Terraform provider](https://github.com/strongdm/terraform-provider-sdm) documentation. ``` # Install StrongDM provider terraform { required_providers { sdm = { source = "strongdm/sdm" version = "16.5.0" } } } # Configure StrongDM provider provider "sdm" { # Add API access key and secret key from the Admin UI api_access_key = "njjSn...5hM" api_secret_key = "ziG...=" } # Create RDP (Password) server (username and password) resource "sdm_resource" "windows_rdp_prod_01" { rdp { # Required name = "windows-rdp-prod-01" # hostname = "win-server01.acme.internal" # --hostname port = 3389 # --port (default 3389) username = "CORP\\rdp_user" # --username password = "SuperSecretP@ssw0rd" # --password (use a secret store in prod) # Common networking options bind_interface = "default" # --bind-interface ("default" | "loopback" | "vnm") port_override = -1 # --port-override (-1 = auto-allocate) egress_filter = "field:name tag:env=prod tag:region=us-west" # --egress-filter subdomain = "rdp-prod01" # --subdomain (applies with virtual networking) # Connection behavior downgrade_nla_connections = true # --downgrade-nla-connections (only if needed) # Optional integrations proxy_cluster_id = "plc_0123456789abcdef" # --proxy-cluster-id secret_store_id = "ss_abcdef0123456789" # --secret-store-id # Tags tags = { # --tags env = "prod" role = "win" team = "infra" } } } ## Create RDP (Password) server (Identity Aliases with username and password paths) resource "sdm_resource" "windows_rdp_identity_alias" { rdp { name = "windows-rdp-identity-alias" hostname = "win-server01.acme.internal" port = 3389 authentication = "identity_aliases" secret_store_id = "ss_abcdef0123456789" ## Note: $SDM_USERNAME is replaced at runtime with the user’s Identity Alias. ## Each user’s credentials must be stored in the connected Secret Store ## under a secret named after that Identity Alias. username_path = "path/to/user/$SDM_USERNAME?key=username" password_path = "path/to/user/$SDM_USERNAME?key=password" tags = { env = "prod" team = "infra" } } } ``` {% endtab %} {% tab title="SDKs" %} **Set up and Manage With SDKs** In addition to the Admin UI, CLI, and Terraform, you may configure and manage your resource with any of the following SDK options: Go, Java, Python, and Ruby. Please see the following references for more information and examples. | Language | Reference | GitHub | Examples | | ------------- | ------------------------------------------------------------------------ | ---------------------------------------------------------------------- | ------------------------------------------------------------------------------- | | Go | [pkg.go.dev](https://pkg.go.dev/github.com/strongdm/strongdm-sdk-go/v16) | [strongdm-sdk-go](https://github.com/strongdm/strongdm-sdk-go) | [Go SDK Examples](https://github.com/strongdm/strongdm-sdk-go-examples) | | Java | [javadoc](https://strongdm.github.io/strongdm-sdk-java-docs/) | [strongdm-sdk-java](https://github.com/strongdm/strongdm-sdk-java) | [Java SDK Examples](https://github.com/strongdm/strongdm-sdk-java-examples) | | Python | [pdocs](https://strongdm.github.io/strongdm-sdk-python-docs/) | [strongdm-sdk-python](https://github.com/strongdm/strongdm-sdk-python) | [Python SDK Examples](https://github.com/strongdm/strongdm-sdk-python-examples) | | Ruby | [RubyDoc](https://www.rubydoc.info/gems/strongdm) | [strongdm-sdk-ruby](https://github.com/strongdm/strongdm-sdk-ruby) | [Ruby SDK Examples](https://github.com/strongdm/strongdm-sdk-ruby-examples) | | {% endtab %} | | | | | {% endtabs %} | | | | ## Resource properties Configuration properties are visible when you add a **Resource Type** or when you click to view the server's settings. The following table describes the settings available for your RDP (Password) server.
PropertyRequirementDescription
Display NameRequiredMeaningful name to display the resource throughout StrongDM; exclude special characters like quotes (") or angle brackets (< or >)
Server TypeRequiredRDP
Proxy ClusterRequiredDefaults to "None (use gateways)"; if using proxy clusters, select the appropriate cluster to proxy traffic to this resource
HostnameRequiredIP/DNS address used to connect to the resource from your gateway or relay (for example, windows-server.strongdm.com)
PortOptionalPort on the target server that is listening for RDP connections; default port value 3389
Connectivity ModeRequiredSelect either Virtual Networking Mode, which lets users connect to the resource with a software-defined, IP-based network; or Loopback Mode, which allows users to connect to the resource using the local loopback adapter in their operating system; this field is shown if Virtual Networking Mode enabled for your organization
IP AddressOptionalIf Virtual Networking Mode is the selected connectivity mode, an IP address value in the configured Virtual Networking Mode subnet in the organization network settings; if Loopback Mode is the selected connectivity mode, an IP address value in the configured Loopback IP range in the organization network settings (by default, 127.0.0.1); if not specified, an available IP address in the configured IP address space for the selected connectivity mode will be automatically assigned; this field is shown if Virtual Networking Mode and/or multi-loopback mode is enabled for your organization
Port OverrideOptionalIf Virtual Networking Mode is the selected connectivity mode, a port value between 1 and 65535 that is not already in use by another resource with the same IP address; if Loopback Mode is the selected connectivity mode, a port value between 1024 to 64999 that is not already in use by another resource with the same IP address; when left empty with Virtual Networking Mode, the system assigns the default port to this resource; when left empty for Loopback Mode, an available port that is not already in use by another resource is assigned; preferred port also can be modified later from the Port Overrides settings
DNSOptionalIf Virtual Networking Mode is the selected connectivity mode, a unique hostname alias for this resource; when set, causes the desktop app to display this resource's human-readable DNS name (for example, k8s.my-organization-name) instead of the bind address that includes IP address and port (for example, 100.64.100.100:5432)
Secret StoreOptionalCredential store location; defaults to none (credentials are stored in StrongDM resource configuration)
AuthenticationRequiredSelect Leased Credentials (default) or Identity Aliases
UsernameRequiredEnter the username the relay should utilize to connect to the server via RDP (for example, mydomain\administrator)
PasswordRequiredEnter the password for the provided username
Username (path)RequiredPath to the secret in your Secret Store location (for example, path/to/credential?key=optionalKeyName where key argument is optional).

When using Identity Aliases with Active Directory managed secrets and a secret store, the path must be set in the format path/to/user/$SDM_USERNAME?key=username, with the $SDM_USERNAME variable set as shown. The variable points to the username/password in Active Directory, and it gets replaced by the Identity Alias of the user that is trying to connect. See also Password (path), which must be set in the same way.
Password (path)RequiredPath to the secret in your Secret Store location (for example, path/to/credential?key=optionalKeyName where key argument is optional); required when using a non-StrongDM Secret Store type.

When using Identity Aliases with Active Directory managed secrets and a secret store, the path must be set in the format path/to/user/$SDM_USERNAME?key=password), with the $SDM_USERNAME variable set as shown. The variable points to the username/password in Active Directory, and it gets replaced by the Identity Alias of the user that is trying to connect. See also Username (path), which must be set in the same way.
Downgrade NLA ConnectionsOptionalWhen downgraded, StrongDM cannot verify usernames and passwords for Remote Desktop connections
Resource Lock RequiredRequiredEnables a resource lock, which can lock access the resource to ensure it can only be used by one user at a time; defaults to disabled
Resource TagsOptionalResource Tags consisting of key-value pairs <KEY>=<VALUE> (for example, env=dev)
{% hint style="warning" %} The password cannot be validated by the healthcheck. A green healthcheck for this resource indicates network reachability only. {% endhint %} ## Use Identity Aliases for RDP Password Authentication You can use **Identity Sets** and **Identity Aliases** to authenticate users to RDP (Password) servers with password-based authentication. This allows each user to log in with their own credentials that are securely stored in a connected secret store. To configure Identity Alias authentication for an RDP (Password) server, follow these steps: 1. In the [resource properties](#resource-properties), set **Authentication** to **Identity Aliases**. 2. Choose the **Identity Set** you want to use (for example, `default`). 3. Select your secret store. 4. Set the **username (path)** and **password (path)** to include the `$SDM_USERNAME` variable. The variable is replaced at runtime with the user’s Identity Alias. * **Username (path):** `path/to/user/$SDM_USERNAME?key=username` * **Password (path):** `path/to/user/$SDM_USERNAME?key=password` {% hint style="info" %} In the secret paths, the `?key=username` and `?key=password` parameters are applicable to Active Directory and HashiCorp Vault secrets. For other secrets, those key parameters may be different. {% endhint %} 5. If secrets don't already exist in your Secret Store, create a secret for each Identity Alias, including the fields you are checking for in the resource configuration (for example, `username` and `password`). When a user connects, StrongDM retrieves their credentials from the secret store using their Identity Alias and authenticates to the RDP (Password) server automatically. For more information on supported secret engines and configuration, see [Secrets Management](https://docs.strongdm.com/admin/secrets). ## Windows Network Level Authentication (NLA) Windows NLA is a security protocol used by the Remote Desktop Service. When enabled, it completes additional client-side verifications. Moreover, StrongDM will automatically detect and use Windows NLA if it is enabled. However, some variations of NLA are not supported. For example, you may encounter error messages such as the following in your `sdm.log` file: ```txt cannot extract server's sent public key: failed to handshake tls conn: read tcp4 172.22.64.180:35118->172.22.20.44:3389: read: connection reset by peer" cannot complete server NLA authentication: cannot parse ntlm echo packet: cannot read class byte: remote error: tls: internal error ``` Users may also see similar errors when trying to connect to RDP servers. ### Disable NLA for compatibility with older CLI versions If users of your organization's RDP resource(s) are using a StrongDM CLI version less than 46.60.0 you may need to disable NLA on the RDP server(s). This requires two minor configuration changes to the resource and to your StrongDM organization. 1. On the Windows resource the setting **Require devices to use NLA to connect** needs to be disabled. 2. The StrongDM Support team must then enable a setting for your organization manually. ## Test the Connection 1. In the Admin UI, locate the newly added RDP resource and inspect its Health status — when green, StrongDM’s relay/gateway successfully reached the host. 2. In the StrongDM desktop app or CLI, initiate a connection to the RDP resource. 3. On the Windows host, log in using the configured username, and then check for a successful session (for example, use Task Manager or session logs). 4. Review Windows Event Viewer (under Applications & Services Logs > Microsoft > Windows > TerminalServices-LocalSessionManager) to confirm the RDP login event triggered by StrongDM’s node. 5. If the resource remains unhealthy or users cannot connect: * Verify that the hostname/IP and port are correct and reachable from your node. * Confirm the Windows host allows RDP login for the configured user account and that the password is correct. * Check that the Windows host has TLS encryption enabled for RDP (not only native RDP encryption). * Inspect Windows logs and network firewalls for denials or connection resets. * Check if NLA is configured and whether your StrongDM client version supports it. If you encounter issues, please consult the [StrongDM Help Center](https://help.strongdm.com/hc/en-us). --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.strongdm.com/admin/resources/servers/rdp.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.