diff --git a/client/common/cmdline.c b/client/common/cmdline.c
index cfbdb5aa2..29d964f59 100644
--- a/client/common/cmdline.c
+++ b/client/common/cmdline.c
@@ -125,6 +125,7 @@ COMMAND_LINE_ARGUMENT_A args[] =
 { "pcb", COMMAND_LINE_VALUE_REQUIRED, "", NULL, NULL, -1, NULL, "Preconnection Blob" },
 { "pcid", COMMAND_LINE_VALUE_REQUIRED, "", NULL, NULL, -1, NULL, "Preconnection Id" },
 { "spn-class", COMMAND_LINE_VALUE_REQUIRED, "", NULL, NULL, -1, NULL, "SPN authentication service class" },
+ { "credentials-delegation", COMMAND_LINE_VALUE_BOOL, NULL, BoolValueFalse, NULL, -1, NULL, "Disable credentials delegation" },
 { "vmconnect", COMMAND_LINE_VALUE_OPTIONAL, "", NULL, NULL, -1, NULL, "Hyper-V console (use port 2179, disable negotiation)" },
 { "authentication", COMMAND_LINE_VALUE_BOOL, NULL, BoolValueTrue, NULL, -1, NULL, "authentication (hack!)" },
 { "encryption", COMMAND_LINE_VALUE_BOOL, NULL, BoolValueTrue, NULL, -1, NULL, "encryption (hack!)" },
@@ -1143,6 +1144,10 @@ int freerdp_client_settings_parse_command_line_arguments(rdpSettings* settings,
 {
 settings->AuthenticationServiceClass = _strdup(arg->Value);
 }
+ CommandLineSwitchCase(arg, "credentials-delegation")
+ {
+ settings->DisableCredentialsDelegation = arg->Value ? FALSE : TRUE;
+ }
 CommandLineSwitchCase(arg, "vmconnect")
 {
 settings->ServerPort = 2179;
diff --git a/include/freerdp/settings.h b/include/freerdp/settings.h
index 4ebb1bfa6..daa98623f 100644
--- a/include/freerdp/settings.h
+++ b/include/freerdp/settings.h
@@ -598,6 +598,7 @@ typedef struct _RDPDR_PARALLEL RDPDR_PARALLEL;
 #define FreeRDP_NegotiateSecurityLayer 1096
 #define FreeRDP_RestrictedAdminModeRequired 1097
 #define FreeRDP_AuthenticationServiceClass 1098
+#define FreeRDP_DisableCredentialsDelegation 1099
 #define FreeRDP_MstscCookieMode 1152
 #define FreeRDP_CookieMaxLength 1153
 #define FreeRDP_PreconnectionId 1154
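Review bot: The help string on the new `credentials-delegation` row of `args[]` (client/common/cmdline.c) reads "Disable credentials delegation", but the `CommandLineSwitchCase` hunk in the same file sets `DisableCredentialsDelegation = arg->Value ? FALSE : TRUE`, so a set value leaves delegation on and only the cleared form turns it off. Someone connecting to a host they do not fully trust can pick the wrong form of the switch from that text and still hand over credentials. Describing the feature rather than its negation, as the neighbouring `authentication` and `encryption` rows do (for example `"credentials delegation"`), removes the ambiguity. The `BoolValueFalse` default in the row should also be checked against the initial value of `DisableCredentialsDelegation`, which this diff does not show.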
@@ -950,7 +951,8 @@ struct rdp_settings
 ALIGN64 BOOL NegotiateSecurityLayer; /* 1096 */
 ALIGN64 BOOL RestrictedAdminModeRequired; /* 1097 */
 ALIGN64 char* AuthenticationServiceClass; /* 1098 */
- UINT64 padding1152[1152 - 1099]; /* 1099 */
+ ALIGN64 BOOL DisableCredentialsDelegation; /* 1099 */
+ UINT64 padding1152[1152 - 1100]; /* 1100 */
 /* Connection Cookie */
 ALIGN64 BOOL MstscCookieMode; /* 1152 */
diff --git a/libfreerdp/common/settings.c b/libfreerdp/common/settings.c
index 6ad75ef49..19bf5f784 100644
--- a/libfreerdp/common/settings.c
+++ b/libfreerdp/common/settings.c
@@ -654,6 +654,10 @@ BOOL freerdp_get_param_bool(rdpSettings* settings, int id)
 return settings->RestrictedAdminModeRequired;
 break;
+ case FreeRDP_DisableCredentialsDelegation:
+ return settings->DisableCredentialsDelegation;
+ break;
+
 case FreeRDP_MstscCookieMode:
 return settings->MstscCookieMode;
 break;
@@ -1122,6 +1126,10 @@ int freerdp_set_param_bool(rdpSettings* settings, int id, BOOL param)
 settings->RestrictedAdminModeRequired = param;
 break;
+ case FreeRDP_DisableCredentialsDelegation:
+ settings->DisableCredentialsDelegation = param;
+ break;
+
 case FreeRDP_MstscCookieMode:
 settings->MstscCookieMode = param;
 break;
diff --git a/libfreerdp/core/nla.c b/libfreerdp/core/nla.c
index f4f45561c..970652d4f 100644
--- a/libfreerdp/core/nla.c
+++ b/libfreerdp/core/nla.c
@@ -123,6 +123,9 @@ int credssp_ntlm_client_init(rdpCredssp* credssp)
 settings = credssp->settings;
 instance = (freerdp*) settings->instance;
+ if (settings->RestrictedAdminModeRequired)
+ settings->DisableCredentialsDelegation = TRUE;
+
 if ((!settings->Password) || (!settings->Username) || (!strlen(settings->Password)) || (!strlen(settings->Username)))
 {
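Review bot: Restricted admin mode now withholds credentials only because of the assignment added in `credssp_ntlm_client_init` (libfreerdp/core/nla.c); the two hunks in `credssp_encode_ts_credentials` test `DisableCredentialsDelegation` alone. If that flag is cleared afterwards, for example through the new `freerdp_set_param_bool` case, or the encoder is reached on a path that did not run this init, the saved identity lengths would be encoded even though `RestrictedAdminModeRequired` is set. Keeping the old condition as a fallback in the encoder, `if (credssp->settings->DisableCredentialsDelegation || credssp->settings->RestrictedAdminModeRequired)`, keeps the guarantee next to the code that writes the credentials. The added `if` would also read better with braces and a comment such as `/* restricted admin mode must never delegate credentials */`; the function body continues outside the hunk.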
@@ -998,7 +1001,7 @@ void credssp_encode_ts_credentials(rdpCredssp* credssp)
 UserLength = credssp->identity.UserLength;
 PasswordLength = credssp->identity.PasswordLength;
- if (credssp->settings->RestrictedAdminModeRequired)
+ if (credssp->settings->DisableCredentialsDelegation)
 {
 credssp->identity.DomainLength = 0;
 credssp->identity.UserLength = 0;
@@ -1008,10 +1011,10 @@ void credssp_encode_ts_credentials(rdpCredssp* credssp)
 length = ber_sizeof_sequence(credssp_sizeof_ts_credentials(credssp));
 sspi_SecBufferAlloc(&credssp->ts_credentials, length);
- s = Stream_New(credssp->ts_credentials.pvBuffer, length);
+ s = Stream_New((BYTE*) credssp->ts_credentials.pvBuffer, length);
 credssp_write_ts_credentials(credssp, s);
- if (credssp->settings->RestrictedAdminModeRequired)
+ if (credssp->settings->DisableCredentialsDelegation)
 {
 credssp->identity.DomainLength = DomainLength;
 credssp->identity.UserLength = UserLength;
diff --git a/libfreerdp/core/settings.c b/libfreerdp/core/settings.c
index 316d90d42..5db64acdb 100644
--- a/libfreerdp/core/settings.c
+++ b/libfreerdp/core/settings.c
@@ -618,6 +618,7 @@ rdpSettings* freerdp_settings_clone(rdpSettings* settings)
 _settings->Authentication = settings->Authentication; /* 1092 */
 _settings->NegotiateSecurityLayer = settings->NegotiateSecurityLayer; /* 1096 */
 _settings->RestrictedAdminModeRequired = settings->RestrictedAdminModeRequired; /* 1097 */
+ _settings->DisableCredentialsDelegation = settings->DisableCredentialsDelegation; /* 1099 */
 _settings->MstscCookieMode = settings->MstscCookieMode; /* 1152 */
 _settings->SendPreconnectionPdu = settings->SendPreconnectionPdu; /* 1156 */
 _settings->IgnoreCertificate = settings->IgnoreCertificate; /* 1408 */
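Review bot: In the second hunk of `credssp_encode_ts_credentials` (libfreerdp/core/nla.c), the results of `sspi_SecBufferAlloc` and `Stream_New` are not checked before `credssp_write_ts_credentials(credssp, s)` writes through `s`, as far as the visible lines show. The commit edits the `Stream_New` line only to add the `(BYTE*)` cast, so it is a natural place to add `if (!credssp->ts_credentials.pvBuffer)` and `if (!s)` guards. Any early exit taken there has to restore the saved `DomainLength`, `UserLength` and `PasswordLength` first, because the first hunk zeroes them while delegation is disabled. The function begins and ends outside both hunks.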