Enabling Windows authentication of users

Overview

Windows authentication lets Nexthink users comfortably log in to both the Portal and the Finder by securely using their Windows logon information, without requiring the users to type in their credentials again (single sign-on).

For Windows authentication to work, the following prerequisites must be fulfilled:

  • The Portal must have a proper external DNS name (not an IP address as name).

  • The user must have been created in Nexthink as an Active Directory user.

  • Multiple domain configurations are supported.

  • The domain controller must run one of the following operating systems:

    • Windows Server 2019 and Windows Server, version 1809

    • Windows Server 2016 and Windows Server, version 1709

    • Windows Server 2012 R2

    • Windows Server 2008 R2

The example configuration in this article is provided for illustration purposes only. For more information on Active Directory and the command-line tools to configure it, please consult Microsoft documentation or contact Microsoft support.

The operations described in this article should only be performed by a Nexthink Engineer or a Nexthink Certified Partner.

If you need help or assistance, please contact your Nexthink Certified Partner.

Domain configuration

To let the Portal connect to your domain controller and perform the authentication of users, you require:

  • A dedicated user account in Active Directory for the Portal.

  • A Service Principal Name.

  • The generation of a keytab file.

The Portal also acts on behalf of the Finder to perform Windows authentication; therefore, there is no need of additional configuration for the Finder. As enabling technology, the Portal makes use of Kerberos-based authentication.

For the sake of example, let us imagine that you want to enable Windows authentication within the following setup:

  • Domain name: example.com

  • External DNS name of the Portal: portal.example.com

  • Name of the Portal account in AD: nxtPortalSso

  • Password of the Portal account in AD: userPassword

Whenever any of these elements appears in the following instructions, substitute them for your own data. Pay attention to the letter case of the commands and names given in the instructions. Failing to respect the case will result in a misconfiguration of the service. For example, if the domain name is displayed as EXAMPLE.COM in the instructions, replace it by your own domain name in upper case.

To configure the domain controller:

  1. Log in to the domain controller as administrator.

  2. Click Start > Administrative Tools > Active Directory Users and Computers.

  3. Click the node of your domain (example.com).

  4. In the details pane, right-click the OU or CN in which to create the user account for the Portal.

  5. Select New > User from the context menu.

  6. In User logon name, type in nxtPortalSso. Fill in the other fields with values that let you easily identify the account as belonging to the Portal (their exact value is irrelevant).

  7. Click Next.

  8. In New Object - User, type userPassword in both the Password and Confirm password fields and set the following password properties:

    • User cannot change the password - true.

    • Password never expires - true.

  9. Click Next.

  10. In the Account tab of the user properties, set the following option:

    • This account supports Kerberos AES 256 bit encryption - true.

  11. Click Finish.

  12. Open a command line window.

  13. As the Service Principal Name (SPN), use the canonical host name of the Portal (DNS A record) and not an alias (or CNAME record). To create a new SPN, type in: setspn -S HTTP/portal.example.com nxtPortalSso

  14. To generate the keytab file, type in: ktpass -out .\nxtportal.keytab -princ HTTP/portal.example.com@EXAMPLE.COM -mapUser nxtPortalSso@EXAMPLE.COM -mapOp set -pass userPassword -crypto AES256-SHA1 -pType KRB5_NT_PRINCIPAL

Portal configuration

To enable Windows authentication in the Portal:

  1. Log in to the CLI of the Appliance hosting the Portal.

  2. Optional: If the Portal has no configuration file yet, that is, if portal.conf does not exist in folder /var/nexthink/portal/conf, create it by copying the defaults from the sample configuration file: sudo -u nxportal cp /var/nexthink/portal/conf/portal.conf.sample \ /var/nexthink/portal/conf/portal.conf

  3. Edit the configuration file of the Portal: sudo vi /var/nexthink/portal/conf/portal.conf

  4. Add the following lines in the Portal configuration file (again, pay attention to the letter case of the configuration settings): globalconfig.sso.enabled = true globalconfig.sso.realm = "EXAMPLE.COM" globalconfig.sso.service-name = "portal.example.com"

  5. In case of a multi-domain Active Directory, the following line should also be added (optional for single domain): globalconfig.sso.accepted-realms="EXAMPLE.COM,CHILD.EXAMPLE.LOCAL"

    • The domains are listed and separated by a comma.

    • Domain names cannot contain a comma.

    • Pay attention to the letter case of the configuration settings.

  6. Save your changes and exit by typing: :wq

  7. Copy the keytab file generated in the previous section to the Portal:

    1. Use your favorite SCP tool to copy the file nxtportal.keytab to the home directory of the nexthink account in the Portal.

    2. Log in to the CLI of the Portal and type in: sudo chown nxportal:nexthink nxtportal.keytabsudo chmod 600 nxtportal.keytabsudo mv nxtportal.keytab /var/nexthink/portal/conf/sso

  8. Restart the Portal: sudo systemctl restart nxportal

Browser configuration

To connect to the Portal using Windows authentication, the web browser must trust the URL of the Portal. According to your specific supported browser, follow one of the configuration instructions below.

Internet Explorer or Chrome

  1. Open the Control Panel.

  2. In the Network and Internet category, select Internet Options (or just click Internet options if you have a list view without categories).

  3. In the Security tab, select Local intranet.

    1. Click the Sites button.

    2. At the bottom of the dialog, click Advanced.

    3. Under Add this website to the zone:, type in the DNS name of the Portal: portal.example.com.

    4. Click Add and then Close.

  4. In the Advanced tab, scroll the Settings list.

    1. Under the Security section, tick the box Enable Integrated Windows Authentication*.

  5. Click OK.

If you do not have permissions to modify these options, contact your system administrator. Note that you need to restart the computer for the changes to take effect.

Firefox

  1. Open Firefox.

  2. In the address bar, type in about:config.

  3. Click the button at the bottom of the warning message to accept the risk of changing the configuration settings.

  4. In the Search box, look for the setting network.negotiate-auth.trusted-uris.

  5. Double-click the name of the property in the results of the search to change its value.

  6. Enter the DNS name of the Portal: portal.example.com.

  7. Click OK.


RELATED TASKS

RELATED REFERENCES

Last updated