Active Directory authentication


Nexthink supports the authentication of users via Active Directory services. Microsoft Active Directory (AD) is currently used as the authoritative user directory in a vast number of organizations, controlling the authentication and the access rights of users.

The benefits of integrating Nexthink with the AD services include the following:

  • Users need only one login and password (no need for a dedicated Nexthink account).
  • Administrators can take advantage of the password policy defined in AD.

For a better user experience, Nexthink recommends combining AD authentication with Windows authentication, so that users can log in to Nexthink without having to retype their Windows credentials.

How authentication via AD works

To enable AD authentication in Nexthink, provide the user logon in the form [email protected] when creating their account in Nexthink. Make sure that the AD account exists before adding it to Nexthink.

The user logon must be composed of the sAMAccountName of the user, followed by the domain or realm, with the two separated by the @ character. Note that the older Windows logon format DOMAIN\username is not supported. Note as well that if a user has a User Principal Name (UPN) whose user logon name differs from the sAMAccountName, you still need to use the sAMAccountName when manually configuring the user's Nexthink account; otherwise, AD authentication will not work.

For example, if the sAMAccountName of user John Wick is jwick and he has been assigned the user logon name (UPN prefix) john.wick, configure his Nexthink account with the first logon only:

Beware that the account name part of the UPN is case sensitive. Thus, specify exactly the same name in Nexthink as it is registered in the AD, respecting the case. Nexthink uses the suffix part to resolve the name of the AD server ( in the example above), also known as the domain controller.

Once added to Nexthink, users can log in to the Finder or the Portal using their AD accounts. During Finder login, the AD credentials provided by the user are forwarded to the Portal back-end using an encrypted channel. In the case of Portal login, the browser itself sends the AD credentials provided by the user to the Portal back-end. The Portal back-end is then responsible for contacting the AD server to authenticate the user.


Requirements for AD authentication

Allowed characters in user names

Use only printable characters in user names. The space and the following symbols are not allowed inside a user name:


Alternate UPN suffixes

Since Nexthink uses the UPN suffix to resolve the name of the AD server, you must use fully qualified domain names in the UPN of users. Alternate UPN suffixes defined by administrators do not work.

For instance, if the fully qualified domain name of a department inside a company is, an administrator may create an alternate UPN suffix that is easier to memorize and quicker to type. A user in that department may thus log in to Windows using either:

However, the user cannot log in to the Finder or the Portal using the shorter UPN suffix: neither the Engine nor the Portal knows about alternate UPN suffixes. You must use the fully qualified domain name version as the user account in Nexthink.
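The rules in the two passages above (sAMAccountName@FQDN, no DOMAIN\username, sAMAccountName rather than the UPN prefix, case-sensitive account part, no alternate UPN suffix) are easy to get wrong when accounts are created by hand. The following validator is an added example, not Nexthink code: it takes a logon string as it would be typed into a Nexthink account and reports which rule it breaks. The AdUser record, the directory contents and the domain names are constructed stand-ins for what you would export from AD; the page's own example user (jwick / john.wick) is reused, the domain sales.corp.example.com and the alternate suffix "sales" are assumed.

```python
"""Validate user logons for Nexthink AD authentication (added example, not Nexthink code)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class AdUser:
    """Constructed stand-in for the AD attributes the check needs."""
    sam_account_name: str   # e.g. "jwick"
    upn: str                # e.g. "john.wick@sales.corp.example.com" (prefix may differ)
    dns_domain: str         # fully qualified DNS name of the user's domain (assumed export)


# Constructed directory: the page's example user in an assumed domain.
DIRECTORY: dict[str, AdUser] = {
    "jwick": AdUser("jwick", "john.wick@sales.corp.example.com", "sales.corp.example.com"),
}
# Constructed set of alternate UPN suffixes defined by the forest administrator.
ALT_SUFFIXES: set[str] = {"sales"}


def nexthink_logon_for(user: AdUser) -> str:
    """The logon Nexthink expects: sAMAccountName, '@', fully qualified domain name."""
    return f"{user.sam_account_name}@{user.dns_domain}"


def validate_logon(logon: str, users: dict[str, AdUser], alt_suffixes: set[str]) -> tuple[bool, str]:
    """Return (ok, reason) for a candidate Nexthink logon.

    `users` is keyed by sAMAccountName in its exact AD case; `alt_suffixes`
    lists alternate UPN suffixes, which Nexthink cannot resolve to a DC.
    """
    if "\\" in logon:
        return False, "DOMAIN\\username format is not supported; use account@fqdn"
    if not logon.isprintable() or " " in logon:
        return False, "only printable, non-space characters are allowed"
    if logon.count("@") != 1:
        return False, "logon must contain exactly one '@' between account and domain"
    account, suffix = logon.split("@")
    if not account or not suffix:
        return False, "both the account part and the domain part are required"
    if suffix in alt_suffixes:
        return False, f"'{suffix}' is an alternate UPN suffix; use the fully qualified domain name"
    if "." not in suffix:
        return False, "domain part must be a fully qualified DNS name"
    user = users.get(account)
    if user is None:
        # Exact-case lookup failed: distinguish a case mismatch from the UPN-prefix mistake.
        for sam in users:
            if sam.lower() == account.lower():
                return False, f"account part is case sensitive: AD has '{sam}'"
        for sam, candidate in users.items():
            if candidate.upn.split("@")[0] == account:
                return False, f"'{account}' is the UPN prefix; use the sAMAccountName '{sam}'"
        return False, "no AD account with this sAMAccountName; create it in AD first"
    if suffix != user.dns_domain:
        return False, f"domain part must be '{user.dns_domain}'"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("jwick@sales.corp.example.com", "SALES\\jwick",
                      "john.wick@sales.corp.example.com", "jwick@sales", "JWick@sales.corp.example.com"):
        print(candidate, "->", validate_logon(candidate, DIRECTORY, ALT_SUFFIXES))
```

Run it before bulk-creating accounts: every rejected candidate carries the reason, and the case-sensitivity hint is the one most often missed because Windows itself accepts either case.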

To find the full logon name of a user who is logged in to Windows, open the Finder and tick the box Use Windows authentication in the login dialog. The retrieved user name is the actual full name of the user.

Connectivity with AD server

For the Portal to be able to connect with the AD server, the appropriate ports must be open in the appliances on which they run.

  • UDP 53 for DNS.
  • TCP 389 and TCP 636 for non-secure and secure LDAP connections to the AD server.

Time synchronization

Because of the technique used for authenticating users, the clock of the Portal must be synchronized with the clock of the AD server. The configuration of the AD server may nevertheless specify a tolerance for clock discrepancy; a difference of at most 5 minutes is generally accepted by default.
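A small pre-flight script covering the two requirements above (reachability of the AD server on the LDAP ports, and clock skew within the tolerance) is shown below as an added example; it is not a Nexthink tool. It assumes that the AD domain's DNS name resolves to domain controller addresses (standard AD DNS registration, which needs the UDP 53 path from the appliance), that the DC answers on TCP 389/636, and that the server's time is read from the DC's rootDSE currentTime attribute, whose GeneralizedTime format (for example 20240301120000.0Z, a constructed value) the parser below handles; how you fetch that attribute is left to your LDAP client.

```python
"""Pre-flight checks for Portal-to-AD connectivity and clock skew (added example, not Nexthink code)."""
from __future__ import annotations

import socket
import sys
from datetime import datetime, timedelta, timezone

LDAP_PORTS = {389: "LDAP", 636: "LDAPS"}   # from the connectivity requirements
MAX_SKEW = timedelta(minutes=5)            # default tolerance stated on the page


def resolve_dcs(domain: str) -> list[str]:
    """Resolve the AD domain name to DC addresses through the system resolver (UDP 53)."""
    try:
        infos = socket.getaddrinfo(domain, None, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True when a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def parse_ad_generalized_time(value: str) -> datetime:
    """Parse the rootDSE currentTime format (YYYYMMDDHHMMSS.0Z) into an aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%S.0Z").replace(tzinfo=timezone.utc)


def clock_skew(local: datetime, remote: datetime) -> timedelta:
    """Absolute difference between two timezone-aware timestamps."""
    return abs(local - remote)


def skew_ok(local: datetime, remote: datetime, tolerance: timedelta = MAX_SKEW) -> bool:
    """True when the skew is within the DC's accepted tolerance."""
    return clock_skew(local, remote) <= tolerance


def preflight(domain: str, dc_time: str | None = None) -> dict[str, object]:
    """Build a report (no printing, so callers can assert on it).

    dc_time is the rootDSE currentTime string read from the DC, if available.
    """
    report: dict[str, object] = {"domain": domain, "dcs": [], "ports": {}, "skew_ok": None}
    dcs = resolve_dcs(domain)
    report["dcs"] = dcs
    report["ports"] = {dc: {port: tcp_reachable(dc, port) for port in LDAP_PORTS} for dc in dcs}
    if dc_time is not None:
        remote = parse_ad_generalized_time(dc_time)
        report["skew_ok"] = skew_ok(datetime.now(timezone.utc), remote)
    return report


if __name__ == "__main__":
    # Usage: python preflight.py sales.corp.example.com [20240301120000.0Z]
    domain = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(preflight(domain, sys.argv[2] if len(sys.argv) > 2 else None))
```

If resolve_dcs returns nothing, fix DNS from the appliance first; a DC that is resolvable but unreachable on 636 only means LDAPS will not work, while a failed skew check points at NTP on the appliance rather than at AD.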

Encryption methods

Nexthink supports the following encryption methods:

  • AES (128 bits)
  • RC4-HMAC

On the other hand, DES encryption (legacy for Windows 98) is not supported.

Finder session saving

The Finder allows saving sessions and user credentials, and this applies to AD credentials as well. If the user chooses to additionally save the password, the Finder stores only a hash of the password for security reasons.

Related references