SSO between Enterprise Client and ECS

Forum / NoMachine Cloud Server Products / SSO between Enterprise Client and ECS

Tagged: 

Viewing 7 posts - 1 through 7 (of 7 total)
  • Author
    Posts
  • February 28, 2025 at 19:33 #51978
    Steve92
    Participant

    Hello,

    I don’t find many info about how to get SSO between “Enterprise Client” and ECS… 🙁

    “Enterprise Client” is on a Windows 11 PC (without admin rights).

    ECS is on a RHEL9.4 server.

    Authentication is done with a smartcard and a PIN or a user/password pair in an Active Directory.

    ECS is connected to the same AD, I can get a ticket with kinit for my user/password.

    How can I get SSO with this environment ?

    = login to ECS without typing again user/password .

    Any detailed documentation ?

    Thanks!

    Regards,

    Steve.

     

     

    March 4, 2025 at 12:13 #52062
    Guro
    Contributor

    hello

    “Authentication is done with a smartcard and a PIN or a user/password pair in an Active Directory.

    ECS is connected to the same AD, I can get a ticket with kinit for my user/password.”

    We can recommend use kerberos authentication as client and server host in same ad domain.

    You need enable kerberos authentication on server by edit /usr/NX/etc/server.cfg and update keys

    #EnableNXKerberosAuthentication 0

    to

    EnableNXKerberosAuthentication 1

    Please ensure that AD user is correctly seen on server host:

    if commands: id ,  getent passwd | grep , su

    correctly list/switch on user. More details for kerberos authentication are available in https://kb.nomachine.com/DT07S00230

    Thanks

    March 6, 2025 at 18:42 #52131
    Steve92
    Participant

    Hi
    All settings are in Windows 11 registry.(No krk5… Files)
    I suppose I’ve to use ksetup ?

    Thanks
    Steve

    March 12, 2025 at 08:49 #52207
    Steve92
    Participant

    Hi
    Any idea ?

    March 13, 2025 at 08:24 #52234
    Guro
    Contributor

    Hello

    there is no need for krb5 files. If you have kerberos ticket for windows, you can use select prefered library ‘Microsoft SSPI’ and if your user has kerberos ticket after Windows login, then this ticket might be used by NoMachine,

    thanks

    March 14, 2025 at 17:21 #52271
    Steve92
    Participant

    Hi!

    When I  try to connect ECS from Enterprise Client with Kerberos MS SSPI, I get this error in session log.

    What could be the prob’ ?

    Thanks,

    Steve.

    —–

    sspi_init_sec_context_test: Authentication mechanism ‘Kerberos’ is not supported.

    ssh_sspi_error: The target was not recognized.

    ssh_sspi_error: The requested security package does not exist.

    ssh_sspi_error: The requested security package does not exist.

    ssh_sspi_indicate_mech: ERROR! No more mechanisms.

    12612 14116 17:08:09 620 NXGssapiPrepareMech: ERROR! Cannot indicate mech.

    ialized session at 0x0000000003cf10a0.

    12128 5448 2025-03-14 17:07:43 513.591 ClientSession: Starting session at 0x0000000003cf10a0.

    12128 5448 2025-03-14 17:07:43 515.416 ClientSession: Going to start session ‘C:\Users\xyz\Documents\NoMachine\ECS RIE KERB.nxs’.

    12128 5448 2025-03-14 17:07:43 532.196 Connection: Initializing connection at 0x0000000007786370.

    12128 5448 2025-03-14 17:07:43 537.183 Connection: Initialized connection at 0x0000000007786370.

    12128 5448 2025-03-14 17:07:43 537.183 Connection: Starting connection at 0x0000000007786370.

    12128 5448 2025-03-14 17:07:43 537.183 ClientDaemonConnector: Starting a new connection to host ‘w.x.y.z’ on port ‘4000’.

    12128 5448 2025-03-14 17:07:43 538.672 Connection: Started connection at 0x0000000007786370.

    12128 5448 2025-03-14 17:07:43 538.672 ClientSession: Started session at 0x0000000003cf10a0.

    Info: Slave server running with pid 16608.

    Info: Listening to slave connections on port 35299.

    Info: Connection to w.x.y.z port 4000 started at 17:07:43 553.232.

    12128 5448 2025-03-14 17:07:43 555.304 Main: Entering the GUI event loop.

    12128 14132 2025-03-14 17:07:44 841.855 ClientSession: A valid certificate for this server was found.

    12128 14132 2025-03-14 17:08:09 620.348 DaemonLogin/DaemonLogin: ERROR! Gss oid not specified.

    Error: Gss oid not specified.

    12128 19952 2025-03-14 17:08:09 623.362 DaemonClientApplication/DaemonClientApplication: WARNING! Session terminated abnormally.

    12128 19952 2025-03-14 17:08:09 623.362 DaemonClientApplication/DaemonClientApplication: WARNING! Error is 22, ‘Invalid argument’.

    Warning: Connection to w.x.y.z port 4000 failed at 17:08:09 623.362.

    Warning: Error is 22, ‘Invalid argument’.

    12128 5448 2025-03-14 17:08:09 624.553 Connection: Connection at 0x0000000007786370 failed.

    12128 5448 2025-03-14 17:08:09 624.553 ClientSession: Runnable at 0x0000000007786370 caused the session at 0x0000000003cf10a0 to fail.

    12128 5448 2025-03-14 17:08:09 624.553 ClientSession: Failing reason is ‘Impossible de se connecter au serveur.

    L’erreur est 22 : Argument non valable’.

    12128 5448 2025-03-14 17:08:09 636.440 ClientSession: Stopping session at 0x0000000003cf10a0.

    12128 5448 2025-03-14 17:08:09 659.110 ClientSession: Destroying display client.

     

    March 19, 2025 at 21:05 #52358
    Guro
    Contributor

    Hello
    please send server and client side logs of kerberos errors to as for more detailed test.

    Usually problems relate to correct configuration. as alternate you can try use ssh connection protocol,

    please don’t forget enable EnableNXKerberosAuthentication 1, on server configure file.

    As you also have smartcard/PIN authentication, you also can extract public key from smartcard and register on server side as authorized_keys. for more details might be in:

    https://kb.nomachine.com/DT11R00187

    Thanks

  • Author
    Posts
Viewing 7 posts - 1 through 7 (of 7 total)

You must be logged in to reply to this topic. Please login .