Skip to main content
Skip table of contents

Canonical domain names for Windows authentication


Thanks to Windows authentication (SSO), Nexthink users can conveniently log in either to the Portal or to the Finder without the need to type in their credentials each time.

When configuring Windows authentication for Nexthink, ensure that you set the canonical name of your domain (and not an alias) as the Service Principal Name which associates the service instance to the service logon account of Nexthink (nxtPortalSSO). Failing to do so results in users not able to log in through Windows authentication.

DNS zones and resource records

DNS zones map domain names to IP addresses and other resources. Each resource record in a DNS zone defines a single mapping. We focus our attention on two types of records:

  • Type A records, which map a domain name to an IP address.

  • Type CNAME records, which define a domain name that is an alias for another domain name (the canonical name).

Let us consider an example of a DNS zone with two resource records. It is a Forward Lookup Zone whose name is, which is the suffix of all the hosts in the zone. The DNS snap-in of the Administrative Tools of Windows Server shows the resource records as follows:





Host (A)


Alias (CNAME)

The first resource record in the zone, portal, is a record of type A. The record maps the name to the IP address If this host provides the authentication service, is the canonical name that you must set as Service Principal Name to properly configure Windows authentication for Nexthink.

The second resource record in the zone, myportal, is a record of type CNAME. The record defines an alias for that is called While the alias myportal can replace the canonical name portal in many contexts, it is not suitable for configuring Windows authentication in Nexthink.


JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.