Logging in to the Finder

To start working with the Finder, authenticate first as a valid user. Take advantage of single sign-on solutions if your administrator has enabled either SAML authentication or Windows authentication of users. Otherwise, if plain authentication via Active Directory is available in your setup, log in with your Windows credentials. Alternatively, if no external authentication mechanism is available, use the credentials of your own dedicated Nexthink account.

The login process starts by connecting the Finder to the Portal. From the Portal, the Finder retrieves first the list of available Engines within your view domain and finally connects to the Engine of your choice. Once connected, the Finder has access to the data stored both in the Engine and in the centralized content manager of the Portal; letting you visualize, organize, and query end-user data in a variety of ways.

Multi-factor authentication for local accounts overview

Multi-factor authentication (MFA) adds an extra layer of security to your Nexthink tenant by requiring local users to provide multiple forms of identification before granting access.

MFA includes the following components:

• Something the user knows, such as a password.

• A Time-Based One-Time Password (TOTP) that is generated by an application, such as Google Authenticator or Microsoft Authenticator.

The user must use both components during login.

Enable MFA to significantly enhance protection against unauthorized access, data breaches and identity theft. Use MFA to reduce the risk of credential theft, phishing attacks and brute force attacks, to safeguard user accounts and sensitive information on your platform. Overall, MFA is a crucial security feature that reinforces the integrity of your Nexthink tenant and ensures a safer user experience.

Configure MFA

Authenticator application is still available

Perform the following steps to reconfigure MFA when you still have access to the old authenticator application. For example, to transfer MFA from an existing mobile device to a new one.

1. Access the standard local login page.

2. Enter your username and password in the relevant fields.

3. Optional step. Select the Remember me checkbox to automatically fill in your username during the next login.

4. Select Sign in.

5. Enter the code provided by your original authenticator application.

6. Select Edit existing MFA setup.

7. Scan the QR code with your new authenticator application.

8. Enter the code provided by your new authenticator application.

9. Select Continue.

10. Select Finish when the code is validated and the setup is complete.

Authenticator application is unavailable

You can reconfigure MFA when you do not have access to the old authenticator application, for example, the mobile device is lost. In this case, contact your Nexthink administrator to run the following script; replace with your actual username, for example, admin:

/var/nexthink/portal/rsquery/resetMFA.py --resetmfa <username>

MFA is not set up for the currently active account

1. Install an authenticator application on your mobile device or on a computer that supports TOTPs, for example, Google Authenticator, Microsoft Authenticator, 1Password and so on.

2. Scan the QR code with your authenticator application.

3. Enter the code provided by your authenticator application.

4. Select Continue.

5. Select Finish when the code is validated and the setup is complete.

You can skip this procedure three times.

MFA is already set up for the currently active account

1. Enter the code provided by your authenticator application.

2. Select Sign in.

Quick connect

When you run the Finder for the first time, the login dialog appears in Quick connect mode, as indicated by its title at the top left corner of the dialog. Quick connect mode lets you specify all the necessary credentials to connect to any Portal. To log in to the Finder in Quick connect mode:

1. Fill in the Host : Port field with the DNS name or IP address of the Portal to which you want to connect, optionally followed by a colon and the port number where the Portal is listening for connections (by default, 443).

2. Depending on the authentication mechanisms available, choose one of the following:

   • If your administrator has enabled either SAML or Windows authentication of users, tick the box Use single sign-on.

   • If only internal or plain Active Directory authentication are available, enter your credentials manually:

     1. Type in your Username, which is the name of the user as registered in the Portal.

     2. Type in your Password.

3. Optional: Check the option Remember me to have the Host : Port and Username fields prefilled with the same data that you just typed the next time that you log in to the Finder from the same computer. The next login, you will just have to retype your password (if not externally managed).

4. Optional: Check the option Sign me in automatically for the login dialog to remember your password as well and skip the login step altogether the next time that you run the Finder from the same computer. Checking this option implies that the previous Remember me option is also checked. Administrators can disable this option.

5. Click Connect.

   • If SAML authentication is enabled and you have not logged in to your corporate account yet, the Finder will open your corporate login page on your default web browser. Log in with your corporate account as usual.

   • If the account is local and MFA is enabled on your appliance, the Finder will open the portal MFA login page on your default web browser. Enter the code provided by your authenticator application (or configure MFA if not already done).

   • Read also the Use MFA for local accounts section in the document Multi-factor authentication for local accounts overview on setting up MFA.

6. If more than one Engine within your view domain is available in the Portal, a list with all connected Engines shows up in the dialog Engine selection:

   • Click the name of an Engine to connect to it.

   • Click the star to the right of the name of an Engine to make that Engine your favorite. The next time that you log in to the Finder from the same computer, the step to select the Engine is skipped and you connect directly to your favorite Engine. You can later change your favorite Engine once you have logged in.

If the Finder cannot connect to the Portal or to the selected Engine, it aborts the login process and displays an error message with the reason for the failure. For warnings related to security certificates during the connection, see the section on certificate issues below.

Creating a session

In a multi-user or multi-Appliance environment (for example, an environment with test and production Appliances), you may have to log in to the Finder with distinct user accounts and connect to different Appliances from a single post. In these cases, to save you from typing the credentials every time that you have to log in to a different Appliance, store the credentials for distinct users and associated Appliances into sessions. Later, log in to the Finder faster by accessing your stored sessions.

To create a new session in the login dialog:

1. Click the +New button found at the top right corner of the login dialog. The login dialog turns into session creation mode, copying the information that you typed previously in Quick connect mode, if any, or from a previously selected session into the fields Host : Port and Username of the new session. Note that sessions do not store passwords by default. You can later specify to remember your password if you frequently use the same session.

2. Type in the DNS name or IP address of the Portal appliance, followed by a colon and the port number where the Portal is listening for connections in the field Host : Port. You can keep the copied value, if any.

3. Type in the name of the user to store in the session in the field Username. Again, you can keep the copied value, if the name of the user is not empty.

4. Optional: Change the name of the session that is displayed at the top of the dialog by clicking on it and typing an alternative name. By default, the name of the session is built from the name of the user and the Portal appliance in the form: Username on Host : Port.

5. Optional: If the system supports either SAML or Windows authentication, tick the box Use single sign-on and the Finder will let the external authentication mechanism manage the username and password. When using SAML or Windows authentication, specify a proper DNS name for the Portal (not an IP address) under Host:Port.

6. Click Create to save the session. The login dialog switches now to session mode.

Note that sessions are created locally in your instance of the Finder. Therefore, the sessions that you create in one computer are not automatically available when you try to log in to the Finder from another computer.

Using a session to log in

Once you have created one or more sessions, you can use them to quickly log in to different Engines. You only have to select the appropriate session and, eventually, enter your password. To log in from a saved session from the login dialog:

1. Click the down arrow in the top left tab of the login dialog, to the right of its title. A drop down list appears with the names of the saved sessions and the Quick connect option at the top.

2. Select one of the saved sessions. The user and Engine information stored in the session are displayed in the dialog. If you select Quick connect instead, you go back to Quick connect mode. Read the previous section on using the login dialog in Quick connect mode.

3. Type in your password, if needed (not needed if you previously told the Finder to remember or if using SAML or Windows authentication).

4. Optional: To store your password with the session information, check the option Remember password.

5. Optional: Check the option Sign me automatically to skip the login step altogether and start the connection to the Engine of the selected session as soon as you open the Finder. This option requires the Remember password option to be checked.

6. Click Connect or press Enter and the Finder starts to establish a connection to the chosen Portal.

7. If more than one Engine within your view domain is available in the Portal, a list with all connected Engines shows up in the dialog Engine selection:

   • Click the name of an Engine to connect to it.

   • Click the star to the right of the name of an Engine to make that Engine your favorite. The next time that you log in to the Finder from the same computer, the step to select the Engine is skipped and you connect directly to your favorite Engine. You can later change your favorite Engine once you have logged in.

If the Finder cannot connect to the Portal or to the selected Engine, it aborts the login process and displays an error message with the reason for the failure. For warnings related to security certificates during the connection, see the section on certificate issues below.

Editing a session

If one of your saved sessions has wrong data or there was a change in user or Appliance settings, you may want to edit the session. To edit the values stored in a session:

1. Click the down arrow placed in the top left tab of the login dialog (to the right of the title) and select the session that you want to edit from the drop down list.

2. Click the Edit button that you find at the top right corner of the login dialog. You enter session edition mode.

3. Edit the fields Username, Host : Port and the name of the session in the same way as you did when creating the session (see previous section).

4. Click Save to save your changes and go back to session mode.

Deleting a session

When you do not need a session anymore, remove it from your list of sessions. To delete a session from the login dialog:

1. Click the down arrow placed in the top left tab of the login dialog (to the right of the title) and select the session that you want to delete from the drop down list.

2. Click the Delete button that you find at the top right corner of the login dialog. A dialog appears asking you for confirmation on deleting the session.

3. Click Yes to confirm that you really want to delete the session. The login dialog removes the session from the list and goes back to Quick connect mode.

Certificate issues

While connecting to the Portal or to the Engine of your choice, the Finder may display a warning message about security certificates on a dialog with the title:

There is a problem with the Portal / Engine security certificate

Security certificates ensure that the connections among Nexthink components are safe. A problem with the certificates implies that there is a potential risk of impersonation. In particular, if you use the default self-signed certificates from Nexthink (or any other certificate not signed by a trusted CA), you can read the following message in the dialog:

The security certificate of Nexthink Portal / Engine could not be validated.

If you are testing the solution or you are sure that the certificate is correct:

1. Optional: Click Show certificate to display detailed information about the current certificate.

2. Optional: Tick the option Do not notify me again for this certificate if you want to accept the current certificate as valid and avoid the warning in subsequent logons.

3. Click Continue anyway to go on with the login process despite the warning message.

Otherwise, contact your administrator for replacing the certificates. Log in only after your administrator has finished installing the new security certificates.

RELATED TASKS

• Adding users

• Enabling Windows authentication of users

• Enabling SAML authentication of users

• Preventing password saving in the Finder

• Importing and replacing Certificates

RELATED REFERENCE

• Active Directory authentication