Skip to main content
Skip table of contents

Configuring single sign-on

These instructions discuss how to configure single sign-on authentication for NexJ applications.

Authentication is a security process which involves identifying and verifying the credentials of users attempting to access a protected resource. NexJ Model Engine uses Windows Authentication and the SPNEGO negotiation mechanism to securely authenticate users and determine their level of authorization. If Windows Authentication is not an option, Java Kerberos can be used as an alternative.

Single sign-on is a form of access control which uses one set of credentials for multiple applications. It consolidates and streamlines authentication procedures for users and provides administrators with efficient management solutions. Once a user has been authenticated, they are able to access other enterprise applications without having to again log in until their session has expired.


Kerberos authentication is an alternative to native Windows Authentication. Only one method of single sign-on authentication can be set up. It is recommended to use Windows Authentication when possible.

The following steps are required to configure single sign-on authentication:

  1. Create a Windows domain user for the AppServer service.
  2. Run the AppServer service under the domain account.
  3. Create a user domain group for NexJ applications.
  4. Install the SetSPN utility on a domain controller.
  5. Create Kerberos service principal names.
  6. Configure IIS for Kerberos authentication.
  7. Configure native Windows Authentication. (Native Windows Authentication only)
  8. Configure Kerberos for SPNEGO. (Java Kerberos authentication only)
  9. Configure logins.
  10. Enable SPNEGO authentication.
  11. Configure client browsers.

Single sign-on prerequisites

You need to use the following information throughout the single sign-on configuration process:

The full name and extension of the Windows domain to which the users of the NexJ application belong. For example, yourcompany.local.

The directory where NexJ Studio is located. For example, C:\Java\eclipse\plugins\com.nexjsystems.nexjstudio_version.

The root directory of the application server.


To get the value of DOMAIN.EXT, open the System Properties dialog for the machine on which the Windows server is running. Click on the Computer Name tab. The full computer name and domain are displayed.

Ensure that the following components have been properly set up:

  • A supported version of Microsoft Windows Server running the Active Directory Domain Controller and associated Kerberos Key Distribution Center (KDC). For more information on supported platforms, see the relevant version of the Release Notes document for your product.
  • Client computers with Internet browsers that support the SPNEGO authentication mechanism. Refer to the release notes for the list of supported Internet browsers

Creating a Windows domain user for the AppServer service

Using the Active Directory Microsoft Management Console, create a special Windows service user to run application server processes.

To create a new Windows service user for the AppServer service:

  1. Open the Active Directory Microsoft Management Console.
  2. Open DOMAIN.EXT.
  3. Right-click the Users folder and select New → User to create a new user. Fill in the New User dialog and click Next.


    Any valid login name may be used. For example, nexjsvr.

  4. Set a password. Uncheck User must change password and check Password never expires.
  5. If prompted, disable Create an Exchange mailbox. The user should not have an email address.
  6. Click Finish to create the new account.
  7. Add this user to the "Domain Users" group. Ensure the user does not belong to any other groups.
  8. Provide this user with the authorization to make read requests to the Active Directory, including the names and properties of users that exist on the domain.

The new service user has been created.

Running the AppServer service under the domain account

For single sign-on to work, the AppServer service must run under the domain account.

To configure the AppServer service:

  1. Start the Windows Services Microsoft Management Console snap-in from Control Panel → Administration Tools → Services or type services.msc at a command prompt.
  2. Navigate to the application server service that was specified during installation. If the default name was used, it would be modeld.
  3. Edit the service by right-clicking it and selecting Properties. Set the login account in the Log On tab to the Windows domain user login ID and password.

Your AppServer service will now run under the domain account.

Creating a user domain group for NexJ applications

For single sign-on to work, NexJ application users must be added to a new domain group. The new group must be created in the same domain as the NexJ application users themselves.

Domain groups provide a single point of administrative control to deny access from unauthorized users. After a user has been authenticated, the application verifies if they have been granted access to the NexJ application based on their domain group affiliation. If the user is a member of a domain group (for example, nexjusers), then they proceed to access the protected application. If they do not belong to a domain group, they are denied access.


The default group is nexjusers. You can use a different group name by specifying the name in the authGroup security property in your environment file. For example, if you want to use a group called samplegroup, open your environment file in NexJ Studio and edit the authgroup property to specify samplegroup.

To create a domain group for NexJ application users:

  1. Open the Active Directory Microsoft Management Console.
  2. Right-click on the Domain icon and choose New → Group to create a new group.
  3. In the New Group dialog, set the group name to nexjusers (one word, all lower-case).
  4. If prompted, disable Create Exchange Mailbox.
  5. Click Finish.
  6. Add all NexJ application users as members of the group.

Your new domain group has been created and NexJ application users have been added.

Installing the SetSPN utility on a domain controller

The setspn.exe tool is used to create service principal names which are used in the Kerberos authentication process. It authorizes a Windows domain user to make authentication requests to the Active Directory Domain Controller on behalf of a service.

The setspn.exe utility is part of the Windows Support Tools package. These tools are available from the Microsoft website or the Windows Server Install CD. On the install CD, the Suptools.msi file can be found in the Support\Tools\ directory.

After installing the setspn.exe tool, execute it on the domain controller within DOMAIN.EXT. This will allow the service user (in this example, nexjsvr) to make authentication requests to the Active Directory Domain Controller on behalf of the NexJ application.

Creating Kerberos service principal names

Kerberos service principal names are created using the setspn.exe tool in the Windows Support Tools package.


Kerberos service principal names are required for single sign-on using both Windows Authentication and Java Kerberos. Both methods of single sign-on authentication require these steps.

To allow the application server to accept Kerberos authentication requests:

  1. Log into the domain controller where the Windows Support Tools are installed.
  2. Open the Command Prompt.
  3. Run the following command in the Command Prompt:
    setspn -a HTTP/<host.domain.ext> <DOMAIN.EXT>\nexjsvr


    host.domain.ext is the canonical DNS name of the application server host and DOMAIN.EXT is the Kerberos realm, corresponding to the Active Directory domain name. Domain names are case-sensitive: host.domain.ext must be in lowercase and DOMAIN.EXT must be in uppercase.


    The principal names for the account can also be viewed and modified using the adsiedit.msc MMC snap-in (attribute servicePrincipalName, available in the object Property pages).

  4. Confirm the service principal name has been successfully added by running the following command in the Command Prompt:
    setspn –L DOMAIN.EXT\nexjsvr

  5. If multiple clusters with separate HTTP redirectors are set up on the same domain, map all HTTP redirector SPNs to nexjsvr.

  6. Make sure no other user or computer has the same SPN value. Use setspn -l DOMAIN.EXT\user to view
    SPNs for a given user, and setspn -l host to view SPN for a given computer. If the same SPN is mapped
    to another user or computer, it can be deleted using one of the following commands:

    setspn -d HTTP/host.domain.ext DOMAIN.EXT\user 
    setspn -d HTTP/host.domain.ext computer

Your application server will now be able to receive and process Kerberos authentication requests.

Configuring IIS for Kerberos authentication

When IIS is installed, it creates two Kerberos service principal names for itself. These principal names will conflict with the newly created service principal name for <DOMAIN.EXT\nexjsvr>. They must be deleted for single sign-on authentication to work with native Windows Authentication or Java Kerberos.


These instructions assume that IIS is running on the <host.domain.ext> machine.

These instructions assume that IIS is running on the host.domain.ext machine.

To remove the conflicting IIS Kerberos service principal names:

  1. Log into the domain controller where Windows Support Tools are installed.
  2. Open the Command Prompt.
  3. Run the following command in the Command Prompt:
    setspn -d HTTP/<host.domain.ext> <host>
  4. Run the following command in the Command Prompt:
    setspn -d HTTP/<host> <host>


    Removing the conflicting Kerberos service principal names will conflict with SPNEGO authentication for any existing services being provided by IIS that already use SPNEGO, including the HTTP redirector. The application pools in IIS that have to use Kerberos authentication (including the one with the redirector) must be modified to run under the NexJ service user (in this example, nexjsvr). This user should be made a member of the IIS_WPG user group.

The conflicting IIS Kerberos service principal names are now removed. Kerberos service principal names will now be compatible with Windows Authentication or Java Kerberos single sign-on.

Configuring native Windows Authentication (Windows only)

Configuring native Windows Authentication on the application server allows users to access protected resources using their local login credentials.

If the application server is using a Windows operating system and authenticating with Active Directory, it is recommended to use the NexJ native library for SPNEGO authentication. This library (nexjauth.dll) uses Windows APIs to authenticate users.


The application server cannot be running while completing these steps.

To configure the NexJ native SPNEGO authentication library:

  1. Navigate to %NEXJ_PLUGIN%\lib\win32 using Windows Explorer.
  2. Copy nexjauth.dll.
  3. Navigate to %JAVA_HOME%\jre\bin and paste the file.

The SPNEGO authentication library has been configured to work with the NexJ Model Engine using native Windows Authentication.

Configuring Kerberos for SPNEGO (Java Kerberos only)

Kerberos authentication for SPNEGO is an alternative to configuring single sign-on using native Windows Authentication. Kerberos should only be configured if using Windows Authentication is not an option.

Configuring Kerberos for SPNEGO involves:

  • Creating a krb5.conf file to configure information for the Java GSSAuthenticator. This locates the Kerberos domain controller.
  • Creating and initalizing the krb5.keytab file. This file contains information needed by the GSSAuthenticator to validate the authenticity of communications from the Kerberos domain controller.
  • Invoking the kinit tool. This program initiates a session between the service principal (in this example, nexjsvr) and the Kerberos domain controller, allowing the Kerberos domain controller to trust requests from the application.

To configure Kerberos for SPNEGO:

  1. Create the directory SERVER_HOME on your application server machine.
  2. Run the ktab command in %SERVER_HOME%\spnego to create a keytab file with the server's service principal name and service user (e.g. nexjsvr) password:
    ktab -a HTTP/<appServerHost.domain.ext> -k %SERVER_HOME%\spnego\krb5.keytab


    Ensure that the path %SERVER_HOME%\spnego\krb5.keytab has no spaces. If it does, copy krb5.keytab to a directory without spaces and adjust the entered path in these instructions accordingly.

  3. Verify that the keytab works by creating a temporary entry:
    ktab -a user@DOMAIN.EXT -k %SERVER_HOME%\spnego\krb5.keytab
  4. View the keytab file to verify entries using the command:
    ktab -l

  5. Issue a kinit command:
    kinit -k -t krb5.keytab nexjsvr@<DOMAIN.EXT>

  6. Remove the temporary entry you created in step 3 by running the following command:
    ktab -d user@<DOMAIN.EXT>

  7. Create the Kerberos configuration file %JAVA_HOME%\lib\security\krb5.config, with the following content:

            default_realm = <DOMAIN.EXT> 
            default_keytab_name = FILE:%SERVER_HOME%\spnego\krb5.keytab 
            default_tkt_enctypes = rc4-hmac des-cbc-md5 default_tgs_enctypes = rc4-hmac des-cbc-md5 
            <DOMAIN.EXT> = { 
                    kdc = <kdc_host.domain.ext:88> 
            <.domain.ext> = <DOMAIN.EXT>


    Domain names are case-sensitive. All <DOMAIN.EXT> values must be capitalized in the configuration.

    The following is an example Kerberos configuration file:

            default_realm = NEXJSYSTEMS.LOCAL 
            default_keytab_name = FILE:C:\java\modeld\spnego 
            default_tkt_enctypes = rc4-hmac des-cbc-md5 
            default_tgs_enctypes = rc4-hmac des-cbc-md5 
            NEXJSYSTEMS.LOCAL = { 
                    kdc = nexj-prd-1.nexjsystems.local:88 
            .yourcompany.local = YOURCOMPANY.LOCAL 

Kerberos is now configured to work with the SPNEGO negotiation mechanism.

Configuring user logins for single sign-on

When a user is logging into a NexJ application, the credentials of the current desktop session are sent to the application server.

For single sign-on to work, the domain that the user is logged into must have the same name as the Authentication Domain parameter in the SPNEGO configuration for the application server.

Alternatively, the user login name must match the principal name format of username@DOMAIN.EXT, for example, jsmith@YOURCOMPANY.LOCAL. When creating users in the application server, you must also create login names that match the principal name format of username@DOMAIN.EXT.


The domain name and extension must be in upper case.

Using basic authentication to configure logins

For single sign-on authentication to work, all NexJ application users must have login IDs that match the Kerberos service principal name format.

To change user login IDs to match the Kerberos service principal name format:

  1. Log into NexJ Admin Console using the default account.
  2. In the menu bar, click the User button. The User screen opens in the middle column.
  3. Click Users to retrieve a list of all NexJ users.
  4. Select the nexjsa account.
  5. Use the Edit button
    in the right column to open the Edit Local User dialog.
  6. Change the Login value to match the Kerberos service principal name format (for example, nexjsa@YOURCOMPANY.LOCAL).
  7. Click OK.
  8. Set at least one user account to that of a real domain user. Provide this account with Administrator privileges.
  9. Save your changes and close NexJ Admin Console Console.

Users should now have login IDs that match the Kerberos service principal name format.

Enabling SPNEGO authentication

Your application server will require modification before it can be compatible with the SPNEGO negotiation mechanism. Use NexJ Studio to change the server's authentication properties.

To configure the application server to use SPNEGO authentication:

  1. Open NexJ Studio.
  2. Open the environment or server file from the Deployment tab to configure your production server's settings.
  3. In the Security tab, define the following values:
    • Authentication Protocol: <spnego>
    • Authentication Domain: <DOMAIN.EXT>
    • Authentication Service: <HTTP/host.domain.ext>
  4. Save the environment or server file.
  5. Deploy the NexJ Model on the application server using the Deploy Model button
    on the toolbar.

Any administrative user (in this example, jsmith@NEXJDEMO.LOCAL) can now log into NexJ CRM or NexJ Admin Console without being prompted.

Configuring user browsers for silent single sign-on

Silent single sign-on allows users to access NexJ applications without being prompted to supply login information multiple times per session. Client Internet browsers must be configured to share their login information with the application server. For silent single sign-on to work, the browser must recognize the application server as a trusted domain.


If silent single sign-on fails on a Windows operating system, look in the system event log for warning entries entitled "LSA SPNEGO" and in the application event log for group policy update errors. If you find these errors, remove any entries from Control Panel → User Accounts → Advanced → Manage Passwords and reboot the computer.

Configuring silent single sign-on for Internet Explorer

In Microsoft Internet Explorer, the application server host URL must be listed in the browser preferences as a trusted domain.

To set the application server as a trusted domain in Internet Explorer:

  1. In the browser, from the Tools menu open the Internet Options dialog. Click the Security tab.
  2. Select the Local Intranet icon and click the Sites button.
  3. In the Local Intranet dialog, ensure that the Include all local (intranet) sites not listed in other zones checkbox is selected. Click the Advanced button.
  4. In the Advanced Local Intranet dialog, fill in the Add this Web site to the zone field with the Web address of the host name: http[s]://host.domain.ext.
  5. Click Close to complete this step. The Local Intranet window closes.
  6. Click the Advanced tab in the Internet Options dialog.
  7. In the Settings list, ensure that the Enable Integrated Windows Authentication checkbox is selected.
  8. Click OK to close the Internet Options dialog.
  9. Restart Internet Explorer to activate these settings.

Your browser is now compatible with silent single sign-on authentication.

Configuring servers for cross-server SSO 

As of NexJ CRM 9.9, an extension of the existing NexJ single sign-on (SSO) system supports use cases with multiple NexJ servers. The expected usage is for more than one AFL server, where the Portal server acts as the primary source of trust and the Portal application hosts portlets from other remote servers, possibly in a cross-domain setup. The remote portlets must be set to use secure communications using HTTPS. It is recommended both server types use HTTPS.

On the Portal server, the portlets participating in the RemoteToken SSO extension must be listed in the Hosts section of the environment file. In addition, you must create a user for remote login using the service with the sso:RemoteTokenValidate privilege to validate the implementation.

On the secondary remote portlet server, the sso:RemoteToken channel must be configured in the environment file, with the URL set to the Portal server's JSON endpoint and the user set to the previously mentioned remote login user. NexJ recommends that you use certificates to verify identity. In addition, the user with the same login must exist on both servers. It is assumed that the user login belongs to the same user as long as the login matches.

When upgrading to NexJ CRM 9.9, the contents of the SSOSecurityContextConfig table in the database will be reset. If any settings were changed in the database without modifying the project's model, they will need to be set again after upgrading.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.