NoMachine Support

Your questions answered

Knowledge Base

Searching in: Feature Requests
Filter the search results
Target version:
Last update:
Searching in: Feature Requests
ID: FR03Q03797
Added on:  2019-03-14
Last update: 2019-08-23
Priority: High
Products: NoMachine Server
Target: 7
Status:  Approved
Allowing users to authenticate with separate accounts in multi-server environments

In case of environments adopting multiple authentication levels, e.g. domain user authentication (AD) and subdomains, users may have to use a different account to log-in to different machines.

When these machines are part of a NoMachine multi-server environment (e.g. Cloud Server + Enterprise Desktops as child servers), by default the client tries to authenticate to the child server by using the same credentials provided by the user for logging-in to the Cloud Server host. Optionally, it should be possibile to configure the NoMachine multi-server infrastructure to let the NoMachine client ask the user for new credentials (username and password) to log-in to the child server.

In this way, administrators can have a separate account for users to log-in to the Cloud Server host and use one or more different accounts on the child servers, e.g. AD accounts.

A new switch for the command 'nxserver --serveradd' will allow to configure the multi-host environment for requesting the user's credentials to log-in to the child server: --auth-required yes|no.

Note that:

1) The child server must have password-based authentication enabled.

2) The  --auth-required option is available only when client connections are relayed through the parent server via server-to-server protocol ('tunnel') or routed ('system').

3) By default when 'system' is used, the same credentials provided to log-in to the main Cloud Server are re-used to authenticate to the child server. Specifying  --auth-required allows to override that behavior. The user will be requested for login and password for authenticating to the child machine.
4) Connections by NX protocol use by default token,tunnel. Be sure to specify the --forward-nx-methods option in order to exclude the 'token' method.

For example:

nxserver --serveradd <host:port> --forward-nx-methods system,tunnel --auth-required yes

This is not necessary for connections by SSH protocol, since the default methods are system,tunnel.


The 'nxserver --serveredit' and 'nxserver --serverlist' commands need to be updated as well to be aligned with this new implementation.

This new implementation requires changes to the NoMachine clients (GUI and web) for managing the request of authentication on the child server (

The NoMachine client administrative UI for adding child servers to the Cloud Server will also need to be updated for providing the new option (--auth-required)  (


Server usage:

--serveradd <server> [--protocol NX|SSH][--port <port>][--foreign][--target <uuid>]
                      [--forward-nx-methods token|system|tunnel]
                      [--forward-nx-host <server>] [--forward-nx-port <port>]
                      [--forward-ssh-methods token|system|tunnel]
                      [--forward-ssh-host <server>] [--forward-ssh-port <port>]
                      [--direct-access yes|no]
                      [--manual-selection yes|no]
                      [--label <label>]
                      [--comment <comment>]
                      [--strict-host-key-checking yes|no]
                      [--auth-required yes|no]

  Federate a remote host under this server, where <server> is IP or
  hostname of the remote host. Server-to-server communication uses by
  default NX protocol and port 4000. Change this by using --protocol
  and --port. To add a child server to a different parent server and
  build a multi-tier hierarchy, specify --target <uuid> where <uuid>
  is the id of the parent server. Provide --foreign to add Unix-like
  stations not supported by NoMachine software. Client connections
  are routed to the child server with the same protocol selected by
  user or traffic is relayed through the parent server via server-to-
  server protocol ('tunnel'). Foreign servers use tunnel forwarding.
  Alternative methods for NoMachine servers are 'token' (client is
  identified by OTP) and 'system' (it re-uses the same credentials
  used to authenticate to the parent server). If the child server is
  a NoMachine server and protocol is NX, default forwarding method is
  set to 'token,tunnel'; for SSH protocol it is 'system,tunnel'. To
  override the default behavior, provide the --forward-nx-methods or
  the --forward-ssh-methods option and specify a single value or a
  comma-separated list of values in a positional notation. Further
  parameters permit to route the client to a NoMachine server through
  a specific network interface and port: --forward-nx-host <server>
  and --forward-nx-port <port> for the NX protocol; --forward-ssh-
  host <server> and --forward-ssh-port <port> for SSH. A NoMachine
  child server by default accepts users' connections to its IP. Give
  '--direct-access no' to forbid that. By default, users can select
  the remote server. Use '--manual-selection no' to exclude a server
  from the list. The --label option permits to assign a name or short
  note to the server, displayed to users. Provide --comment to add
  a longer text visible only to administrators. For adding auto-
  matically the host key to known_hosts file (if SSH is used) or to
  client.crt (if NX protocol is used) on the server without being
  prompted to accept the key, set --strict-host-key-checking to 'no'.
  Set --auth-required to 'yes' to request username and password when
  the user connects to the child server in order to authenticate with
  separate accounts. This is not available for the 'token' method.


 --serveredit <server:port>|<uuid> [--target <uuid>]
                                  [--forward-nx-methods token|system|tunnel]
                                  [--forward-nx-port <port>] [--forward-nx-host <server>]
                                  [--forward-ssh-methods token|system|tunnel]
                                  [--forward-ssh-port <port>] [--forward-ssh-host<server>]
                                  [--direct-access yes|no]
                                  [--manual-selection yes|no]
                                  [--label <label>]
                                  [--comment <comment>]
                                  [--auth-required yes|no]

  Modify settings of a child server, identified by its id (<uuid>) or
  name (<server:port>). If it's not a first-level server provide the
  child server's uuid and use --target to specify the uuid of its
  parent server. Servers' uuid is displayed in the output of the
  'nxserver --serverlist --extended' command. To modify connection
  protocol and port, remove the remote host from this server and add
  it again.


Notify me when the FR is implemented.