Knowledge Base

NX authorization code

When accessing the NX remote desktop service at nx.reading.ac.uk:4443 from off-campus, you may be prompted to enter a one-time “Authorization Code.” This code is either generated by an authentication app (if configured) or sent to your University of Reading (UoR) email address.

 

In this article, you will find key instructions on how to:

  • Section 1: Check if you need to apply for access.
  • Section 2: Login to NX using a one-time authentication code emailed to your UoR email address.
  • Section 3: Set up your authenticator app (optional, but recommended for experienced users).

 

1. Determine if you need to apply for access

Off-campus access to NX requires prior registration. If you’re not registered, after entering your UoR credentials and they are verified, you’ll receive an error message similar to:

Authentication Failed

If you’ve entered your password correctly but still see this message, you need to request access. Submit a ticket to the Digital Technology Services (DTS) to be added to the arc-remote-users group, which grants access to Linux/ARC remote services, including NX.

Important: Use your UoR email address or the self-service portal to submit your request. This ensures we can verify the authenticity of your application. Additional verification steps may be necessary in some cases.

When connecting from the UoR campus network, via VPN, or through arc-ssh.reading.ac.uk, only your UoR password is required—no additional authentication is needed.

 

2. Logging in using one-time email codes

After successfully entering your UoR password, you’ll be prompted for an authorization code, like in the following example:

If you haven’t set up an authenticator app, a 6-digit code will be sent to your university email with the subject line: arc-remote.reading.ac.uk off-campus access

To proceed:

  1. Open the email and locate the 6-digit code.

  2. Enter this code into the “Authentication code” field.

  3. If the code is mistyped or expires, a new code will be sent automatically.

Note: The code is valid only for the current authentication attempt and expires after 60 seconds. Ensure your email client is open and ready to receive the code to avoid delays. If the code expires, you’ll need to restart the login process to receive a new code.

New users of UoR Linux systems can stop here and just use the email codes to login. However, we recommend that all users, once they have some experience in using our systems, set up a more robust method for two-factor authentication. The method of authentication following in the next section will replace the email code authentication.

 

3. Setting up Google Authenticator (Recommended)

For a more reliable and efficient authentication method, we recommend setting up an authenticator app on your mobile phone, such as Microsoft Authenticator (this is preferred because it is already used with other UoR services) or Google Authenticator. Once configured, these apps generate time-based codes, eliminating the need for email-based authentication.

We recommend to replace email codes with Google Authenticator codes because email is not a reliable way to deliver the authentication code on time. There is a risk you might not be able to login when there is some delay with your email delivery. Note the authentication code for NX is the same as the one as used by arc-ssh so if you have already setup arc-ssh you just use those codes.

Some additional information: The general idea of Google Authenticator is as follows: A secret key is placed in a file on the server. On the ACT systems using this method of authentication the file is located at /var/authenticator/<UoR username>/.google_authenticator. The secret key is also transferred to your mobile device when you scan the QR code (you can also achieve this by copying the secret key by hand, or by using the URL to have the QR code displayed in a web browser), and it is stored in the authenticator app. The secret key plus the current time is used to generate time based verification codes. Comparing those verification codes confirms the identity of the device used to authenticate the connection.

 

Setup Instructions:

  1. Install the Microsoft Authenticator or Google Authenticator app on your mobile device (both apps are compatible and the setup instructions are the same in both cases).

  2. Log in to the NX service and open a terminal window. Alternatively, you can also follow the same process on arc-ssh.

  3. Run the setup script /usr/local/bin/google-authenticator to generate a QR code (see the example below).

  4. Scan the QR code using your authenticator app to link your account.

Once set up, your authenticator app will generate 6-digit codes required for future logins. This method is also compatible with arc-ssh.reading.ac.uk, allowing for a unified authentication approach across our remotely accessible servers.

EXAMPLE:

We initially login to https://nx.reading.ac.uk:4443 using the email code as the two-factor authentication method. Once we are connected, we run the script which replaces the email codes with Google Authenticator codes in a mate terminal, as follows:     

ab123456@nxnode3:~$ /usr/local/bin/google-authenticator 
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/ab123456@arc-remote.reading.ac.uk%3Fsecret%3DFOO3L3KAPLYPSA7WG3D6YSJBAA%26issuer%3Darc-remote.reading.ac.uk

NX QR code

Your new secret key is: FOO3L3KAPLYPSA7WG3D6YSJBAA
Your verification code is 843654
Your emergency scratch codes are:
27275024
33549668
50127586
91900156
28478521

It makes sense to save a copy of the emergency  scratch codes. You can use them in case you are not able to login with the standard, time based, verification codes.

The URL, the QR code and the secret key contains the same secret, they should not be revealed, printed or stored in a file. 

If you have problems with the QR code displayed in the text console, you can use the provided URL, or you can copy the secret key as text. The configuration script is modified to store the Authenticator files in custom shared location, not in your shared home directory. This way, the secret used for off-campus authentication is more secure, and also setting it up on NX or arc-ssh will not affect how you login to other UoR services.

Note that every time you run the script, a new secret code is created and the old one is overwritten. That means that each time you run the script, you need to scan the QR code again.  

If you want to revert to using email codes, you will need to remove the file /var/authenticator/<UoR login>/.google_authenticator

 

DTS Status Page
Drop-in Sessions

ACT services access flow

News
Suggest Content…
Click here and let us know!

Related articles

Transferring files to and from Linux storage

NAG library

ssh iconExternally visible ssh server – arc-ssh

Recover a file on research storage

Using R and R Studio on RACC

ssh iconAccess to ACT Servers via an SSH Client

Running Matlab Scripts as Batch Jobs

Cronjobs on the Academic Computing Cluster

Python on the Academic Computing Cluster

Changing your current group ID during a login session