VNC +Certificate Authentication
James Weatherall
jnw "at" realvnc.com
Fri Jul 27 12:52:00 2007

Hi John,

Single Sign-On allows the VNC server to fully authenticate the connecting
viewer without the viewer having to prompt the user to enter the username
and password, provided that the viewer & server systems share a common
authentication authority. Single Sign-On does not actually log the user on
to the console of the remote system in current releases, however.

What you're trying to do is reasonable, I think, but isn't supported by
current releases.

Cheers,

Wez @ RealVNC Ltd

> -----Original Message-----
> From: vnc-list-admin "at" realvnc.com
> [mailto:vnc-list-admin "at" realvnc.com] On Behalf Of John Morgan Salomon
> Sent: 26 July 2007 14:53
> To: vnc-list "at" realvnc.com
> Subject: VNC +Certificate Authentication
>
> Hi there,
>
> I apologize if the answer to this question is staring me right in the
> face in some FAQ or so, but I haven't been able to find it.
>
> We have two Windows boxes connecting to each other in a test lab
> (W2k3 server sp1 and Windows XP sp1.) Both are running evaluation
> copies of RealVNC4 enterprise edition.
>
> I am trying to find out the following:
>
> 1) whether there is a possibility of authenticating to a VNC server
> using an X.509 certificate (in our case from a smart card)
> 2) whether it's possible to use certificate-based NT domain
> credentials to log directly in through the GINA on the target system
> (we cannot get this working for some reason; we selected
> 'single sign-on' in the VNC server configuration menu, but we still
> get the server's login GINA window.) Does it matter whether this runs
> as a Windows service or in user mode?
> 3) whether there is provision, existing or planned, for forwarding a
> local PCSC channel to a VNC server the way RDP does
>
> stunnel is not an option (we don't care about authenticating the
> underlying connection, but the actual user interaction with either
> the MS GINA or, failing that, the VNC server.)
>
> Basically we're trying to see if there's a way a user can start a VNC
> session to a Windows domain controller and authenticate himself to
> Windows on the target system with a smart card/certificate issued for
> Windows domain login.
>
> Any help/tips appreciated; is what we're trying to do totally off the
> wall?
>
> Thanks,
>
> -John