VNC^® Enterprise Edition User Guide

Contents

Authenticating connections to VNC Server

By default, a user must authenticate in order to connect to VNC Server. Note this is not the same as logging on to the host computer.

VNC Enterprise Edition is designed to be secure so authentication rules are strict out-of-the-box. You can relax the rules, or bypass them altogether, if you consider it safe to do so. For more information, start with Relaxing the authentication rules.

By default, under all platforms, VNC Server specifies platform-native authentication. This means that a user must supply the credentials (that is, a user name and password) of a host computer user in order to connect. For more information, read the section appropriate to the platform of the host computer below.

Note: Platform-native authentication is not available in VNC Personal Edition. The default authentication mechanism is VNC password.

Note that in some circumstances, a host computer user might not have set a password on the primary user account (this may be the case when connecting to friends and family, for example). In this circumstance, the default authentication mechanism must be changed to VNC password, or else authentication disabled. A user cannot specify a blank password in order to connect.

Windows

Under Windows, platform-native authentication is specified by the default Windows password option in the Authentication dropdown of the VNC Server Properties dialog. For more information on this dialog, see Using the VNC Server Properties dialog.

(Windows XP)

This means, to connect to VNC Server:

• In Service Mode, a user must supply the credentials of a member of the Administrators group.

• In User Mode, a user must supply either:

— The credentials of the currently logged on host computer user (that is, the user starting VNC Server).

— The credentials of a member of the Administrators group.

You can add different users or groups to the authentication list if you do not want to distribute the credentials of members of the Administrators group. For more information, see Managing users and groups in the authentication list.

• If the credentials of a member of the Administrators group were supplied, a Full set of VNC permissions is granted to the connected user.

• If the credentials of any other host computer user were supplied, a Default set of VNC permissions is granted.

For more information on what this means, and how to revoke VNC permissions in order to restrict access to functionality, see Restricting functionality for particular connected users.

Once connected, a user has the same privileges (that is, access rights) on the host computer as the currently logged on host computer user. This need not be a user with administrative privileges even if the credentials of one were supplied in order to connect to VNC Server. The opposite also holds true: a connected user has administrative privileges on the host computer if such a user is currently logged on. Note that if VNC Server is running in Service Mode and no host computer user is logged on, then the connected user must log on to Windows in order to continue.

UNIX or Linux

Under UNIX or Linux, platform-native authentication is specified by the default UNIX password option in the Authentication dropdown of the VNC Server Properties dialog. For more information on this dialog, see Using the VNC Server Properties dialog.

(Ubuntu 8.10 Linux)

This means, to connect to VNC Server in either User Mode or in Virtual Mode, a user must supply the credentials of the host computer user starting VNC Server. You can add different users or groups to the authentication list if you do not want to distribute the credentials of this host computer user. For more information, see Managing users and groups in the authentication list.

Note that the credentials supplied by a user in order to connect to VNC Server determine the VNC permissions granted to that user. VNC permissions control which features of VNC Enterprise Edition a connected user is allowed to use. By default, a Full set of VNC permissions is granted. For more information on what this means, and how to revoke VNC permissions in order to restrict access to functionality, see Restricting functionality for particular connected users.

Once connected, a user has the same privileges (that is, access rights) on the host computer as the host computer user starting VNC Server. This need not be a user with administrative privileges even if the credentials of one were supplied in order to connect to VNC Server. The opposite also holds true: a connected user has administrative privileges on the host computer if such a user started VNC Server.

Mac OS X

Under Mac OS X, platform-native authentication is specified by the default Mac password option in the Authentication dropdown of the VNC Server Properties dialog. For more information on this dialog, see Using the VNC Server Properties dialog.

(Mac OS X 10.5)

This means, to connect to VNC Server:

• In Service Mode, a user must supply the credentials of a member of the admin group.

• In User Mode, a user must supply the credentials of the host computer user starting VNC Server.

You can add different users or groups to the authentication list if you do not want to distribute the credentials of host computer users with administrative privileges. For more information, see Managing users and groups in the authentication list.

Once connected to VNC Server:

• In Service Mode, a user has the same privileges (that is, access rights) as the currently logged on host computer user. If no host computer user is logged on, then the user must log on in order to continue.

• In User Mode, a user has the same privileges as the host computer user starting VNC Server.

In either case, this need not be a host computer user with administrative privileges even if the credentials of one were supplied in order to connect to VNC Server. The opposite also holds true: a connected user has administrative privileges on the host computer if such a user either started VNC Server (User Mode) or is currently logged on (Service Mode).

Managing users and groups in the authentication list

By default, VNC Server specifies platform-native authentication, which means that a user must supply the credentials of a host computer user in order to connect to VNC Server. Under certain circumstances, this may be the credentials of a host computer user with administrative privileges.

If you want to use platform-native authentication but do not want to distribute the credentials of host computer users with administrative privileges, you can add host computer users or groups with less sensitive credentials to the VNC Server authentication list. (Alternatively, you could just choose a different authentication mechanism; for more information, see Relaxing the authentication rules.)

To manage users and groups in the authentication list, open the VNC Server Properties dialog. For more information on this dialog, see Using the VNC Server Properties dialog. On the Connections tab, click the Configure button. Providing either Windows password (or equivalent) or Single sign-on is selected in the Authentication dropdown, then the Permissions for VNC Server dialog opens:

(Windows XP)

To add a new host computer user or group, click the Add button. To remove an existing host computer user or group, select it in the list and click the Remove button. Note that a user can supply the credentials of any of the host computer users listed in Group or user names in order to connect to VNC Server.

Note that when you add a new host computer user or group to the authentication list, a Default set of VNC permissions is granted to users supplying those credentials in order to connect, even if this host computer user or group has administrative privileges on the host computer. For more information on VNC permissions, see Restricting functionality for particular connected users.

VNC® Enterprise Edition User Guide

VNC^® Enterprise Edition User Guide