Setting up single sign-on authentication (SSO)

If you have an Enterprise subscription, you can specify single sign-on (SSO) as the authentication scheme for VNC Server instead of system authentication. This means that VNC Viewer users do not have to supply credentials in order to connect to VNC Server, but are instead silently authenticated by secure network services.

[Screenshot: VNC Server Options dialog, Security page, with single sign-on authentication selected]

Note the following conditions, which may mean that single sign-on is unsuitable for use in a home or small office environment:

  • All prospective computers running VNC Server must be joined to a domain (a network managed by a domain controller, running specialized software such as Kerberos or Active Directory).
  • All prospective computers running desktop VNC Viewer must be joined to the same domain. Note that this feature is not available for devices running VNC Viewer for iOS, Android or Chrome.
  • VNC Viewer users must log on to their computers using the credentials of domain accounts; that is, of user accounts managed by the domain controller.
  • A fallback scheme must be provided in case single sign-on fails for any reason.

Setting up the VNC Server computer

Perform the following steps:

  1. Make sure the computer is joined to a domain.

  2. Specify the single sign-on authentication scheme, using either:

    • The VNC Server Authentication parameter.
    • VNC Server’s Options > Security page.
  3. Under Linux or Mac, obtain a GSSAPI-compatible library.

    Note that a suitable library may already be present on your system, for example /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so under Ubuntu or /usr/lib/libgssapi_krb5.dylib under Mac. Alternatively, you may be able to obtain one by installing third-party software such as PowerBroker Identity Services or Centrify, designed to integrate with Active Directory.

  4. Under Linux or Mac, create an /etc/vnc/ssolib symbolic link pointing to the location of the GSSAPI-compatible library (above).

  5. Under Mac 10.7 only, if you are integrating with Active Directory, edit the /etc/pam.d/authorisation file as follows:

    auth    optional    pam_krb5.so            use_first_pass use_kcminit default_principal
    auth    sufficient  pam_krb5.so            use_first_pass default_principal
    auth    optional    pam_ntlm.so            use_first_pass
    auth    required    pam_opendirectory.so   use_first_pass nullok
    account required    pam_opendirectory.so
  6. Under Mac 10.7 onwards, use Directory Utility (/System/Library/CoreServices/Directory Utility.app) to ascertain the service principal name of the computer as it is registered with the domain controller, for example:

    [Screenshot: Directory Utility showing the computer's registered service principal name]

    Assign the dsAttrTypeNative:servicePrincipalName ‘host’ value to the VNC Server KerberosPrincipalName parameter; in this example, that value is host/users-macbook-p.dev.realvnc.ltd.

  7. Register the domain accounts of all prospective VNC Viewer users with VNC Server, using either:

    • The VNC Server Permissions parameter.
    • VNC Server’s Options > Users & Permissions page.

    Note that you may need to qualify user names with the domain name, for example DEV.ACMECORP.COM\johndoe.

Providing a fallback scheme

If single sign-on fails for any reason (for example, the domain controller cannot be contacted), VNC Server automatically falls back to the authentication scheme specified by the VNC Server Authentication parameter. By default, this is system authentication, and connecting users are prompted to supply the credentials of a user account valid for logging on to the VNC Server computer.

By default under Linux, connecting users can only supply the credentials of local user accounts. To enable connecting users to supply the credentials of their domain accounts instead, you must pre-configure VNC Server.

Setting up each VNC Viewer computer

Perform the following steps:

  1. Make sure the computer is joined to the same domain as the VNC Server computer.

  2. Make sure the VNC Viewer user logs on to their computer using the credentials of a domain account.

  3. Under Linux or Mac, obtain a GSSAPI-compatible library.

    Note that a suitable library may already be present on your system, for example /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so under Ubuntu or /usr/lib/libgssapi_krb5.dylib under Mac. Alternatively, you may be able to obtain one by installing third-party software such as PowerBroker Identity Services or Centrify, designed to integrate with Active Directory.

  4. Under Linux or Mac, create an /etc/vnc/ssolib symbolic link pointing to the location of the GSSAPI-compatible library (above).

  5. Make sure VNC Viewer is set to use single sign-on, by either:

    • Setting the VNC Viewer SingleSignOn parameter to TRUE.
    • Turning on Use single sign-on if VNC Server supports it in the VNC Viewer Properties dialog for a connection.
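
Steps 3 and 4 of both the VNC Server and VNC Viewer procedures (finding a GSSAPI-compatible library and creating the /etc/vnc/ssolib link) can be scripted. The POSIX shell helper below is an added example, not RealVNC's own tooling: it searches the library locations named above, checks that the library is owned by the installing account and not group- or world-writable before linking it (since VNC Server and VNC Viewer load whatever the link points to with their own privileges), and then creates the link. The --install flag and the optional second argument to link_ssolib are assumptions of this example.

```shell
#!/bin/sh
# Added example (not RealVNC's own tooling): locate a GSSAPI-compatible library
# and create the /etc/vnc/ssolib link that VNC Server and VNC Viewer load for
# single sign-on (steps 3 and 4 above).
set -eu
# Library locations named in the documentation, one per word.
DEFAULT_CANDIDATES="/usr/lib/x86_64-linux-gnu/libgssapi_krb5.so /usr/lib/libgssapi_krb5.dylib"

# Print the first candidate that exists as a regular file; fail if none does.
find_gssapi_lib() {
    for lib in "$@"; do
        if [ -f "$lib" ]; then
            printf '%s\n' "$lib"
            return 0
        fi
    done
    return 1
}

# VNC Server loads the linked library with its own privileges, so refuse one
# that another account could replace: it must be owned by the account running
# this script (root when installing) and not group- or world-writable.
lib_is_trustworthy() {
    lib=$1
    owner=$(ls -ldL "$lib" | awk '{print $3}')   # -L: inspect the real file, not a symlink
    mode=$(ls -ldL "$lib" | cut -c1-10)          # e.g. -rw-r--r--
    [ "$owner" = "$(id -un)" ] || return 1
    case $mode in
        ?????w????|????????w?) return 1 ;;       # group (pos 6) or other (pos 9) writable
    esac
    return 0
}

# Create (or replace) the symbolic link; the optional second argument overrides
# the default /etc/vnc/ssolib path so the helper can be exercised elsewhere.
link_ssolib() {
    lib=$1
    link=${2:-/etc/vnc/ssolib}
    lib_is_trustworthy "$lib" || { echo "refusing untrusted library $lib" >&2; return 1; }
    mkdir -p "$(dirname "$link")"
    rm -f "$link"
    ln -s "$lib" "$link"
    printf '%s\n' "$link"
}

# Only act when invoked explicitly, e.g. `sudo sh sso-setup.sh --install`.
if [ "${1:-}" = "--install" ]; then
    lib=$(find_gssapi_lib $DEFAULT_CANDIDATES) || { echo "no GSSAPI library found (see step 3)" >&2; exit 1; }
    link_ssolib "$lib"
fi
```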