« Back to docs

Setting up single sign-on authentication (SSO)

If you have an Enterprise subscription, you can specify single sign-on (SSO) authentication for VNC Server instead of system authentication. This means that connecting VNC Viewer users are transparently authenticated by secure network services (Kerberos), without having to enter a password.

Note

You can combine this authentication scheme with others in order to specify multi-factor authentication for VNC Server.

_images/VNC_Server_Options_Dialog_SingleSignOn_Authentication.png

Note the following requirements, which may mean that SSO is unsuitable for use in a home or small office environment:

  • The VNC Server computer must be joined to a domain managed by Active Directory.
  • Each desktop computer running VNC Viewer must be joined to the same domain. Note you cannot connect from a device running VNC Viewer for iOS, Android or Chrome.
  • Each VNC Viewer user must log on to their desktop computer using the credentials of a domain account; that is, of a user account managed by the domain controller.
  • The user account of each prospective VNC Viewer user must be registered with VNC Server, and suitable session permissions assigned.

By default, note that a fallback scheme is defined in case SSO fails for any reason.

Setting up the VNC Server computer

Perform the following steps:

  1. Make sure the computer is joined to a domain.

  2. Specify this authentication scheme, either by:

    • Selecting the Single sign-on option from the Authentication dropdown on VNC Server’s Options > Security page.
    • Setting the VNC Server Authentication parameter.
  3. Under Linux or Mac, obtain a GSSAPI-compatible library.

    Note that a suitable library may already be present on your system, for example /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so under Ubuntu or /usr/lib/libgssapi_krb5.dylib under Mac. Alternatively, you may be able to obtain one by installing third party software such as PowerBroker Identity Services or Centrify, designed to integrate with Active Directory.

  4. Under Linux or Mac, create an /etc/vnc/ssolib symbolic link pointing to the location of the GSSAPI-compatible library (above).

  5. Under Mac 10.7 only, if you are integrating with Active Directory, edit the /etc/pam.d/authorisation file as follows:

    auth    optional    pam_krb5.so            use_first_pass use_kcminit default_principal
    auth    sufficient  pam_krb5.so            use_first_pass default_principal
    auth    optional    pam_ntlm.so            use_first_pass
    auth    required    pam_opendirectory.so   use_first_pass nullok
    account required    pam_opendirectory.so
    
  6. Under Mac 10.7 onwards, use Directory Utility (/System/Library/CoreServices/Directory Utility.app) to ascertain the service principal name of the computer as it is registered with the domain controller, for example:

    _images/Indent1_mac_sso_directory_utility.png

    Assign the dsAttrTypeNative:servicePrincipalName ‘host’ value to the VNC Server KerberosPrincipalName parameter, so in this case host/users-macbook-p.dev.realvnc.ltd.

  7. Register the domain accounts of all prospective VNC Viewer users with VNC Server, either by:

    Note prior configuration is required to register domain accounts under Linux. You may also need to qualify user names with the domain name, for example DEV.ACMECORP.COM\johndoe.

Providing a fallback scheme

If SSO fails for any reason (for example, the domain controller cannot be contacted), VNC Server automatically falls back to the authentication scheme specified by the VNC Server Authentication parameter. By default, this is system authentication, and connecting users are prompted to supply the credentials of a user account valid for logging on to the VNC Server computer.

This should work out-of-the-box under Windows and Mac. Under Linux, however, connecting users are only able to supply the credentials of local user accounts by default. To enable connecting users to supply their own credentials (that is, of domain accounts), you must pre-configure VNC Server.

Setting up the VNC Viewer desktop computer

Note

You cannot connect from a device running VNC Viewer for iOS, Android or Chrome.

Perform the following steps:

  1. Make sure the computer is joined to the same domain as the VNC Server computer.

  2. Make sure the VNC Viewer user logs on to their computer using the credentials of a domain account.

  3. Under Linux or Mac, obtain a GSSAPI-compatible library.

    Note a suitable library may already be present on your system, for example /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so under Ubuntu or /usr/lib/libgssapi_krb5.dylib under Mac. Alternatively, you may be able to obtain one by installing third party software such as PowerBroker Identity Services or Centrify, designed to integrate with Active Directory.

  4. Under Linux or Mac, create an /etc/vnc/ssolib symbolic link pointing to the location of the GSSAPI-compatible library (above).

  5. Make sure VNC Viewer is set to prefer SSO, either by:

    • Turning on Authenticate using single sign-on (SSO) if possible in the VNC Viewer Properties dialog for the connection.
    • Setting the VNC Viewer SingleSignOn parameter to TRUE.
×