« Back to docs

Setting up system authentication

If you have a Professional or Enterprise subscription, then by default VNC Server is set to use system authentication. This means that VNC Viewer users can authenticate to VNC Server using the same credentials they normally use to log on to their user account on the VNC Server computer.

_images/VNC_Server_Options_Dialog_System_Authentication.png

The system authentication scheme (labelled Windows password, Mac password or UNIX password) is typically both secure and convenient. System administrators commonly force the adoption of complex user names and passwords in enterprise environments, and users can authenticate using already-familiar credentials, and don’t have to remember yet another password.

Note

You can combine this authentication scheme with others in order to specify multi-factor authentication for VNC Server.

The user account of each prospective VNC Viewer user must be registered with VNC Server. Certain admin groups are pre-registered, to enable connectivity out-of-the-box. This may mean no set up is required, especially under Windows and Mac.

Note

Set up is required to register non-admin users and groups with VNC Server, and prior configuration is required to register domain accounts under Linux.

To authenticate to VNC Server, a registered VNC Viewer user can supply the credentials:

  • Under any platform, of a local user account (that is, one set up directly on the computer).
  • Under Windows and Mac, providing the computer is joined to a domain, of a domain user account (one that is managed by a network service such as Active Directory). Note that prior configuration is required under Linux; see below.
  • Under Windows 8 or later, providing the computer is connected to the Internet, of a cloud user account (that is, of a Microsoft account in which the email address constitutes the user name).

Setting up domain accounts under Linux

When VNC Server is installed on Linux platforms, a suitable PAM library checking credentials against the local database store only is automatically referenced. To see which library this is, and also the default authorization and account rules specified, examine the following file:

  • Under modern versions of Linux: /etc/pam.d/vncserver.
  • Under Solaris, HP-UX, and older versions of Linux: /etc/pam.conf (see lines starting vncserver).

Note

Under AIX, VNC Server uses LAM by default; contact Support for more information. To use PAM, specify the UsePam parameter.

To check domain account credentials against an LDAP or an Active Directory password store:

  1. Obtain a PAM library that provides this functionality, for example libpam-krb5.so. Running the command vncinitconfig -pam may help find a suitable library already in use on your system.

  2. Reference that library, and specify appropriate account and authentication rules, in the following file:

    • For platforms using /etc/pam.d/vncserver, in /etc/pam.d/vncserver.custom. Create this file if it does not exist.
    • For platforms using /etc/pam.conf, edit this same file to create vncserver.custom rules pointing to the new PAM library.
  3. In an appropriate system-wide VNC Connect configuration file (for example /etc/vnc/config.d/common.custom), specify the PamApplicationName parameter to register your changes with VNC Server:

    PamApplicationName=vncserver.custom

Note that a suitable PAM library for your platform may already be installed on the VNC Server computer, and appropriate account and authentication rules specified. For example, if your system has been Kerberized, or third party software such as Centrify or PowerBroker Identity Services installed to integrate with Active Directory, then you may be able to simply reference changes already made.

For example, under Debian-compatible Linux, you may be able to edit /etc/pam.d/vncserver.custom as follows:

@include common-auth
@include common-account
@include common-session

For Red Hat-compatible Linux, the equivalent edits might be:

auth      include    password-auth
account   include    password-auth
session   include    password-auth

Registering domain accounts with VNC Server

Domain accounts must be registered with VNC Server in the standard way, either by:

You may need to qualify user names with the domain name, for example DEV.ACMECORP.COM\johndoe. Note that connecting users may also need to supply the user name qualified in this way too.

×