
Setting up system authentication on a Linux domain

If you have a Professional or Enterprise subscription, then by default VNC Server is set to use system authentication.

Under Linux, if you intend VNC Viewer users to authenticate using the credentials of domain accounts, you must pre-configure VNC Server; see the instructions below. In all other circumstances, system authentication should work out of the box.

Setting up VNC Server for domain accounts

When VNC Server is installed, it automatically references a suitable PAM library that checks credentials against the local database store. To see which library this is, and also the default authorization and account rules specified, examine the following file:

  • Under modern versions of Linux: /etc/pam.d/vncserver.
  • Under Solaris, HP-UX, and older versions of Linux: /etc/pam.conf (see the lines starting with vncserver).

Note

Under AIX, VNC Server uses LAM by default; contact Support for more information. To use PAM, specify the UsePam parameter.

To check credentials against an LDAP or an Active Directory password store:

  1. Obtain a PAM library that provides this functionality, for example libpam-krb5.so. Running the command vncinitconfig -pam may help find a suitable library already in use on your system.

  2. Reference that library, and specify appropriate account and authentication rules, in the following file:

    • For platforms using /etc/pam.d/vncserver, in /etc/pam.d/vncserver.custom. Create this file if it does not exist.
    • For platforms using /etc/pam.conf, edit this same file to create vncserver.custom rules pointing to the new PAM library.

  3. In an appropriate system-wide VNC Connect configuration file (for example /etc/vnc/config.d/common.custom), specify the PamApplicationName parameter to register your changes with VNC Server:

    PamApplicationName=vncserver.custom

Note that a suitable PAM library for your platform may already be installed on the VNC Server computer, with appropriate account and authentication rules already specified. For example, if your system has been Kerberized, or if third-party software such as Centrify or PowerBroker Identity Services has been installed to integrate with Active Directory, you may be able to simply reference changes already made.

For example, under Debian-compatible Linux, you may be able to edit /etc/pam.d/vncserver.custom as follows:

    @include common-auth
    @include common-account
    @include common-session

For Red Hat-compatible Linux, the equivalent edits might be:

    auth      include    password-auth
    account   include    password-auth
    session   include    password-auth
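
A consistency check for steps 2 and 3 above, added here as an example and not part of RealVNC's own tooling: it confirms that the name given in PamApplicationName resolves to a readable PAM service file and that the file, after expanding Debian-style @include lines, defines both auth and account rules. The function names, arguments and return codes are assumptions of this example, and targets of Red Hat-style include rules are not followed.

```sh
#!/bin/sh
# Added example (not RealVNC tooling). Function names, arguments and
# return codes are this example's own.

# Print the rules of PAM service file $2 in directory $1, expanding
# Debian-style "@include" lines. $3 is a recursion depth guard.
pam_flatten() {
    [ "${3:-0}" -lt 8 ] || return 1      # include loop
    [ -r "$1/$2" ] || return 1           # service or included file missing
    while read -r first rest || [ -n "$first" ]; do
        case "$first" in
            ''|'#'*) ;;                  # blank line or comment
            '@include') pam_flatten "$1" "$rest" $(( ${3:-0} + 1 )) || return 1 ;;
            *) printf '%s %s\n' "$first" "$rest" ;;
        esac
    done < "$1/$2"
}

# $1 = VNC configuration file, $2 = PAM directory (normally /etc/pam.d).
# Returns 0 if consistent, 2 if PamApplicationName is not set, 3 if the
# PAM file (or a file it includes) cannot be read, 4 if an auth or
# account rule is missing.
check_vnc_pam() {
    # Assumption: if the parameter appears more than once, the last line is used.
    name=$(sed -n 's/^[[:space:]]*PamApplicationName[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p' \
        "$1" 2>/dev/null | tail -n 1)
    [ -n "$name" ] || { echo "PamApplicationName not set in $1" >&2; return 2; }
    rules=$(pam_flatten "$2" "$name") ||
        { echo "cannot read $2/$name or a file it includes" >&2; return 3; }
    for t in auth account; do
        # A leading "-" on the type is valid Linux-PAM syntax.
        printf '%s\n' "$rules" | grep -Eq "^-?$t[[:space:]]" ||
            { echo "$2/$name has no $t rule" >&2; return 4; }
    done
    echo "OK: $name defines auth and account rules"
}

# Usage on a live system:
#   check_vnc_pam /etc/vnc/config.d/common.custom /etc/pam.d
```

A result of 4 for the account type means the service file authenticates users but applies no account checks, so the account rule should be added before domain users are registered.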

Registering domain accounts with VNC Server

Domain accounts must be registered with VNC Server in the standard way, using either:

  • The VNC Server Permissions parameter.
  • VNC Server’s Options > Users & Permissions page.

You may need to qualify user names with the domain name, for example DEV.ACMECORP.COM\johndoe. Note that connecting users may also need to supply the user name qualified in this way.
