
Setting up smartcard/certificate store authentication

If you have a Professional or Enterprise subscription, you can specify smartcard/certificate store authentication for VNC Server instead of system authentication. This means that connecting VNC Viewer users are transparently authenticated using a digital certificate they own, without having to enter a password.

Note

You can combine this authentication scheme with others in order to specify multi-factor authentication for VNC Server.

[Image: VNC Server Options dialog, Certificate Authentication]

Note the following requirements:

  • The VNC Server computer must be joined to a domain managed by Active Directory.
  • Each desktop computer running VNC Viewer must have access to an X.509 digital certificate, stored on a pluggable smartcard or authentication token, or in a suitable certificate store on the computer. Note you cannot connect from a device running VNC Viewer for iOS, Android or Chrome in this release.
  • The X.509 certificate issued to each VNC Viewer user must meet this specification.
  • The user account of each prospective VNC Viewer user must be registered with VNC Server, and suitable session permissions assigned.

Setting up the VNC Server computer

Perform the following steps:

  1. Make sure the computer is joined to a domain managed by Active Directory. Under Linux, see these pointers for Debian-based, Red Hat-based and SUSE computers.

  2. Enable the Active Directory Certificate Services role on at least one domain controller.

  3. Specify this authentication scheme, either by:

    • Selecting the Smartcard/certificate store option from the Authentication dropdown.
    • Setting the VNC Server Authentication parameter.
  4. Under Linux, configure VNC Server to identify the domain controller hosting the LDAP server.

    Either set the VNC Server LdapCertificateUserStore, LdapCertificateIntermediateStore and LdapCertificateTrustStore parameters, or configure the LDAP server itself by adding HOST <your DC> to the LDAP library’s configuration file (for example, /etc/ldap/ldap.conf under Ubuntu or /etc/openldap/ldap.conf under CentOS).

  5. Under Linux or Mac, obtain an LDAP-compatible library.

    Note that a suitable library may already be present on your system, for example /usr/lib/x86_64-linux-gnu/libldap-2.4.so.2 under Ubuntu, /lib64/libldap-2.4.so.2 under CentOS, or /usr/lib/libldap.dylib under Mac. Alternatively, you may be able to obtain one by installing third party software such as PowerBroker Identity Services or Centrify, designed to integrate with Active Directory.

  6. Under Linux, create an /etc/vnc/ldaplib symbolic link pointing to the location of the LDAP-compatible library (above). If third party software is installed, make sure the symbolic link points to the third party version and not the system version.

    Note

    This symbolic link is also required under Mac but VNC Server should create it for you at install-time (providing libldap.dylib can be found).

  7. Under Linux, create /etc/vnc/kinit and /etc/vnc/klist symbolic links pointing to /usr/bin/kinit and /usr/bin/klist respectively. If third party software is installed, make sure the symbolic links point to the third party versions and not the system versions.

    Note

    These symbolic links are also required under Mac but VNC Server should create them for you at install-time.

  8. Register the user accounts of all prospective VNC Viewer users with VNC Server, either by:

    Note prior configuration is required to register domain accounts under Linux. You may also need to qualify user names with the domain name, for example DEV.ACMECORP.COM\johndoe.
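The Linux steps above leave several pieces of state on the VNC Server computer that are easy to get wrong (a dangling /etc/vnc/ldaplib link, kinit/klist links that silently point at the system tools after a third-party AD package was installed, a HOST line missing from ldap.conf). The following preflight check is an added example, not RealVNC code: it inspects those links and the LDAP configuration file, and takes a root prefix so it can be run against a constructed temporary tree; the host name dc1.dev.acmecorp.com and the sample file layout are constructed for the demo.

```python
"""Preflight check for the Linux VNC Server steps on this page:
/etc/vnc/ldaplib, /etc/vnc/kinit, /etc/vnc/klist symbolic links and the HOST
entry in the LDAP library's configuration file.  Added example, not RealVNC
code.  `root` defaults to "/" but can point at any tree (used for testing)."""
import os
import tempfile
from pathlib import Path

# Expected links when the stock tools are used (page steps 6 and 7).  The
# ldaplib target varies by distribution (step 5), so only its existence is
# checked; a site using PowerBroker/Centrify would put its own path here.
EXPECTED_LINKS = {
    "etc/vnc/ldaplib": None,
    "etc/vnc/kinit": "/usr/bin/kinit",
    "etc/vnc/klist": "/usr/bin/klist",
}
# Configuration files named on the page (Ubuntu and CentOS locations).
LDAP_CONF_CANDIDATES = ("etc/ldap/ldap.conf", "etc/openldap/ldap.conf")


def check_link(root: Path, rel: str, expected_target) -> str:
    """Describe the state of one symbolic link relative to `root`."""
    link = root / rel
    if not link.is_symlink():
        return "missing" if not link.exists() else "not a symlink"
    target = os.readlink(link)
    # Resolve absolute targets inside the inspected root, not the live system.
    resolved = root / target.lstrip("/") if target.startswith("/") else link.parent / target
    if not resolved.exists():
        return f"dangling -> {target}"
    if expected_target and target != expected_target:
        return f"points to {target} (third-party tool?)"
    return "ok"


def ldap_host_configured(root: Path):
    """Return the HOST value from the first LDAP config file found, else None."""
    for rel in LDAP_CONF_CANDIDATES:
        conf = root / rel
        if conf.is_file():
            for line in conf.read_text().splitlines():
                parts = line.split()
                if len(parts) >= 2 and parts[0].upper() == "HOST":
                    return parts[1]
            return None
    return None


def preflight(root: Path = Path("/")) -> dict:
    """Run every check and return a dict of findings keyed by item."""
    results = {rel: check_link(root, rel, tgt) for rel, tgt in EXPECTED_LINKS.items()}
    results["ldap_host"] = ldap_host_configured(root)
    return results


def build_sample_tree(root: Path, broken: bool = False) -> None:
    """Constructed tree imitating an Ubuntu host; `broken` omits klist and HOST."""
    for rel in ("usr/bin/kinit", "usr/bin/klist",
                "usr/lib/x86_64-linux-gnu/libldap-2.4.so.2"):
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("")
    (root / "etc/vnc").mkdir(parents=True)
    (root / "etc/ldap").mkdir(parents=True)
    conf = "BASE dc=dev,dc=acmecorp,dc=com\n"          # constructed values
    if not broken:
        conf += "HOST dc1.dev.acmecorp.com\n"
    (root / "etc/ldap/ldap.conf").write_text(conf)
    os.symlink("/usr/lib/x86_64-linux-gnu/libldap-2.4.so.2", root / "etc/vnc/ldaplib")
    os.symlink("/usr/bin/kinit", root / "etc/vnc/kinit")
    if not broken:
        os.symlink("/usr/bin/klist", root / "etc/vnc/klist")


def run_demo() -> tuple:
    """Check one correctly configured and one incomplete sample tree."""
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as bad:
        build_sample_tree(Path(good))
        build_sample_tree(Path(bad), broken=True)
        return preflight(Path(good)), preflight(Path(bad))


if __name__ == "__main__":
    for label, findings in zip(("complete", "incomplete"), run_demo()):
        print(label, findings)
```

On a real host run preflight() with the default root as a user that can read /etc/vnc; anything other than "ok" for a link, or None for ldap_host when the LdapCertificate* parameters are not set, corresponds to one of steps 4 to 7 not having been completed.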

Setting up the VNC Viewer desktop computer

Note

You cannot connect from a device running VNC Viewer for iOS, Android or Chrome in this release.

Perform the following steps:

  1. Create a suitable X.509 certificate for the VNC Viewer user. Active Directory Certificate Services is recommended:

    • Use an RSA key, or an ECDSA key with a P-256, P-384 or P-521 curve.
    • Specify the Client Authentication Extended Key Usage (or no key usages). The OID for this usage is 1.3.6.1.5.5.7.3.2. Note that under Windows, VNC Viewer will skip certificates if this key usage has been disabled via Windows key usage properties.
    • Make sure VNC Viewer can extract the user account name from the certificate. By default, the name is extracted in “User-Principal Name” format (UPN), either from the certificate’s User Principal Name (stored as a Subject Alternative Name with OID 1.3.6.1.4.1.311.20.2.3) or from an email address stored as a Subject Alternative Name (RFC 822 name). Set the VNC Viewer CertificateUsername parameter to customize user name mapping.
  2. Provision the computer with the certificate:

    • If the VNC Viewer user will plug a smartcard or authentication token into the computer, make sure that person knows the PIN.

      Under Windows, no setup is required to enable VNC Viewer to load certificates from a smartcard/token. Under macOS Sierra (10.12), no setup is required providing the smartcard/token is supported by Apple’s CryptoKit drivers. Under Linux, and versions of macOS earlier than 10.12, you must use a PKCS #11 library to enable VNC Viewer to load certificates, such as that provided by the OpenSC project. To do this, set the VNC Viewer Pkcs11Lib parameter to the full path of the library, for example /usr/lib/opensc-pkcs11.so.

    • If the certificate will reside in a certificate store on the computer itself, make sure:

      • Under Windows, the certificate is in the Personal > Certificates store (using a tool such as certmgr.msc).
      • Under Mac, the certificate is in the login keychain.

      Under Linux, please contact Support to see how to load certificates from a certificate store.

  3. Make sure VNC Viewer is set to prefer smartcard/certificate store authentication, either by:

    • Turning on Authenticate using a smartcard or certificate store if possible in the VNC Viewer Properties dialog for connections to the VNC Server computer.
    • Setting the VNC Viewer AuthCertificate parameter to <auto>.
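Before provisioning a certificate it is worth confirming that it satisfies the rules in step 1 and that the user name VNC Viewer will derive from it is the one you expect. The script below is an added example, not VNC Viewer or RealVNC code: it applies the three rules from the page (RSA or ECDSA on P-256/P-384/P-521; Client Authentication EKU 1.3.6.1.5.5.7.3.2 or no EKU; user name from the UPN Subject Alternative Name, OID 1.3.6.1.4.1.311.20.2.3, falling back to an RFC 822 email name) using the third-party cryptography package, which is an assumption about your environment. The self-signed sample certificates, the UPN johndoe@dev.acmecorp.com and the email address are constructed for the demo; how VNC Viewer itself performs the mapping beyond what the page states is not claimed here.

```python
"""Check an X.509 certificate against the requirements this page lists for
VNC Viewer smartcard/certificate store authentication and extract the UPN-
format user name as the page describes.  Added example, not RealVNC code;
assumes the third-party `cryptography` package is installed."""
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID, ObjectIdentifier

CLIENT_AUTH_OID = ObjectIdentifier("1.3.6.1.5.5.7.3.2")   # Client Authentication EKU (page)
UPN_OID = ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")      # User Principal Name otherName (page)
ALLOWED_CURVES = (ec.SECP256R1, ec.SECP384R1, ec.SECP521R1)  # P-256, P-384, P-521


def key_is_acceptable(cert: x509.Certificate) -> bool:
    """RSA, or ECDSA on one of the three NIST curves the page allows."""
    pub = cert.public_key()
    if isinstance(pub, rsa.RSAPublicKey):
        return True
    if isinstance(pub, ec.EllipticCurvePublicKey):
        return isinstance(pub.curve, ALLOWED_CURVES)
    return False


def eku_is_acceptable(cert: x509.Certificate) -> bool:
    """Client Authentication EKU present, or no EKU extension at all."""
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return True
    return CLIENT_AUTH_OID in eku


def _decode_utf8string(der: bytes) -> str:
    """Decode the DER UTF8String (tag 0x0C, short-form length) inside a UPN otherName."""
    if len(der) < 2 or der[0] != 0x0C or der[1] & 0x80:
        raise ValueError("unsupported UPN encoding")
    return der[2:2 + der[1]].decode("utf-8")


def extract_username(cert: x509.Certificate):
    """UPN otherName first, then an RFC 822 (email) SAN; None if neither exists."""
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return None
    for other in san.get_values_for_type(x509.OtherName):
        if other.type_id == UPN_OID:
            return _decode_utf8string(other.value)
    emails = san.get_values_for_type(x509.RFC822Name)
    return emails[0] if emails else None


def check_certificate(cert: x509.Certificate) -> dict:
    """Summarise the three checks for one certificate."""
    return {"key_ok": key_is_acceptable(cert),
            "eku_ok": eku_is_acceptable(cert),
            "username": extract_username(cert)}


def upn_other_name(upn: str) -> x509.OtherName:
    """Encode a UPN as the DER UTF8String carried in the Microsoft otherName."""
    raw = upn.encode("utf-8")
    return x509.OtherName(UPN_OID, b"\x0c" + bytes([len(raw)]) + raw)


def make_test_cert(key, sans, eku_oids=(ExtendedKeyUsageOID.CLIENT_AUTH,)):
    """Constructed, self-signed sample certificate for local testing only."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "johndoe")])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(name).issuer_name(name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now)
               .not_valid_after(now + datetime.timedelta(days=1))
               .add_extension(x509.SubjectAlternativeName(sans), critical=False))
    if eku_oids is not None:
        builder = builder.add_extension(x509.ExtendedKeyUsage(list(eku_oids)), critical=False)
    return builder.sign(key, hashes.SHA256())


def sample_results() -> dict:
    """Constructed sample certificates (not real users) exercising each rule."""
    upn = "johndoe@dev.acmecorp.com"            # matches the page's DEV.ACMECORP.COM\johndoe
    email = x509.RFC822Name("john.doe@mail.example")
    p256 = ec.generate_private_key(ec.SECP256R1())
    rsa_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return {
        # UPN otherName takes precedence over the email SAN
        "upn_and_email": check_certificate(make_test_cert(p256, [upn_other_name(upn), email])),
        # no EKU extension is allowed; the email SAN supplies the name
        "email_no_eku": check_certificate(make_test_cert(rsa_key, [email], eku_oids=None)),
        # serverAuth only: would not be accepted as a client certificate
        "server_auth_only": check_certificate(make_test_cert(
            p256, [upn_other_name(upn)], eku_oids=(ExtendedKeyUsageOID.SERVER_AUTH,))),
    }


if __name__ == "__main__":
    for label, findings in sample_results().items():
        print(label, findings)
```

To inspect a certificate exported from a smartcard or keychain, load it with x509.load_pem_x509_certificate (or load_der_x509_certificate) and pass it to check_certificate; a username of None means the default UPN mapping will fail and the CertificateUsername parameter will be needed.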