If you have a Professional or Enterprise subscription, then by default VNC Server is set to use system authentication. This means that VNC Viewer users can authenticate to VNC Server using the same credentials they normally use to log on to their user account on the VNC Server computer.

The system authentication scheme (labelled Windows password, Mac password or UNIX password) is typically both secure and convenient. System administrators commonly force the adoption of complex user names and passwords in enterprise environments. Users can authenticate using already-familiar credentials and don’t have to remember yet another password.
Note: You can combine this authentication scheme with others in order to specify multi-factor authentication for VNC Server.
The user account of each prospective VNC Viewer user must be registered with VNC Server. Certain admin groups are pre-registered, to enable connectivity out-of-the-box. This may mean no setup is required, especially under Windows and Mac.
Note: Setup is required to register non-admin users and groups with VNC Server, and prior configuration is required to register domain accounts under Linux.
To authenticate to VNC Server, a registered VNC Viewer user can supply the credentials:
- Under any platform, of a local user account (that is, one set up directly on the computer).
- Under Windows and Mac, providing the computer is joined to a domain, of a domain user account (one that is managed by a network service such as Active Directory). Note that prior configuration is required under Linux; see below.
- Under Windows 8 or later, providing the computer is connected to the Internet, of a cloud user account (that is, of a Microsoft account in which the email address constitutes the user name).
Setting up domain accounts under Linux
When VNC Server is installed on Linux platforms, a suitable PAM library that checks credentials against the local database store only is automatically referenced. To see which library this is, and also the default authorization and account rules specified, examine the following file:
- Under modern versions of Linux: /etc/pam.d/vncserver
- Under Solaris, HP-UX, and older versions of Linux: /etc/pam.conf (see lines starting vncserver).
Note: Under AIX, VNC Server uses LAM by default; contact Support for more information. To use PAM, specify the UsePam parameter.
To check domain account credentials against an LDAP or an Active Directory password store:
- Obtain a PAM library that provides this functionality, for example libpam-krb5.so. Running the command vncinitconfig -pam may help find a suitable library already in use on your system.
- Reference that library, and specify appropriate account and authentication rules, in the following file:
  - For platforms using /etc/pam.d/vncserver, in /etc/pam.d/vncserver.custom. Create this file if it does not exist.
  - For platforms using /etc/pam.conf, edit this same file to create vncserver.custom rules pointing to the new PAM library.
- In an appropriate system-wide VNC Connect configuration file (for example /etc/vnc/config.d/common.custom), specify the PamApplicationName parameter to register your changes with VNC Server:
  PamApplicationName=vncserver.custom
Note that a suitable PAM library for your platform may already be installed on the VNC Server computer, and appropriate account and authentication rules specified. For example, if your system has been Kerberized, or third-party software such as Centrify or PowerBroker Identity Services is installed to integrate with Active Directory, then you may be able to simply reference changes already made.
For example, under Debian-compatible Linux, you may be able to edit /etc/pam.d/vncserver.custom as follows:
@include common-auth
@include common-account
@include common-session
For Red Hat-compatible Linux, the equivalent edits might be:
auth include password-auth
account include password-auth
session include password-auth
Registering domain accounts with VNC Server
Domain accounts must be registered with VNC Server in the standard way, either by:
- Setting the VNC Server Permissions parameter.
- Opening VNC Server’s Options > Users & Permissions page and following these instructions.
You may need to qualify user names with the domain name, for example DEV.ACMECORP.COM\johndoe. Note that connecting users may also need to supply the user name qualified in this way.