Setting up System Authentication

Follow

What is System Authentication?

If you have a Professional or Enterprise subscription, then by default VNC Server is set to use system authentication. This means that VNC Viewer users can authenticate to VNC Server using the same credentials they normally use to log on to their user account on the VNC Server computer.

VNC_Server_Options_Dialog_System_Authentication.png

The system authentication scheme (labelled Windows passwordMac password or UNIX password) is both secure and convenient:

  1. System administrators often implement rules such as password complexity and ageing in enterprise environments to meet organisational security policies
  2. Users can authenticate using already-familiar credentials, and don’t have to remember yet another password.

*You can combine this authentication scheme with others in order to specify multi-factor authentication for VNC Server.

Setting up System Authentication

The user account of each prospective VNC Viewer user must be registered with VNC Server. Certain admin groups are pre-registered, to enable connectivity out-of-the-box. This may mean no set up is required, especially under Windows and Mac.

*Set up is required to register non-admin users and groups with VNC Server, and prior configuration is required to register domain accounts under Linux.

To authenticate to VNC Server, a registered VNC Viewer user can supply the credentials:

  • Under any platform, of a local user account (that is, one set up directly on the computer).
  • Under Windows and Mac, providing the computer is joined to a domain, of a domain user account (one that is managed by a network service such as Active Directory). Note that prior configuration is required under Linux; see below.
  • Under Windows 8 or later, if the local user account is linked to a Microsoft account, the email address and password of the linked Microsoft account.

If you are unsure of the username to use, please see this article.

Setting up domain accounts under Linux

When VNC Server is installed on Linux platforms, a suitable PAM library checking credentials against the local database store only is automatically referenced. 

To configure VNC Server to allow authentication with domain accounts, the below steps will enable a basic configuration to achieve this:

  1. Create /etc/pam.d/vncserver.custom with the below contents, depending on your operating system:
    Ubuntu
    @include common-auth
    @include common-account
    @include common-session

    RHEL / CentOS

    auth include password-auth
    account include password-auth
    session include password-auth
  2. Create/edit /etc/vnc/config.d/common.custom and add the line:
    PamApplicationName=vncserver.custom
  3. Restart VNC Server
  4. Connect with VNC Viewer and try authenticating with domain credentials. Note: you may need to qualify usernames with the domain name, for example DEV.ACMECORP.COM\johndoe

If you are unable to authenticate with domain credentials after following these steps, please contact Support.

Setting up domain accounts under Legacy *nix

When VNC Server is installed on legacy *nix platforms, a suitable PAM library checking credentials against the local database store only is automatically referenced. To see which library this is, and also the default authorization and account rules specified, examine the following file: /etc/pam.conf (see lines starting vncserver).

*Under AIX, VNC Server uses LAM by default; contact Support for more information. To use PAM, specify the UsePam parameter.

Registering domain accounts with VNC Server

If the domain accounts you are using are not part of any built-in or local groups on the computer running VNC Server, domain accounts must be registered with VNC Server in the standard way, either by:

You may need to qualify usernames with the domain name, for example DEV.ACMECORP.COM\johndoe. Note that connecting users may also need to supply the user name qualified in this way too.

Was this article helpful?
10 out of 48 found this helpful

Comments

0 comments

Please sign in to leave a comment.