Setting up Single Sign-on Authentication (SSO)


If you have an Enterprise subscription, you can specify single sign-on (SSO) authentication for VNC Server instead of system authentication. This means that connecting VNC Viewer users are transparently authenticated by secure network services (Kerberos), without having to enter a password.

*You can combine this authentication scheme with others in order to specify multi-factor authentication for VNC Server.

[Image: VNC Server Options dialog, Security page, with Single sign-on selected as the authentication scheme]

Note the following requirements, which may mean that SSO is unsuitable for use in a home or small office environment:

  • The VNC Server computer must be joined to a domain managed by Active Directory.
  • Each desktop computer running VNC Viewer must be joined to the same domain. Note you cannot connect from a device running VNC Viewer for iOS, Android or Chrome.
  • Each VNC Viewer user must log on to their desktop computer using the credentials of a domain account; that is, of a user account managed by the domain controller.
  • The user account of each prospective VNC Viewer user must be registered with VNC Server, and suitable session permissions assigned.

By default, note that a fallback scheme is defined in case SSO fails for any reason.

Setting up the VNC Server computer

Perform the following steps:

  1. Make sure the computer is joined to a domain.

  2. Specify this authentication scheme, either by:

    • Opening VNC Server’s Options > Security page and selecting Single sign-on from the Authentication dropdown.
    • Setting the VNC Server Authentication parameter.
  3. Under Linux or Mac, obtain a GSSAPI-compatible library.
    Note that a suitable library may already be present on your system, for example /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so under Ubuntu or /usr/lib/sasl2/libgssapiv2.2.so under Mac.
    Alternatively, you may be able to obtain one by installing third party software such as PowerBroker Identity Services or Centrify, designed to integrate with Active Directory.

  4. Under Linux or Mac, create an /etc/vnc/ssolib symbolic link pointing to the location of the GSSAPI-compatible library (above).

  5. Register the domain accounts of all prospective VNC Viewer users with VNC Server, either by:

    Note that prior configuration is required to register domain accounts under Linux. You may also need to qualify user names with the domain name, for example DEV.ACMECORP.COM\johndoe.

Providing a fallback scheme

If SSO fails for any reason (for example, the domain controller cannot be contacted), VNC Server automatically falls back to the authentication scheme specified by the VNC Server Authentication parameter. By default, this is system authentication, and connecting users are prompted to supply the credentials of a user account valid for logging on to the VNC Server computer.

This should work out-of-the-box under Windows and Mac. Under Linux, however, connecting users are only able to supply the credentials of local user accounts by default. To enable connecting users to supply their own credentials (that is, of domain accounts), you must pre-configure VNC Server.

Troubleshooting

MacOS

If you experience issues authenticating with SSO on MacOS, there may be a mismatch between the expected and actual values for Kerberos principals. To check if this is the case, use Directory Utility (/System/Library/CoreServices/Directory Utility.app) to ascertain the service principal name of the computer as it is registered with the domain controller, for example:

[Image: Directory Utility showing the computer record, including its dsAttrTypeNative:servicePrincipalName values]

Assign the fully qualified ‘host’ value listed under dsAttrTypeNative:servicePrincipalName to the VNC Server KerberosPrincipalName parameter; in this case, that value is host/users-macbook-p.dev.realvnc.ltd.
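The record shown by Directory Utility can also be read at a shell prompt, and the value to copy into KerberosPrincipalName is the fully qualified host/ entry rather than the short NetBIOS-style one. The script below is an added example, not part of this article or of RealVNC's software: spn_for_vnc takes attribute text in the shape Directory Utility and dscl print (attribute name on one line, multi-valued entries indented beneath it) and prints the host/ principal that includes a DNS suffix, and spn_matches compares that against the principal VNC Server is currently configured with. The computer record it parses is constructed for the example, using the hostname from the article; the attribute layout and the dNSHostName line are assumptions about the record format.

```shell
#!/bin/sh
# Added example (not RealVNC code): derive the KerberosPrincipalName value
# from a macOS computer record as shown by Directory Utility / dscl -read.

# spn_for_vnc: read attribute text on stdin, print the fully qualified
# host/ service principal name, exit 1 if the record has none.
spn_for_vnc() {
    awk '
        # The attribute name ends in a colon; a single value may follow on the
        # same line, multiple values follow one per line, indented by a space.
        /^dsAttrTypeNative:servicePrincipalName:/ {
            in_spn = 1
            if (NF > 1 && $2 ~ /^host\/.*\./) { print $2; found = 1; exit }
            next
        }
        /^[^ ]/ { in_spn = 0 }            # any unindented line starts a new attribute
        in_spn && $1 ~ /^host\/.*\./ {    # host/ principal with a DNS suffix
            print $1; found = 1; exit
        }
        END { exit found ? 0 : 1 }
    '
}

# Constructed sample record (assumed layout), with the hostname from the article.
SAMPLE_RECORD='dsAttrTypeNative:servicePrincipalName:
 host/USERS-MACBOOK-P
 host/users-macbook-p.dev.realvnc.ltd
dsAttrTypeNative:dNSHostName: users-macbook-p.dev.realvnc.ltd'

# spn_matches CONFIGURED: succeed only if CONFIGURED equals the principal the
# domain controller registered; a mismatch is the symptom described above.
spn_matches() {
    configured=$1
    expected=$(printf '%s\n' "$SAMPLE_RECORD" | spn_for_vnc) || return 2
    [ "$configured" = "$expected" ]
}

# Real use on the VNC Server Mac would pipe the output of dscl -read for the
# computer record into spn_for_vnc instead of the sample record:
#   printf '%s\n' "$SAMPLE_RECORD" | spn_for_vnc
```

Running the last line prints host/users-macbook-p.dev.realvnc.ltd; the short host/USERS-MACBOOK-P entry is skipped because it carries no DNS suffix, which is the form that mismatches what the Kerberos ticket will name.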

Setting up the VNC Viewer desktop computer

*You cannot connect from a device running VNC Viewer for iOS, Android or Chrome.

Perform the following steps:

  1. Make sure the computer is joined to the same domain as the VNC Server computer.

  2. Make sure the VNC Viewer user logs on to their computer using the credentials of a domain account.

  3. Under Linux or Mac, obtain a GSSAPI-compatible library.

    Note that a suitable library may already be present on your system, for example /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so under Ubuntu or /usr/lib/libgssapi_krb5.dylib under Mac. On MacOS Big Sur, you may need to use /usr/lib/sasl2/libgssapiv2.2.so.
    Alternatively, you may be able to obtain one by installing third party software such as PowerBroker Identity Services or Centrify, designed to integrate with Active Directory.

  4. Under Linux or Mac, create an /etc/vnc/ssolib symbolic link pointing to the location of the GSSAPI-compatible library (above).

  5. Make sure VNC Viewer is set to prefer SSO, either by:

    • Turning on Authenticate using single sign-on (SSO) if possible in the VNC Viewer Properties dialog for the connection.
    • Setting the VNC Viewer SingleSignOn parameter to TRUE.
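Steps 3 and 4 are the same on a VNC Server computer and on a VNC Viewer desktop computer: find a GSSAPI-compatible library and make /etc/vnc/ssolib point at it. The script below is an added example, not part of this article or of RealVNC's software, that does both and then verifies the result. It searches the candidate paths this article names (Ubuntu, Mac, and the Big Sur SASL location), creates the symbolic link, replacing a stale one left by an earlier install, and check_ssolib confirms the link resolves to a readable file before VNC is restarted. The link path is a parameter so the functions can be tried against a scratch directory before being run as root against /etc/vnc/ssolib; the candidate list and the link name are the article's, everything else is an assumption of the example.

```shell
#!/bin/sh
# Added example (not RealVNC code): locate a GSSAPI library and create the
# /etc/vnc/ssolib symbolic link that VNC Server and VNC Viewer load for SSO.

# find_gssapi_lib CANDIDATE...: print the first candidate that exists as a file.
find_gssapi_lib() {
    for candidate in "$@"; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# install_ssolib LINK CANDIDATE...: make LINK a symlink to the first existing
# candidate. -f replaces a stale link from a previous install; -n stops ln from
# descending into LINK if it already points at a directory.
install_ssolib() {
    link=$1
    shift
    lib=$(find_gssapi_lib "$@") || {
        echo "install_ssolib: no GSSAPI library found among: $*" >&2
        return 1
    }
    mkdir -p "$(dirname "$link")" || return 1
    ln -sfn "$lib" "$link" || return 1
    printf '%s -> %s\n' "$link" "$lib"
}

# check_ssolib LINK: confirm LINK is a symlink whose target is a readable
# regular file, the state VNC needs before it can load the library. A link
# whose target was removed by a package upgrade fails here, which is the
# case the fallback scheme described in the article would otherwise mask.
check_ssolib() {
    link=$1
    [ -L "$link" ] || { echo "check_ssolib: $link is not a symlink" >&2; return 1; }
    if [ -f "$link" ] && [ -r "$link" ]; then
        readlink "$link"
    else
        echo "check_ssolib: $link points at a missing or unreadable file" >&2
        return 1
    fi
}

# Candidate paths named in the article: Ubuntu, Mac, and the Big Sur SASL library.
GSSAPI_CANDIDATES="/usr/lib/x86_64-linux-gnu/libgssapi_krb5.so /usr/lib/libgssapi_krb5.dylib /usr/lib/sasl2/libgssapiv2.2.so"

# Real use, as root, on either the VNC Server or the VNC Viewer computer:
#   install_ssolib /etc/vnc/ssolib $GSSAPI_CANDIDATES && check_ssolib /etc/vnc/ssolib
```

On a distribution whose library lives elsewhere (a different multiarch directory, or a library installed by an Active Directory integration product), append its path to GSSAPI_CANDIDATES or pass it explicitly; install_ssolib fails loudly rather than creating a dangling link when none of the candidates exist.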

Comments

  • Can anyone explain how to set it in RHEL 7