Single Sign-on authentication for RealVNC Server is not related to the RealVNC Account SSO feature.
If you specify Single sign-on authentication for RealVNC Server instead of system authentication, connecting RealVNC Viewer users can be authenticated transparently by on-premise secure network services (Kerberos), without having to enter a password.
Note the following requirements, which may mean that SSO is unsuitable for use in a home or small office environment:
- The RealVNC Server computer must be joined to a domain managed by Active Directory.
- Each desktop computer running RealVNC Viewer must be joined to the same domain. Note you cannot connect from a device running RealVNC Viewer for Mobile.
- Each RealVNC Viewer user must log on to their desktop computer using the credentials of a domain account; that is, of a user account managed by the domain controller.
- The user account of each prospective RealVNC Viewer user must be registered with RealVNC Server, and suitable session permissions assigned.
Note that, by default, a fallback scheme is defined in case SSO fails for any reason.
You can combine this authentication scheme with others in order to specify multi-factor authentication for RealVNC Server.
Setting up the RealVNC Server computer
Configuring Single Sign-on
Perform the following steps:
1. Make sure the computer is joined to a domain.
2. Specify this authentication scheme, either by:
   - Opening RealVNC Server’s Options > Security page and selecting Single sign-on from the Authentication dropdown.
   - Setting the RealVNC Server Authentication parameter.
3. Under Windows, skip to step 6.
4. Under Linux or macOS, obtain a GSSAPI-compatible library. Note that a suitable library may already be present on your system, for example /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so under Ubuntu, or /usr/lib/sasl2/libgssapiv2.2.so under macOS. Alternatively, you may be able to obtain one by installing third-party software such as PowerBroker Identity Services or Centrify, designed to integrate with Active Directory.
5. Under Linux or macOS, create an /etc/vnc/ssolib symbolic link pointing to the location of the GSSAPI-compatible library (above).
6. Register the domain accounts of all prospective RealVNC Viewer users with RealVNC Server, either by:
   - Opening RealVNC Server’s Options > Users & Permissions page and following these instructions.
   - Setting the RealVNC Server Permissions parameter.
   Note that prior configuration is required to register domain accounts under Linux. You may also need to qualify user names with the domain name, for example DEV.ACMECORP.COM\johndoe.
Providing a fallback scheme
If SSO fails for any reason (for example, the domain controller cannot be contacted), RealVNC Server automatically falls back to the authentication scheme specified by the RealVNC Server Authentication parameter.
By default, this is system authentication, and connecting users are prompted to supply the credentials of a user account valid for logging on to the RealVNC Server computer.
This should work out-of-the-box under Windows and macOS. Under Linux, however, connecting users are only able to supply the credentials of local user accounts by default. To enable connecting users to supply their own credentials (that is, of domain accounts), you must pre-configure RealVNC Server.
Troubleshooting
macOS
Use Directory Utility (/System/Library/CoreServices/Directory Utility.app) to ascertain the service principal name of the computer as it is registered with the domain controller. Assign the dsAttrTypeNative:servicePrincipalName ‘host’ value to the RealVNC Server KerberosPrincipalName parameter, so for example host/users-macbook-p.dev.realvnc.ltd.
Setting up the RealVNC Viewer desktop computer
You cannot connect using Single sign-on from a device running RealVNC Viewer for Mobile.
Perform the following steps:
1. Make sure the computer is joined to the same domain as the RealVNC Server computer.
2. Make sure the RealVNC Viewer user logs on to their computer using the credentials of a domain account.
3. Under Windows, skip to step 6.
4. Under Linux or macOS, obtain a GSSAPI-compatible library. Note that a suitable library may already be present on your system, for example /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so under Ubuntu, or /usr/lib/sasl2/libgssapiv2.2.so under macOS. Alternatively, you may be able to obtain one by installing third-party software such as PowerBroker Identity Services or Centrify, designed to integrate with Active Directory.
5. Under Linux or macOS, create an /etc/vnc/ssolib symbolic link pointing to the location of the GSSAPI-compatible library (above).
6. Make sure RealVNC Viewer is set to prefer SSO, either by:
   - Turning on Authenticate using single sign-on (SSO) if possible in the RealVNC Viewer Properties dialog for the connection.
   - Setting the RealVNC Viewer SingleSignOn parameter to TRUE.
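The GSSAPI library and /etc/vnc/ssolib steps are the same for the RealVNC Server computer and the RealVNC Viewer computer under Linux or macOS. The following POSIX shell script is an added example, not RealVNC's own code or part of its documentation: it looks for a GSSAPI-compatible library at the two locations named above, refuses a library that anyone on the system could modify (whatever the link points at is loaded into the authentication path), creates the symbolic link without clobbering a regular file that might already sit there, and verifies that the link resolves. The candidate list, the function names and the --run flag are this example's own assumptions.

```shell
#!/bin/sh
# Added example: locate a GSSAPI-compatible library and create the
# /etc/vnc/ssolib symbolic link RealVNC Server/Viewer expect on Linux and
# macOS. The candidate paths are the ones named in the article; the function
# names and the --run flag are assumptions of this example.

# Library locations named in the article (Ubuntu first, then macOS).
GSSAPI_CANDIDATES="/usr/lib/x86_64-linux-gnu/libgssapi_krb5.so /usr/lib/sasl2/libgssapiv2.2.so"

# Print the first readable regular file among the arguments; fail if none exists.
find_gssapi_lib() {
    for candidate in "$@"; do
        if [ -f "$candidate" ] && [ -r "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Reject a library that is missing or world-writable: the file behind
# /etc/vnc/ssolib is loaded by the authentication code, so it must not be
# modifiable by arbitrary local users.
lib_is_safe() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" -prune -perm -o+w 2>/dev/null)" ]
}

# Create (or replace) the symbolic link $2 (default /etc/vnc/ssolib) -> $1.
# A regular file already at the link path is left alone rather than clobbered.
create_ssolib_link() {
    target=$1
    link=${2:-/etc/vnc/ssolib}
    lib_is_safe "$target" || { echo "unsuitable GSSAPI library: $target" >&2; return 1; }
    if [ -e "$link" ] && [ ! -L "$link" ]; then
        echo "$link exists and is not a symbolic link; refusing to overwrite" >&2
        return 1
    fi
    mkdir -p "$(dirname "$link")" || return 1
    rm -f "$link" && ln -s "$target" "$link"
}

# Succeed only if the link exists and resolves to a readable file.
verify_ssolib_link() {
    link=${1:-/etc/vnc/ssolib}
    [ -L "$link" ] && [ -r "$link" ]
}

# Usage (as root on the computer being configured): sh setup-ssolib.sh --run
if [ "${1:-}" = "--run" ]; then
    lib=$(find_gssapi_lib $GSSAPI_CANDIDATES) || {
        echo "no GSSAPI library found; install one or extend GSSAPI_CANDIDATES" >&2
        exit 1
    }
    create_ssolib_link "$lib" && verify_ssolib_link && echo "/etc/vnc/ssolib -> $lib"
fi
```

If your distribution or identity-integration software (PowerBroker Identity Services, Centrify) installs the library elsewhere, add that path to GSSAPI_CANDIDATES rather than pointing the link at a copy in a user-writable location.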