Setting up Single sign-on Authentication

Follow

SSO-Legacy.png
SSO.png

Single Sign-on authentication for RealVNC Server is not related to the RealVNC Account SSO feature.

By specifying Single sign-on authentication for RealVNC Server instead of system authentication, this means that connecting RealVNC Viewer users can be transparently authenticated by on-premise secure network services (Kerberos), without having to enter a password.

VNC_Server_Options_Dialog_SingleSignOn_Authentication.png

Note the following requirements, which may mean that SSO is unsuitable for use in a home or small office environment:

  • The RealVNC Server computer must be joined to a domain managed by Active Directory.
  • Each desktop computer running RealVNC Viewer must be joined to the same domain. Note you cannot connect from a device running RealVNC Viewer for Mobile.
  • Each RealVNC Viewer user must log on to their desktop computer using the credentials of a domain account; that is, of a user account managed by the domain controller.
  • The user account of each prospective RealVNC Viewer user must be registered with RealVNC Server, and suitable session permissions assigned.

By default, note that a fallback scheme is defined in case SSO fails for any reason.

You can combine this authentication scheme with others in order to specify multi-factor authentication for RealVNC Server.

Setting up the RealVNC Server computer

Configuring Single Sign-on

Perform the following steps:

  1. Make sure the computer is joined to a domain.

  2. Specify this authentication scheme, either by:

    1. Opening RealVNC Server’s Options > Security page and selecting Single sign-on from the Authentication dropdown.
    2. Setting the RealVNC Server Authentication parameter.
  3. Under Windows, skip to step 6.
  4. Under Linux or macOS, obtain a GSSAPI-compatible library.
    Note that a suitable library may already be present on your system.
    For example,
    /usr/lib/x86_64-linux-gnu/libgssapi_krb5.sounder Ubuntu; or
    /usr/lib/sasl2/libgssapiv2.2.so under macOS.

    Alternatively, you may be able to obtain one by installing third party software such as PowerBroker Identity Services or Centrify, designed to integrate with Active Directory.

  5. Under Linux or macOS, create an /etc/vnc/ssolib symbolic link pointing to the location of the GSSAPI-compatible library (above).

  6. Register the domain accounts of all prospective RealVNC Viewer users with RealVNC Server, either by:

    1. Opening RealVNC Server’s Options > Users & Permissions page and following these instructions.
    2. Setting the RealVNC Server Permissions parameter.

    Note prior configuration is required to register domain accounts under Linux. You may also need to qualify user names with the domain name, for example DEV.ACMECORP.COM\johndoe.

Providing a fallback scheme

If SSO fails for any reason (for example, the domain controller cannot be contacted), RealVNC Server automatically falls back to the authentication scheme specified by the RealVNC Server Authentication parameter.

By default, this is system authentication, and connecting users are prompted to supply the credentials of a user account valid for logging on to the RealVNC Server computer.

This should work out-of-the-box under Windows and macOS. Under Linux, however, connecting users are only able to supply the credentials of local user accounts by default. To enable connecting users to supply their own credentials (that is, of domain accounts), you must pre-configure RealVNC Server.

Troubleshooting

macOS

If you experience issues authenticating with SSO on macOS, there may be a mismatch between the expected and actual values for Kerberos principals. To check if this is the case, use Directory Utility (/System/Library/CoreServices/Directory Utility.app) to ascertain the service principal name of the computer as it is registered with the domain controller, for example:

Indent1_mac_sso_directory_utility.png

Assign the dsAttrTypeNative:servicePrincipalName ‘host’ value to the RealVNC Server KerberosPrincipalName parameter, so in this case host/users-macbook-p.dev.realvnc.ltd.

Setting up the RealVNC Viewer desktop computer

You cannot connect using Single sign-on from a device running RealVNC Viewer for Mobile

Perform the following steps:

  1. Make sure the computer is joined to the same domain as the RealVNC Server computer.

  2. Make sure the RealVNC Viewer user logs on to their computer using the credentials of a domain account.

  3. Under Windows, skip to step 6.
  4. Under Linux or macOS, obtain a GSSAPI-compatible library.

    Note that a suitable library may already be present on your system.
    For example,
    /usr/lib/x86_64-linux-gnu/libgssapi_krb5.sounder Ubuntu; or
    /usr/lib/sasl2/libgssapiv2.2.so under macOS.

    Alternatively, you may be able to obtain one by installing third party software such as PowerBroker Identity Services or Centrify, designed to integrate with Active Directory.

  5. Under Linux or macOS, create an /etc/vnc/ssolib symbolic link pointing to the location of the GSSAPI-compatible library (above).

  6. Make sure RealVNC Viewer is set to prefer SSO, either by:

    1. Turning on Authenticate using single sign-on (SSO) if possible in the RealVNC Viewer Properties dialog for the connection.
    2. Setting the RealVNC Viewer SingleSignOn parameter to TRUE.
Was this article helpful?
6 out of 18 found this helpful

Comments

0 comments

Article is closed for comments.