Setting up Smartcard/Certificate Store Authentication

What is Smartcard/Certificate Store Authentication?

If you have a suitable subscription, you can specify smartcard/certificate store authentication for RealVNC Server instead of System Authentication. This means that connecting RealVNC Viewer users are transparently authenticated using a digital certificate they own, without having to enter a password.

*You can combine this authentication scheme with others in order to specify multi-factor authentication for RealVNC Server.

Note the following requirements:

  • The RealVNC Server computer must be joined to a domain managed by Active Directory/LDAP.
  • Each device running RealVNC Viewer must have access to an X.509 digital certificate, stored on a pluggable smartcard or authentication token (desktop only), or in a suitable certificate store on the device.
  • The X.509 certificate issued to each RealVNC Viewer user must meet the specification detailed under Setting up the RealVNC Viewer desktop computer.
  • The user account of each prospective RealVNC Viewer user must be registered with RealVNC Server, and suitable session permissions assigned.

Setting up the RealVNC Server computer

Configure Active Directory/LDAP

Make sure the computer is joined to a domain managed by Active Directory/LDAP, and that a suitable certificate management/enrollment service, such as Active Directory Certificate Services, is running on at least one domain controller.

Configure RealVNC Server

  1. Open RealVNC Server’s Options > Security page and select Smartcard/certificate store from the Authentication dropdown.
  2. Register the user accounts of all prospective RealVNC Viewer users with RealVNC Server, either by
    • Opening RealVNC Server’s Options > Users & Permissions page and following these instructions.
    • Setting the RealVNC Server Permissions parameter.
      Note that prior configuration is required to register domain accounts under Linux. You may also need to qualify usernames with the domain name, for example DEV.ACMECORP.COM\johndoe.

Linux and macOS

  1. Under Linux, configure RealVNC Server to identify the domain controller hosting the LDAP server.

    Either set the RealVNC Server LdapCertificateUserStore, LdapCertificateIntermediateStore and LdapCertificateTrustStore parameters, or configure the LDAP library itself by adding HOST <your DC> to its configuration file, typically found at:
    Ubuntu: /etc/ldap/ldap.conf
    CentOS/RHEL: /etc/openldap/ldap.conf

  2. Under Linux and macOS, obtain an LDAP-compatible library.

    Note that a suitable library may already be present on your system, for example:
    Ubuntu: /usr/lib/x86_64-linux-gnu/libldap-2.4.so.2
    CentOS/RHEL: /lib64/libldap-2.4.so.2
    macOS: /usr/lib/libldap.dylib

    Alternatively, you may be able to obtain one by installing third party software such as PowerBroker Identity Services or Centrify, designed to integrate with Active Directory.

  3. Under Linux, create an /etc/vnc/ldaplib symbolic link pointing to the location of the LDAP-compatible library (above). If third party software is installed, make sure the symbolic link points to the third party version and not the system version.

    *This symbolic link is also required under macOS, but RealVNC Server should create it for you at install time (provided libldap.dylib can be found).

  4. Under Linux, create /etc/vnc/kinit and /etc/vnc/klist symbolic links pointing to /usr/bin/kinit and /usr/bin/klist respectively.

    If third party software is installed, make sure the symbolic links point to the third party versions and not the system versions.

    *These symbolic links are also required under macOS, but RealVNC Server should create them for you at install time.
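The Linux steps above (the ldap.conf HOST line and the three /etc/vnc symbolic links), gathered into one script as an added example. This is not RealVNC's installer or any RealVNC-provided tooling. Every path is a parameter so the functions can be dry-run in a scratch directory; the defaults are the locations named in the article, and the domain controller name dc01.dev.acmecorp.com is an assumed placeholder. On a real server run it as root.

```shell
#!/bin/sh
# Added example, not RealVNC tooling: performs the Linux steps above
# (ldap.conf HOST line, /etc/vnc/ldaplib, /etc/vnc/kinit, /etc/vnc/klist).
# All paths are parameters so the functions can be exercised in a scratch
# directory; the defaults are the locations the article names.
set -u

# first_existing PATH... -> prints the first PATH that exists; returns 1 if none does
first_existing() {
  for p in "$@"; do
    if [ -e "$p" ]; then printf '%s\n' "$p"; return 0; fi
  done
  return 1
}

# set_ldap_host CONF HOSTNAME
# Points the LDAP library at the domain controller (the article's "HOST <your DC>").
# Replaces an existing HOST line so the file never ends up with two of them.
set_ldap_host() {
  conf=$1; host=$2
  [ -f "$conf" ] || : > "$conf"
  if grep -Eq '^[[:space:]]*HOST[[:space:]]' "$conf"; then
    tmp=$(mktemp)
    sed "s|^[[:space:]]*HOST[[:space:]].*|HOST $host|" "$conf" > "$tmp"
    cat "$tmp" > "$conf"   # write through, keeping the file's ownership and mode
    rm -f "$tmp"
  else
    printf 'HOST %s\n' "$host" >> "$conf"
  fi
}

# setup_vnc_ldap_links VNCDIR [LDAPLIB] [KRB5BINDIR]
# Creates VNCDIR/ldaplib, VNCDIR/kinit and VNCDIR/klist. Without LDAPLIB the
# Ubuntu and CentOS/RHEL locations from the article are tried. ln -sfn replaces
# existing links, so re-running with the path of a third-party AD client's
# library (Centrify, PBIS) switches the link away from the system libldap,
# as the article requires.
setup_vnc_ldap_links() {
  vncdir=$1
  krbdir=${3:-/usr/bin}
  if [ -n "${2:-}" ]; then
    ldaplib=$2
  else
    ldaplib=$(first_existing \
      /usr/lib/x86_64-linux-gnu/libldap-2.4.so.2 \
      /lib64/libldap-2.4.so.2) || { echo "no libldap found; pass its path" >&2; return 1; }
  fi
  mkdir -p "$vncdir"
  ln -sfn "$ldaplib" "$vncdir/ldaplib"
  ln -sfn "$krbdir/kinit" "$vncdir/kinit"
  ln -sfn "$krbdir/klist" "$vncdir/klist"
}

# show_vnc_ldap_links VNCDIR
# Prints "name -> target" for each link; returns 1 if any link is missing or dangling.
show_vnc_ldap_links() {
  rc=0
  for name in ldaplib kinit klist; do
    link=$1/$name
    if target=$(readlink "$link" 2>/dev/null); then
      if [ -e "$target" ]; then
        echo "$name -> $target"
      else
        echo "$name -> $target (dangling)"; rc=1
      fi
    else
      echo "$name: link missing"; rc=1
    fi
  done
  return $rc
}

# Real run (as root) on an Ubuntu server whose DC is dc01.dev.acmecorp.com (assumed name):
#   set_ldap_host /etc/ldap/ldap.conf dc01.dev.acmecorp.com
#   setup_vnc_ldap_links /etc/vnc && show_vnc_ldap_links /etc/vnc
```

Run show_vnc_ldap_links again after installing or upgrading a third-party AD client: a library that moved leaves a dangling ldaplib link, which the function reports.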

Setting up the VNC Viewer device

Create a suitable X.509 certificate for the RealVNC Viewer user

Active Directory Certificate Services is recommended:

  • Use an RSA key, or an ECDSA key with a P-256, P-384 or P-521 curve.
  • Specify the Client Authentication Extended Key Usage (or no Extended Key Usage extension at all). The OID for this usage is 1.3.6.1.5.5.7.3.2. Note that under Windows, RealVNC Viewer skips certificates for which this key usage has been disabled via the Windows key usage properties.
  • Make sure RealVNC Viewer can extract the user account name from the certificate. By default, the name is extracted in “User-Principal Name” format (UPN), either from the certificate’s User Principal Name (stored as a Subject Alternative Name with OID 1.3.6.1.4.1.311.20.2.3) or from an email address stored as a Subject Alternative Name (RFC 822 name). You can set the RealVNC Viewer CertificateUsername parameter to customize user name mapping.
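A check of a RealVNC Viewer certificate against the three requirements above, as an added example that is not RealVNC code; it uses only the openssl command line. The test certificates it generates, and the UPN johndoe@dev.acmecorp.com in them, are constructed for the demonstration and stand in for what Active Directory Certificate Services would issue.

```shell
#!/bin/sh
# Added example, not RealVNC tooling: checks a PEM certificate against the
# three requirements above (key type, Client Authentication EKU, UPN or
# e-mail SAN) using only the openssl CLI, and builds constructed test
# certificates shaped like the ones ADCS would issue.
set -u

# make_test_cert OUTDIR rsa|ec
# Self-signed certificate with a UPN SAN (otherName OID 1.3.6.1.4.1.311.20.2.3)
# and the Client Authentication EKU. The UPN johndoe@dev.acmecorp.com is an assumed value.
make_test_cert() {
  dir=$1
  case "$2" in
    rsa) keyopts="-newkey rsa:2048" ;;
    ec)  keyopts="-newkey ec -pkeyopt ec_paramgen_curve:P-256" ;;
    *)   echo "usage: make_test_cert DIR rsa|ec" >&2; return 2 ;;
  esac
  # keyopts is intentionally word-split
  openssl req -x509 -nodes -days 1 $keyopts \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" -subj "/CN=johndoe" \
    -addext "subjectAltName=otherName:1.3.6.1.4.1.311.20.2.3;UTF8:johndoe@dev.acmecorp.com" \
    -addext "extendedKeyUsage=clientAuth" >/dev/null 2>&1
}

# check_viewer_cert CERT.pem
# Prints "ok" and returns 0 when the certificate satisfies the requirements,
# otherwise prints the first failing requirement and returns 1.
check_viewer_cert() {
  txt=$(openssl x509 -in "$1" -noout -text 2>/dev/null) \
    || { echo "not a readable X.509 certificate"; return 1; }

  # 1. Key: RSA, or ECDSA on P-256 / P-384 / P-521
  case "$txt" in
    *"Public Key Algorithm: rsaEncryption"*) ;;
    *"Public Key Algorithm: id-ecPublicKey"*)
      printf '%s\n' "$txt" | grep -Eq 'NIST CURVE: P-(256|384|521)' \
        || { echo "ECDSA key on an unsupported curve"; return 1; } ;;
    *) echo "unsupported public key algorithm"; return 1 ;;
  esac

  # 2. EKU: absent, or including Client Authentication (1.3.6.1.5.5.7.3.2)
  if printf '%s\n' "$txt" | grep -q 'X509v3 Extended Key Usage'; then
    printf '%s\n' "$txt" | grep -q 'TLS Web Client Authentication' \
      || { echo "Extended Key Usage present but lacks Client Authentication"; return 1; }
  fi

  # 3. SAN carrying a UPN (an otherName; OpenSSL 1.1.1 prints it as
  #    "othername:<unsupported>", 3.x decodes it as UPN::) or an RFC 822 e-mail
  san=$(printf '%s\n' "$txt" | awk '/X509v3 Subject Alternative Name/ { getline; print; exit }')
  case "$san" in
    *othername*|*email:*) ;;
    *) echo "no UPN or e-mail Subject Alternative Name"; return 1 ;;
  esac
  echo "ok"
}

# Stand-alone demo: sh check_viewer_cert.sh --demo
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d)
  make_test_cert "$d" ec && check_viewer_cert "$d/cert.pem"
  rm -rf "$d"
fi
```

To check a certificate exported from a real smartcard or store, convert it to PEM first (for example openssl x509 -inform DER -in user.cer -out user.pem) and pass the PEM file to check_viewer_cert.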

Provision the device with the certificate

Desktops (Windows, macOS and Linux)

Under Windows, no setup is required to enable RealVNC Viewer to load certificates from a smartcard/token.

Under macOS, no setup is required provided the smartcard/token is supported by Apple's built-in CryptoTokenKit smartcard drivers.

Under Linux, you must use a PKCS #11 library to enable RealVNC Viewer to load certificates, such as the one provided by the OpenSC project. To do this, set the RealVNC Viewer Pkcs11Lib parameter to the full path of the library, for example /usr/lib/opensc-pkcs11.so (on Debian/Ubuntu the OpenSC library is typically installed under /usr/lib/x86_64-linux-gnu/).

If the certificate will reside in a certificate store on the computer itself, make sure:

  • Under Windows, the certificate is in the Personal > Certificates store (using a tool such as certmgr.msc).
  • Under macOS, the certificate is in the login keychain.
  • Under Linux, please contact Support to see how to load certificates from a certificate store.

If the RealVNC Viewer user will plug a smartcard or authentication token into the computer to provide the certificate, make sure that person knows the PIN for the smartcard/token.

Using YubiKey in your environment?

We have a dedicated guide for setting up a YubiKey with Smartcard/Certificate Store authentication. See How do I use a YubiKey to connect to a VNC Server using Certificate authentication?

Mobile Devices (Android and iOS)

Export or convert your certificate to PKCS #12 format (with either a .pfx or a .p12 extension), then follow the steps below for your platform. The PKCS #12 file contains the private key as well as the certificate, so protect it with a strong passphrase, transfer it over a trusted channel and delete the exported copy once it has been imported. Once imported, you can view a list of installed certificates using the Certificates option in the Settings menu.

Android

  1. Download the certificate file to your device.
  2. Locate the certificate file, and then tap it to install it as an App Certificate on your device, entering the passphrase used when exporting the certificate.
  3. Open RealVNC Viewer, then navigate to the Settings menu via the menu button in the top left.
  4. Tap Import Certificates, and select your certificate from the list of certificate(s) listed.
  5. The certificate is now ready for use by RealVNC Viewer.

iOS

  1. Connect your iOS device to a Windows or Mac computer and open iTunes (or, on macOS Catalina and later, Finder).
  2. Use the File Sharing section to transfer the certificate file to your device.
  3. Once the certificate file has been transferred, open RealVNC Viewer and navigate to Settings via the menu button in the top left.
  4. Tap Certificates, then Import Certificates. Enter the passphrase used when exporting the certificate.
  5. The certificate is now ready for use by RealVNC Viewer.

Check RealVNC Viewer is set to prefer smartcard/certificate store authentication (desktops only)

This can be enabled either by:

  • Turning on Authenticate using a smartcard or certificate store if possible in the RealVNC Viewer Properties dialog for connections to the RealVNC Server computer.
  • Setting the RealVNC Viewer AuthCertificate parameter to <auto>.