What is Smartcard/Certificate Store Authentication?
If you have a suitable subscription, you can specify smartcard/certificate store authentication for RealVNC Server instead of System Authentication. This means that connecting RealVNC Viewer users are transparently authenticated using a digital certificate they own, without having to enter a password.
You can combine this authentication scheme with others in order to specify multi-factor authentication for RealVNC Server.
Note the following requirements:
- The RealVNC Server computer must be joined to a domain managed by Active Directory/LDAP.
- Each device running RealVNC Viewer must have access to an X.509 digital certificate, stored on a pluggable smartcard or authentication token (desktop only), or in a suitable certificate store on the device.
- The X.509 certificate issued to each RealVNC Viewer user must meet the specification detailed under Setting up the RealVNC Viewer desktop computer.
- The user account of each prospective RealVNC Viewer user must be registered with RealVNC Server, and suitable session permissions assigned.
Setting up the RealVNC Server computer
Configure Active Directory/LDAP
Make sure the computer is joined to a domain managed by Active Directory/LDAP and a suitable certificate management/enrollment service, such as Active Directory Certificate Services, on at least one domain controller.
Configure RealVNC Server
- Open RealVNC Server's Options > Security page and select Smartcard/certificate store from the Authentication dropdown.
- Register the user accounts of all prospective RealVNC Viewer users with RealVNC Server, either by:
  - opening RealVNC Server's Options > Users & Permissions page and following these instructions, or
  - setting the RealVNC Server Permissions parameter.
Note that prior configuration is required to register domain accounts under Linux. You may also need to qualify usernames with the domain name, for example: DEV.ACMECORP.COM\johndoe.
Linux and macOS
- Under Linux, configure RealVNC Server to identify the domain controller hosting the LDAP server. Either set the RealVNC Server LdapCertificateUserStore, LdapCertificateIntermediateStore and LdapCertificateTrustStore parameters, or configure the LDAP server itself by adding HOST <your DC> to the LDAP library's configuration file. This file can typically be found in the following location:
  Ubuntu: /etc/ldap/ldap.conf
  CentOS/RHEL: /etc/openldap/ldap.conf
- Under Linux and macOS, obtain an LDAP-compatible library. Note that a suitable library may already be present on your system, for example:
  Ubuntu: /usr/lib/x86_64-linux-gnu/libldap-2.4.so.2
  CentOS/RHEL: /lib64/libldap-2.4.so.2
  macOS: /usr/lib/libldap.dylib
  Alternatively, you may be able to obtain one by installing third party software such as PowerBroker Identity Services or Centrify, designed to integrate with Active Directory.
- Under Linux, create an /etc/vnc/ldaplib symbolic link pointing to the location of the LDAP-compatible library (above). If third party software is installed, make sure the symbolic link points to the third party version and not the system version. This symbolic link is also required under macOS, but VNC Server should create it for you at install time (providing libldap.dylib can be found).
- Under Linux, create /etc/vnc/kinit and /etc/vnc/klist symbolic links pointing to /usr/bin/kinit and /usr/bin/klist respectively. If third party software is installed, make sure the symbolic links point to the third party versions and not the system versions. These symbolic links are also required under macOS, but VNC Server should create them for you at install time.
Setting up the VNC Viewer device
Create a suitable X.509 certificate for the RealVNC Viewer user
Active Directory Certificate Services is recommended:
- Use an RSA key, or an ECDSA key with a P-256, P-384 or P-521 curve.
- Specify the Client Authentication Extended Key Usage (or no key usages). The OID for this usage is 1.3.6.1.5.5.7.3.2. Note that under Windows, RealVNC Viewer will skip certificates if this key usage has been disabled via Windows key usage properties.
- Make sure RealVNC Viewer can extract the user account name from the certificate. By default, the name is extracted in User Principal Name (UPN) format, either from the certificate's User Principal Name (stored as a Subject Alternative Name with OID 1.3.6.1.4.1.311.20.2.3) or from an email address stored as a Subject Alternative Name (RFC 822 name). You can set the RealVNC Viewer CertificateUsername parameter to customize user name mapping.
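The following Python, added here as an example and not RealVNC code, uses the cryptography library to check a certificate against the three requirements above (key type and curve, Client Authentication EKU or none, and a usable SAN) and to reproduce the default UPN-then-email username mapping. The function names are assumptions, and make_test_cert builds a constructed self-signed certificate purely as test input, since the page contains no real certificate.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

UPN_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")  # UPN otherName OID quoted in the article

def key_ok(cert):
    """RSA key, or an ECDSA key on one of the three curves the article allows (P-256/384/521)."""
    pub = cert.public_key()
    return isinstance(pub, rsa.RSAPublicKey) or (isinstance(pub, ec.EllipticCurvePublicKey)
                                                 and pub.curve.name in {"secp256r1", "secp384r1", "secp521r1"})

def eku_ok(cert):
    """Client Authentication EKU (1.3.6.1.5.5.7.3.2) present, or no EKU extension at all."""
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return True  # "no key usages" is accepted by the article
    return ExtendedKeyUsageOID.CLIENT_AUTH in eku

def viewer_username(cert):
    """Default mapping: UPN otherName first, then an RFC 822 (email) SAN; None if neither exists."""
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return None
    for other in san.get_values_for_type(x509.OtherName):
        if other.type_id == UPN_OID and other.value[:1] == b"\x0c":  # DER UTF8String tag
            return other.value[2:2 + other.value[1]].decode("utf-8")  # skip tag + 1-byte length
    emails = san.get_values_for_type(x509.RFC822Name)
    return emails[0] if emails else None

def make_test_cert(upn=None, email=None, eku=(ExtendedKeyUsageOID.CLIENT_AUTH,)):
    """Constructed self-signed P-256 test certificate (not from any CA) with the given SANs/EKU."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "johndoe")])
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + timedelta(days=1)))
    sans = [x509.RFC822Name(email)] if email else []
    if upn:  # the UPN is carried as a DER UTF8String (0x0C, length, text) inside the otherName
        sans.insert(0, x509.OtherName(UPN_OID, bytes([0x0C, len(upn.encode())]) + upn.encode()))
    if sans:
        builder = builder.add_extension(x509.SubjectAlternativeName(sans), critical=False)
    if eku is not None:
        builder = builder.add_extension(x509.ExtendedKeyUsage(list(eku)), critical=False)
    return builder.sign(key, hashes.SHA256())
```

To check a certificate exported from your own CA, load it with x509.load_pem_x509_certificate and pass it to the three check functions.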
Provision the device with the certificate
Desktops (Windows, macOS and Linux)
Under Windows, no setup is required to enable RealVNC Viewer to load certificates from a smartcard/token.
Under macOS, no setup is required providing the smartcard/token is supported by Apple's CryptoKit drivers.
Under Linux, you must use a PKCS #11 library to enable RealVNC Viewer to load certificates, such as those provided by the OpenSC project. To do this, set the RealVNC Viewer Pkcs11Lib parameter to the full path of the library, for example /usr/lib/opensc-pkcs11.so.
If the certificate will reside in a certificate store on the computer itself, make sure:
- Under Windows, the certificate is in the Personal > Certificates store (using a tool such as certmgr.msc).
- Under macOS, the certificate is in the login keychain.
- Under Linux, please contact Support to see how to load certificates from a certificate store.
If the RealVNC Viewer user will plug a smartcard or authentication token into the computer to provide the certificate, make sure that person knows the PIN for the smartcard/token.
Using YubiKey in your environment?
We have a dedicated guide for setting up a YubiKey with Smartcard/Certificate Store authentication. See How do I use a YubiKey to connect to a VNC Server using Certificate authentication?
Mobile Devices (Android and iOS)
Export or convert your certificate to PKCS #12 format (with either a .pfx extension or .p12), then follow the steps below for your platform. Once imported, you can view a list of installed certificates using the Certificates option in the Settings menu.
Android
- Download the certificate file to your device.
- Locate the certificate file, and then tap it to install it as an App Certificate on your device, entering the passphrase used when exporting the certificate.
- Open RealVNC Viewer, then navigate to the Settings menu via the menu button in the top left.
- Tap Import Certificates, and select your certificate from the list of certificate(s) listed.
- The certificate is now ready for use by RealVNC Viewer.
iOS
- Connect your iOS device to a Windows or Mac computer and open iTunes.
- Use the File Sharing section to transfer the certificate file to your device.
- Once the certificate file has been transferred, open RealVNC Viewer and navigate to Settings via the menu button in the top left.
- Tap Certificates, then Import Certificates. Enter the passphrase used when exporting the certificate.
- The certificate is now ready for use by RealVNC Viewer.
Check RealVNC Viewer is set to prefer smartcard/certificate store authentication (desktops only)
This can be enabled either by:
- Turning on Authenticate using a smartcard or certificate store if possible in the RealVNC Viewer Properties dialog for connections to the RealVNC Server computer.
- Setting the RealVNC Viewer AuthCertificate parameter to <auto>.