VNC Server 7.1.0 introduces native Duo support
This article provides the steps for a basic setup to enable VNC Server to require 2FA for all connections. This is achieved using VNC Server's RADIUS authentication with Duo's Authentication Proxy software. For more information about Duo, click here.
This guide was written using Windows as the operating system for Duo Authentication Proxy and VNC Server. Any operating system can be used for VNC Viewer, including VNC Viewer for Mobile.
Please note that RealVNC cannot provide support for configuration of Duo Proxy; the guide below is intended as a starter guide only. For help with Duo or Duo Proxy, please contact Duo.
If you have a single VNC Server, Duo Authentication Proxy can be installed on the same computer as VNC Server.
If you have multiple VNC Servers, Duo Authentication Proxy only needs to be installed on one of the VNC Server computers.
Part 1 - Duo Account, Duo Application and Duo Users
Sign up for a Duo account
- Sign up for a Duo account: https://signup.duo.com/
- After you have verified your account you will be prompted to set a password and (optionally) enable Duo Push for admin access. Complete these steps and you will be taken to the Admin Dashboard
Add RADIUS as a Protected Application
- In the Admin Dashboard, click Applications, then click Protect an Application
- Search for RADIUS and click Protect next to the RADIUS option (padlock icon)
- On the next screen, you will be shown an Integration key, Secret key, and API hostname. You will need these when configuring Duo Authentication Proxy (below)
Add Users
Admin Dashboard
- In the Admin Dashboard, click Users, then click Add User
- Enter the username of the user to add
  This should match the username you use when connecting to VNC Server
- Fill in your full name and email address and click Save Changes
- At the top, click Send Enrolment Email and then Log Out of Duo Admin by clicking your name in the top right corner
User Enrolment
- Click the link in the enrolment email once you have received it
- Follow the on-screen prompts to complete the enrolment process by installing Duo Mobile on your Android/iOS device
Part 2 - Duo Authentication Proxy
Installing Duo Authentication Proxy
- Download the most recent Authentication Proxy for Windows from https://dl.duosecurity.com/duoauthproxy-latest.exe
  Note that the actual filename will reflect the version e.g. duoauthproxy-5.4.0.exe. View checksums for Duo downloads here
- Run the Authentication Proxy installer and follow the on-screen prompts
- When the installer finishes, clear the "Open Authentication Proxy configuration file" checkbox and click Finish
Further information about installation can be found here: https://duo.com/docs/authproxy-reference#installation
Configuring Duo Authentication Proxy
- Open Notepad as Administrator by searching for Notepad in the Start Menu, then right click the Notepad app result and click Run as administrator
- Click File then click Open and navigate to C:\Program Files\Duo Security Authentication Proxy\conf
- Change the dropdown in the bottom right from Text Documents to All Files.
- Double-click the authproxy.cfg file to open it
- Locate the [radius_server_auto] section, and change it to [radius_server_challenge]
- Configure the settings listed in authproxy.cfg as per the below:
  - ikey
    Set this using the Integration key for the RADIUS application from the Duo Admin Dashboard
  - skey
    Change skey to skey_protected
    Next, open Command Prompt from the Start Menu and run the following command (including the quotes): "C:\Program Files\Duo Security Authentication Proxy\bin\authproxy_passwd.exe" mysecretkey
    (where mysecretkey is the Secret key for the RADIUS application from the Duo Admin Dashboard)
    This will generate a long string. Copy this and paste it after skey_protected= , e.g. skey_protected=xxxYYYzzz
  - api_host
    Set this using the API hostname for the RADIUS application from the Duo Admin Dashboard
  - radius_ip_1
    If you have a single VNC Server, set radius_ip_1 to the IP address of the VNC Server computer, e.g. radius_ip_1=192.168.1.10/32
    If you have multiple VNC Servers, set radius_ip_1 to the IP address subnet of your network, e.g. radius_ip_1=192.168.1.1/24
  - radius_secret_1
    Change radius_secret_1 to radius_secret_protected_1
    This is the secret that you will also use in VNC Server. Choose a secret that you want to use and make a note of it; you will need it when you configure VNC Server.
    Next, open Command Prompt from the Start Menu and run the following command (including the quotes): "C:\Program Files\Duo Security Authentication Proxy\bin\authproxy_passwd.exe"
    Type in the secret that you chose above, and re-enter it when prompted. This will generate a long string. Copy this and paste it after radius_secret_protected_1= , e.g. radius_secret_protected_1=xxxYYYzzz
  - failmode
    Change failmode=safe to failmode=secure
  - client
    Change client=ad_client to client=duo_only_client
- Add a new line below port=1812 that reads: prompt_format=console
  Note: for Duo Proxy 5.4.0 and earlier, use prompt_form=console
- Add a blank line after prompt_format=console, and then add another new line that reads: [duo_only_client]
- Save and close the file
- Open Services.msc from the Start Menu, locate the Duo Security Authentication Proxy Service and (re)start it. If you receive an error, please check your configuration file.
Further information about configuration can be found here: https://duo.com/docs/authproxy-reference#configuration
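The following Python check is an added example, not part of the original article or of RealVNC's or Duo's tooling: it parses an authproxy.cfg and reports every setting that departs from the steps above. The sample file, its placeholder values, the function name audit_authproxy and the /24 width threshold are assumptions made for illustration.

```python
import configparser
import ipaddress
# Constructed sample of authproxy.cfg after the steps above.
# Every key, secret and hostname value is a placeholder.
SAMPLE_CFG = """
[radius_server_challenge]
ikey=PLACEHOLDER_INTEGRATION_KEY
skey_protected=xxxYYYzzz
api_host=PLACEHOLDER_API_HOSTNAME
radius_ip_1=192.168.1.10/32
radius_secret_protected_1=xxxYYYzzz
failmode=secure
client=duo_only_client
port=1812
prompt_format=console

[duo_only_client]
"""
MIN_PREFIX = 24  # assumption: the guide's widest example is a /24

def audit_authproxy(cfg_text):
    """Return findings; an empty list means the file matches the guide."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    if not cfg.has_section("radius_server_challenge"):
        return ["no [radius_server_challenge] section"]
    sec, findings = cfg["radius_server_challenge"], []
    for key in sec:
        # Plaintext forms: skey, radius_secret_1, radius_secret_2, ...
        if key == "skey" or (key.startswith("radius_secret_")
                             and "protected" not in key):
            findings.append(f"{key} is stored in plaintext")
        elif key.startswith("radius_ip_"):
            net = ipaddress.ip_network(sec[key], strict=False)
            if net.prefixlen < MIN_PREFIX:
                findings.append(f"{key} allows a wide range: {net}")
    for key in ("ikey", "skey_protected", "api_host"):
        if not sec.get(key):
            findings.append(f"{key} is missing or empty")
    if sec.get("failmode") != "secure":
        findings.append("failmode is not secure")
    if sec.get("client") != "duo_only_client":
        findings.append("client is not duo_only_client")
    if not cfg.has_section("duo_only_client"):
        findings.append("no [duo_only_client] section")
    return findings

if __name__ == "__main__":
    print(audit_authproxy(SAMPLE_CFG) or "authproxy.cfg matches the guide")
```

To check a real installation, pass the text of C:\Program Files\Duo Security Authentication Proxy\conf\authproxy.cfg to audit_authproxy from an elevated session.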
Part 3 - VNC Server
Configuring VNC Server
- Open VNC Server's Options
- Change the Authentication dropdown to Windows password + RADIUS authentication
- Click Set up VNC Server for RADIUS...
- Configure the settings shown as per the below:
  - RADIUS server
    This is the IP address of the computer running Duo Authentication Proxy, e.g. 192.168.1.10
  - RADIUS secret
    This is the RADIUS secret that you chose earlier when configuring Duo Authentication Proxy. This should be entered as the plain text secret and not the converted secret saved in authproxy.cfg
  - Client IP address
    Left blank
  - VNC Viewer prompt
    Left blank - delete the default prompt
  - Authentication protocol
    Set to PAP
  - Timeout
    Leave as 60
- Click OK, then click Apply followed by OK to close the Options window
Part 4 - VNC Viewer
Connecting
- Connect to your VNC Server as normal using VNC Viewer
- Enter your username and password for the remote computer, i.e. your Windows username and password
- You will see a prompt for your 2FA login
- You can either
- Enter a passcode from the Duo Mobile app
- Receive a push notification to approve/deny the login attempt
- Receive an SMS passcode to enter
- After successfully authenticating via Duo, you will be connected to your VNC Server