How do I use Azure AD users and groups with VNC Server's System Authentication?


Summary

This article provides the steps to follow to allow you to use Azure AD (AAD) users and groups to authenticate to VNC Server on Azure AD joined devices.

Populating local security groups with Azure AD users and groups

To use AAD users and groups with VNC Server's System Authentication (SystemAuth), the AAD user or group must first be added to a local security group on the VNC Server computer. You can use either Intune or PowerShell to perform the configuration.

  • AAD users must be added using the format AzureAD\upn, e.g. AZUREAD\jacksmith@mycorp.onmicrosoft.com
  • AAD groups must be added using their SID, which you can determine by converting the group's object ID with the PowerShell script at the bottom of this page.

AAD groups must be added to a "built-in" security group (e.g. Administrators or Remote Desktop Users) for VNC Server to allow authentication; custom security groups will not work with AAD groups. Please see bullet point 3 of this page, which explains this limitation.

Intune

Intune can be leveraged to populate the local security groups with AAD users and groups using Device Configuration Profiles, as shown below.

Create a new device configuration profile

  1. Log in to https://endpoint.microsoft.com/#home
  2. Click Devices on left menu, then Configuration profiles
  3. Click Create profile
  4. Select Platform: Windows 10 and later, Profile: Custom
  5. Click Create
  6. Enter a name (e.g. VNC Security Group Configuration), click Next
  7. Configuration setting: Leave blank and click Next (we'll edit this later)
  8. Configure Assignments: Configure which group(s) to apply the policy to e.g. All devices, click Next
  9. Applicability Rules: Configure any rules to use when determining whether to apply the policy to a device or leave blank, click Next
  10. Review + create: Click Create

Populating local security groups

  1. Log in to https://endpoint.microsoft.com/#home
  2. Click Devices on left menu, then Configuration profiles, then click the profile you want to edit
  3. Click Properties
  4. Click Edit next to Configuration settings
  5. Click Add, then populate the fields as below:
    • Name: The name of the setting, e.g. Local Security Groups for VNC Connect
    • Description: An optional extended description
    • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure 
    • Data Type: String
    • Value:
      <GroupConfiguration>
          <accessgroup desc="VNC Users">
              <group action="U"/>
              <add member="AzureAD\jacksmith@mycorp.onmicrosoft.com"/>
          </accessgroup>
          <accessgroup desc="Remote Desktop Users">
              <group action="U"/>
              <add member="S-1-12-1-420420627-1261603987-2980144026-3227595354"/>
          </accessgroup>
      </GroupConfiguration>

      The above example is adding the AAD user AZUREAD\jacksmith@mycorp.onmicrosoft.com to the local group VNC Users, and is adding the AAD group with SID S-1-12-1-420420627-1261603987-2980144026-3227595354 to the local group Remote Desktop Users.

  6. Click Save, then Review + Save to check the OMA-URI you just created. Click Save.

PowerShell

PowerShell commands can be run on the VNC Server computer to create groups and add AAD users and groups as members.

New-LocalGroup -Name "VNC Users"
Add-LocalGroupMember -Group "VNC Users" -Member "AzureAD\jacksmith@mycorp.onmicrosoft.com"
Add-LocalGroupMember -Group "Remote Desktop Users" -Member "S-1-12-1-420420627-1261603987-2980144026-3227595354"

The above example is adding the AAD user AZUREAD\jacksmith@mycorp.onmicrosoft.com to the local group VNC Users, and is adding the AAD group with SID S-1-12-1-420420627-1261603987-2980144026-3227595354 to the local group Remote Desktop Users.
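The commands above fail with an error if the group already exists or the member is already present, so re-running them as part of a provisioning script is awkward. The following script is an added example (not part of the original article or of RealVNC's own tooling) that makes the same configuration idempotent: it creates the custom group only when missing, accepts AAD groups by object ID and converts them to a SID the same way the conversion script at the bottom of this page does, and tolerates members that were added earlier. The UPN and the all-zero object ID are constructed placeholders.

```powershell
# Added example, not from the original article: idempotent provisioning of the local
# groups used by VNC Server's System Authentication on an Azure AD joined device.
Set-StrictMode -Version Latest

function Convert-AzureAdObjectIdToSid {
    # Same construction as the article's conversion script: the 16 GUID bytes become
    # four UInt32 sub-authorities under the Azure AD identity authority S-1-12-1
    param([Parameter(Mandatory)][string] $ObjectId)
    $bytes = [Guid]::Parse($ObjectId).ToByteArray()
    $array = New-Object 'UInt32[]' 4
    [Buffer]::BlockCopy($bytes, 0, $array, 0, 16)
    return "S-1-12-1-$array".Replace(' ', '-')
}

function Add-VncGroupMember {
    param(
        [Parameter(Mandatory)][string] $Group,
        [Parameter(Mandatory)][string] $Member   # 'AzureAD\upn' or an S-1-12-1-... SID
    )
    # Create a custom group only if it does not exist yet; built-in groups are left untouched
    if (-not (Get-LocalGroup -Name $Group -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $Group -Description 'Local group for VNC Server System Authentication' | Out-Null
        Write-Output "Created local group '$Group'"
    }
    try {
        Add-LocalGroupMember -Group $Group -Member $Member -ErrorAction Stop
        Write-Output "Added $Member to '$Group'"
    } catch [Microsoft.PowerShell.Commands.MemberExistsException] {
        # Already a member: nothing to do, which is what makes the script safe to re-run
        Write-Output "$Member is already a member of '$Group'"
    }
}

# Constructed placeholders: replace with your tenant's UPN and AAD group object ID.
# AAD users go into the custom group; AAD groups must go into a built-in group.
Add-VncGroupMember -Group 'VNC Users' -Member 'AzureAD\jacksmith@mycorp.onmicrosoft.com'
$groupSid = Convert-AzureAdObjectIdToSid -ObjectId '00000000-0000-0000-0000-000000000000'
Add-VncGroupMember -Group 'Remote Desktop Users' -Member $groupSid
```

Run it from an elevated PowerShell session on the VNC Server computer. Because every step is a no-op when the desired state already holds, the same script can be deployed repeatedly (for example through a management tool) without producing errors.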

Verifying local group membership

Run lusrmgr.msc on the VNC Server computer, and go to Groups. Double click on a group name to view the members and you should see the users and/or groups you added.
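Checking membership through lusrmgr.msc shows the group SID, not which AAD group it belongs to. The script below is an added example (not part of the original article) that lists the members of the local groups used for VNC Server and maps each S-1-12-1 SID back to its Azure AD object ID, reversing the conversion described at the bottom of this page, so you can confirm that the SID you added is the group you intended. It reads members through the ADSI WinNT provider rather than Get-LocalGroupMember, because the latter can abort with a "principal could not be found" error when a member cannot be resolved locally. The group names are assumed to match the ones you configured.

```powershell
# Added example, not from the original article: report local group members and
# translate Azure AD SIDs (S-1-12-1-...) back to the AAD object ID they encode.
param([string[]] $Groups = @('VNC Users', 'Remote Desktop Users'))

function Convert-SidToAzureAdObjectId {
    param([Parameter(Mandatory)][string] $Sid)
    # Only SIDs under the Azure AD identity authority carry a GUID in their four sub-authorities
    if ($Sid -notmatch '^S-1-12-1-(\d+)-(\d+)-(\d+)-(\d+)$') { return $null }
    $array = New-Object 'UInt32[]' 4
    for ($i = 0; $i -lt 4; $i++) { $array[$i] = [UInt32]$Matches[$i + 1] }
    # Reverse of the article's script: four UInt32 values back into the 16 GUID bytes
    $bytes = New-Object 'Byte[]' 16
    [Buffer]::BlockCopy($array, 0, $bytes, 0, 16)
    return ([Guid]::new($bytes)).ToString()
}

foreach ($groupName in $Groups) {
    $group = [ADSI]"WinNT://./$groupName,group"
    foreach ($member in $group.psbase.Invoke('Members')) {
        # objectSid is returned as a byte array by the WinNT provider; convert it to SDDL form
        $sidBytes = $member.GetType().InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
        $sid = (New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $sidBytes, 0).Value
        $name = $member.GetType().InvokeMember('Name', 'GetProperty', $null, $member, $null)
        [PSCustomObject]@{
            Group       = $groupName
            Member      = $name
            Sid         = $sid
            AadObjectId = Convert-SidToAzureAdObjectId -Sid $sid   # $null for non-AAD members
        }
    }
}
```

Compare the AadObjectId column with the object ID shown for the group in the Azure portal; a mismatch means the wrong SID was added, and a member with no AadObjectId is a local or domain principal rather than an AAD one.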

Configuring VNC Server's Users & Permissions

VNC Server can be configured as normal by adding the local groups as shown here.

Authenticating to VNC Server

When you attempt to connect to a VNC Server and see the prompt for your username and password, complete it as below:

Username: AZUREAD\upn (e.g. AzureAD\jacksmith@mycorp.onmicrosoft.com)

Password: Your AzureAD password

PowerShell script to convert Azure AD Object IDs to Windows Security Identifiers (SIDs)

### PowerShell script to convert AAD Object ID to SID ###

### usage: ./objectIDToSID.ps1 -objectID XXXyyyyZZZ

param ($objectId)

function Convert-AzureAdObjectIdToSid {
<#
Adapted from a script originally authored by:
Oliver Kieselbach (oliverkieselbach.com)
The script is provided "AS IS" with no warranties.

.PARAMETER ObjectID
The Object ID to convert
#>

param([String] $ObjectId)

# The object ID is a GUID; take its 16 raw bytes
$bytes = [Guid]::Parse($ObjectId).ToByteArray()
$array = New-Object 'UInt32[]' 4

# Reinterpret the 16 bytes as four little-endian UInt32 values
[Buffer]::BlockCopy($bytes, 0, $array, 0, 16)
# Azure AD SIDs use identifier authority 12 and RID 1, followed by the four values as sub-authorities
$sid = "S-1-12-1-$array".Replace(' ', '-')

return $sid
}

$sid = Convert-AzureAdObjectIdToSid -ObjectId $objectId
Write-Output $sid

### End PowerShell script ###