This article provides the steps for a basic set up with RealVNC Server to require 2FA for all connections. This is achieved using RealVNC Server's native Duo authentication which was added in RealVNC Server 7.1.0.
Missing the Duo authentication option in RealVNC Server?
Native Duo authentication is only available on certain subscription plans. If you do not see an option for Duo authentication in the Authentication dropdown in RealVNC Server's Options after installing RealVNC Server 7.1.0 or later, please contact our Sales team to discuss adding native Duo to your subscription.
Please note that RealVNC cannot provide support for configuration of Duo. For help with Duo, please contact Duo.
Part 1 - Duo Account, Duo Application and Duo Users
Sign up for a Duo account
- Sign up for a Duo account: https://signup.duo.com/
- After you have verified your account you will be prompted to set a password and (optionally) enable Duo Push for admin access. Complete these steps and you will be taken to the Admin Dashboard
Add DUO Auth API as a Protected Application
- In the Admin Dashboard, click Applications, then click Protect an Application
- Search for DUO Auth API (may also appear as Partner Auth API) and click Protect.
- On the next screen, you will be shown an Integration key, Secret key, and API hostname.
You can rename the application by going to Applications, select DUO Auth API, scroll down to Settings and enter a new name (e.g. 'VNC Connect').
Add Users
Admin Dashboard
- In the Admin Dashboard, click Users, then click Add User
- Enter the username of the user to add
This should match the username you use when connecting to VNC Server - Fill in your full name and email address and click Save Changes
- At the top, click Send Enrolment Email and then Log Out of Duo Admin by clicking your name in the top right corner
User Enrolment
- Click the link in the enrolment email once you have received it
- Follow the on-screen prompts to complete enrolment process by installing Duo Mobile on your Android/iOS device
Part 2 - RealVNC Server
- Open RealVNC Server from the start menu or tray icon. Open the menu (three horizontal lines) and select 'Options'.
- Go to Security > Authentication and select Windows password + Duo authentication. Then select Set up VNC Server for Duo...
- Enter your Integration key, Secret key, and API hostname. You will have generated these when adding DUO Auth API as a Protected Application.
- Click OK and then Apply.
Part 3 - RealVNC Viewer
- Enter your credentials for RealVNC Server
- Select your preferred method of authentication and select 'OK'. You will then be prompted to accept/reject the request on your Duo device(s).
If the username you log into RealVNC Server with is different from the email address used to set up Duo, you will need to add the username as an Alias. You can do this by signing into your Duo account, clicking User, selecting Add username alias, entering your username, and saving the change.
Configuring native Duo using Group Policy
After following the instructions in Part 1 (Duo Account, Duo Application, Duo Users), download and install the latest Group Policy ADMX templates.
In the Group Policy Editor, set the Authentication parameter to "SystemAuth+Duo". Then, set the DuoCredentials parameter as shown below:
https://<integration-key>:<secret-key>@<api-hostname>
The Integration key, Secret key and API hostname will be found on the Duo online Admin Dashboard; insert them into the web address to be used as the value for the DuoCredentials parameter.
Comments
In the event Duo is down or fails to resolve, what is the result?
It looks like this is only supported on Windows.
MacOS server does not have the option. I doubt that Linux has it either.
If we are already using interactive authentication and setup Duo ourselves, that may be easier.
System Authentication + PAM + Duo
Hi Mike,
Thanks for your comment. If Duo is unavailable for any reason, you would not be able to authenticate to RealVNC Server as the Duo authentication step would not be completed.
Kind regards,
Jack
If the online Duo site is down, the impact would go far beyond RealVNC.
However, given the robustness of Duo’s protocol, there is still an offline to utilize Duo.
If you go to the Duo app on iOS or Android, click on the respective account, and you can reveal a standard TOTP code that can be used.
When you want to login using Duo, option “3” will allow entry of the TOTP code.
Additionally, if Duo is down, option “2” will send a standard SMS (text message) to your phone.
Hi Jerry,
Thanks for your post - the Native Duo authentication is calling the Duo API under the hood which tells VNC Server which options are available for the authenticating user, so it can fail before you are presented with the choice of available options such as SMS or TOTP - I see such a failure when simulating an outage of Duo by blocking connectivity to it via a firewall
I hope this helps
Thanks,
Jack
This may be a good reason to use the preexisting capabilities using “Interactive System authentication”.
The can work on all platforms and can be more robust.
However, it takes more effort and is not as clean as the native VNC integration.
Given the native solution’s online reliance on Duo, I suggest you work quickly to support the offline Duo mechanisms.
Please sign in to leave a comment.