This article provides the steps for a basic setup of VNC Server that requires 2FA for all connections. This is achieved using VNC Server's native Duo authentication, which was added in VNC Server 7.1.0.
Please note that native Duo authentication is only available on certain subscription types. If you do not see an option for Duo authentication in the Authentication dropdown in VNC Server's Options after installing VNC Server 7.1.0, please contact our Sales team to discuss adding native Duo to your subscription.
Please note that RealVNC cannot provide support for configuration of Duo. For help with Duo, please contact Duo.
Part 1 - Duo Account, Duo Application and Duo Users
Sign up for a Duo account
- Sign up for a Duo account: https://signup.duo.com/
- After you have verified your account, you will be prompted to set a password and (optionally) enable Duo Push for admin access. Complete these steps and you will be taken to the Admin Dashboard.
Add DUO Auth API as a Protected Application
- In the Admin Dashboard, click Applications, then click Protect an Application
- Search for DUO Auth API and click Protect.
- On the next screen, you will be shown an Integration key, Secret key, and API hostname.
You can rename the application by going to Applications, select DUO Auth API, scroll down to Settings and enter a new name (e.g. 'VNC Connect').
Add Users
Admin Dashboard
- In the Admin Dashboard, click Users, then click Add User
- Enter the username of the user to add
This should match the username you use when connecting to VNC Server
- Fill in your full name and email address and click Save Changes
- At the top, click Send Enrolment Email and then Log Out of Duo Admin by clicking your name in the top right corner
User Enrolment
- Click the link in the enrolment email once you have received it
- Follow the on-screen prompts to complete the enrolment process by installing Duo Mobile on your Android/iOS device
Part 2 - VNC Server
- Open VNC Server from the start menu or tray icon. Open the menu (three horizontal lines) and select 'Options'.
- Go to Security > Authentication and select Windows password + Duo authentication. Then select Set up VNC Server for Duo...
- Enter your Integration key, Secret key, and API hostname. You will have generated these when adding DUO Auth API as a Protected Application.
- Click OK and then Apply.
Part 3 - VNC Viewer
- Enter your credentials for VNC Server
- Select your preferred method of authentication and select 'OK'. You will then be prompted to accept/reject the request on your Duo device(s).
If the username you log into VNC Server with is different from the email address used to set up Duo, you will need to add the username as an Alias. You can do this by signing into your Duo account, clicking User, selecting Add username alias, entering your username, and saving the change.
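The following Python script is an added example, not part of the original article and not RealVNC or Duo code. Before you enter the Integration key, Secret key and API hostname in VNC Server, it checks them against Duo's Auth API (`/auth/v2/check`) and asks `/auth/v2/preauth` whether the VNC Server username is known to Duo. The environment variable names are assumptions; the request signing follows Duo's documented Auth API scheme (HMAC-SHA1 over a canonical request).

```python
import base64, email.utils, hashlib, hmac, json, os
import urllib.error, urllib.parse, urllib.request

def encode_params(params):
    """URL-encode parameters sorted by key, as Duo's request signing expects."""
    q = urllib.parse.quote
    return "&".join(f"{q(k, safe='~')}={q(v, safe='~')}" for k, v in sorted(params.items()))

def canonical_request(date, method, host, path, params):
    """Lines that get signed: date, METHOD, lower-case host, path, encoded params."""
    return "\n".join([date, method.upper(), host.lower(), path, encode_params(params)])

def auth_headers(ikey, skey, date, method, host, path, params):
    """HTTP Basic auth: user is the integration key, password is the hex HMAC-SHA1."""
    canon = canonical_request(date, method, host, path, params)
    sig = hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()
    token = base64.b64encode(f"{ikey}:{sig}".encode()).decode()
    return {"Date": date, "Authorization": f"Basic {token}"}

def duo_call(ikey, skey, host, method, path, params=None):
    """Send one signed request and return the JSON reply (error replies included)."""
    params = params or {}
    headers = auth_headers(ikey, skey, email.utils.formatdate(), method, host, path, params)
    data = encode_params(params).encode() if method.upper() == "POST" else None
    req = urllib.request.Request(f"https://{host}{path}", data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:  # e.g. HTTP 401 when the key pair is wrong
        return json.load(err)

if __name__ == "__main__":
    # Assumed variable names. Reading from the environment keeps the secret key
    # out of the script itself and out of command-line arguments.
    ikey, skey, host = (os.environ[k] for k in ("DUO_IKEY", "DUO_SKEY", "DUO_HOST"))
    # "stat": "OK" means the keys and hostname are valid; "FAIL" carries an error message.
    print(duo_call(ikey, skey, host, "GET", "/auth/v2/check"))
    user = os.environ.get("VNC_USERNAME")
    if user:
        # result "auth": Duo knows this username (or alias) and it has a device.
        # "enroll", "allow" or "deny" for an unknown name depends on the new-user policy.
        print(duo_call(ikey, skey, host, "POST", "/auth/v2/preauth", {"username": user}))
```

A `FAIL` reply to the first call points at the key pair, the hostname or a badly skewed system clock (the signed `Date` header is checked by Duo); fix that before configuring VNC Server.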
Comments
In the event Duo is down or fails to resolve, what is the result?
It looks like this is only supported on Windows.
MacOS server does not have the option. I doubt that Linux has it either.
If we are already using interactive authentication and set up Duo ourselves, that may be easier.
System Authentication + PAM + Duo