How do I use Duo to enable 2FA for connections to VNC Server?

Follow

This article provides the steps for a basic set up with VNC Server to require 2FA for all connections. This is achieved using VNC Server's native Duo authentication which was added in VNC Server 7.1.0.

Please note that native Duo authentication is only available on certain subscription types. If you do not see an option for Duo authentication in the Authentication dropdown in VNC Server's Options after installing VNC Server 7.1.0, please contact our Sales team to discuss adding native Duo to your subscription.

Please note that RealVNC cannot provide support for configuration of Duo. For help with Duo, please contact Duo. For more information about Duo, click here.

Part 1 - Duo Account, Duo Application and Duo Users

Sign up for a Duo account

  1. Sign up for a Duo account: https://signup.duo.com/
  2. After you have verified your account you will be prompted to set a password and (optionally) enable Duo Push for admin access. Complete these steps and you will be taken to the Admin Dashboard

Add DUO Auth API as a Protected Application

  1. In the Admin Dashboard, click Applications, then click Protect an Application
  2. Search for DUO Auth API and click Protect.
  3. On the next screen, you will be shown an Integration key, Secret key, and API hostname.

You can rename the application by going to Applications, select DUO Auth API, scroll down to Settings and enter a new name (e.g. 'VNC Connect'). 

Add Users

Admin Dashboard

  1. In the Admin Dashboard, click Users, then click Add User
  2. Enter the username of the user to add
    This should match the username you use when connecting to VNC Server
  3. Fill in your full name and email address and click Save Changes
  4. At the top, click Send Enrolment Email and then Log Out of Duo Admin by clicking your name in the top right corner

User Enrolment

  1. Click the link in the enrolment email once you have received it
  2. Follow the on-screen prompts to complete enrolment process by installing Duo Mobile on your Android/iOS device

Part 2 - VNC Server

  1. Open VNC Server from the start menu or tray icon. Open the menu (three horizontal lines) and select 'Options'.

    Server_Menu.png

    Options_Menu.png

  2. Go to Security > Authentication and select Windows password + Duo authentication. Then select Set up VNC Server for Duo...

    Authentication_.png

    VNC_Server_for_Duo.png

  3. Enter your Integration key, Secret key, and API hostname. You will have generated these when adding DUO Auth API as a Protected Application.

    Duo_Config.png


  4. Click OK and then Apply.

    Apply.png

Part 3 - VNC Viewer

  1. Enter your credentials for VNC Server

    Sign_in.png

  2. Select your preferred method of authentication and select 'OK'. You will then be prompted to accept/reject the request on your Duo device(s).

    Choose_Method.png

If the username you log into VNC Server with is different from the email address used to set up Duo, you will need to add the username as an Alias. You can do this by signing into your Duo account, clicking User, selecting Add username alias, entering your username, and saving the change.

Was this article helpful?
0 out of 0 found this helpful

Comments

3 comments
  • In the event Duo is down or fails to resolve, what is the result?

    0
    Comment actions Permalink
  • It looks like this is only supported on Windows.

    MacOS server does not have the option. I doubt that Linux has it either.

    If we are already using interactive authentication and setup Duo ourselves, that may be easier.

    0
    Comment actions Permalink
  • System Authentication + PAM + Duo

    0
    Comment actions Permalink

Please sign in to leave a comment.