Can tightVNC use Active directory on Windows?

William Muriithi

Mar 3, 2017, 1:18:25 PM
to tigervn...@googlegroups.com
Hello,

I have scanned through a number of tightVNC documentation and can't
find the information that I am looking for. I have a Windows 8 based
system that I have installed VNC on and am looking at using Active directory
to authenticate VNC sessions.

I have seen ways to link tightVNC to AD on Linux, but it seems very few
people have attempted to use tightVNC on Windows. Is such a setup
possible with the most recent tightVNC build for Windows?

Regards,
William

Pierre Ossman

Mar 6, 2017, 1:44:07 AM
to William Muriithi, tigervn...@googlegroups.com
I'm going to assume you mean TigerVNC, and not TightVNC. :)

But yes, you should be able to authenticate using system accounts in
WinVNC. You need to enable the "Plain" authentication type for that.

Regards
--
Pierre Ossman Software Development
Cendio AB http://cendio.com
Teknikringen 8 http://twitter.com/ThinLinc
583 30 Linköping http://facebook.com/ThinLinc
Phone: +46-13-214600 http://plus.google.com/+CendioThinLinc

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

William Muriithi

Jun 1, 2017, 6:10:07 PM
to Pierre Ossman, tigervn...@googlegroups.com
Hi Pierre,

>>
>> I have seen ways to link tightVNC to AD on Linux, but it seems very few
>> people have attempted to use tightVNC on Windows. Is such a setup
>> possible with the most recent tightVNC build for Windows?
>>
>
> I'm going to assume you mean TigerVNC, and not TightVNC. :)
>
> But yes, you should be able to authenticate using system accounts in WinVNC. You need to enable the "Plain" authentication type for that.
>

Thanks for the response. Apologies for mixing tigerVNC and tightVNC.
That's worth a beating I agree. This is a bit old, but I have
not managed to get it working with AD. I was re-looking at it today
and thought it may not hurt if I ask for more details. I have googled
extensively, but the only info out there seems to be Linux based and doesn't
match what I see when I installed on Windows.

First, I have installed VNC server from this URL.
http://tigervnc.bphinz.com/nightly/windows/tigervnc64-1.8.80.exe.
Would this be the recommended binary from your point of view?

Currently, the only options for authentication that I see are "none" and
"standard VNC". So if I choose none, I am not able to login at all.
If I choose none and standard VNC, I get prompted for a password
alone, no username.

So I went to the client side and disabled "none" and "standard VNC"
and left only "username and password". I then get an error "No valid
VeNCrypt sub-type". To me, this looks like a feature is missing on
the installed VNC server. Would this be correct? Where would one
pick a binary that has the full features?

It's also not clear how to specify that tigerVNC should use system
account. I went under services -> properties -> Log on and under
that, I see log on "Local System account " or "This account" and I
choose the former? Would this be the correct procedure?

Lastly, I am also struggling on how to get the logs to see if I can
fix the issue. Would anyone know where tigerVNC drops the logs on
Windows? Would really appreciate any assistance.

Regards
William
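
An added example (not part of the original thread and not TigerVNC's code) of the negotiation behind the "No valid VeNCrypt sub-type" error described above: it parses a constructed RFB 3.8 security-type list and VeNCrypt 0.2 sub-type list and shows that a client restricted to username/password sub-types fails when the server offers none of them. The sample bytes, function names and first-match selection order are assumptions; the sub-type numbers are from the community RFB protocol specification.

```python
import struct

SEC_VENCRYPT = 19  # RFB security type number for VeNCrypt
# VeNCrypt sub-type numbers; only the TLS/X509 variants wrap the session in TLS.
VENCRYPT = {256: "Plain", 257: "TLSNone", 258: "TLSVnc", 259: "TLSPlain",
            260: "X509None", 261: "X509Vnc", 262: "X509Plain"}
ENCRYPTED = {257, 258, 259, 260, 261, 262}
USER_PASS = {256, 259, 262}  # the username + password ("Plain") variants


def parse_security_types(buf):
    """RFB 3.8: U8 count, then `count` U8 security types."""
    count = buf[0]
    if count == 0 or len(buf) < 1 + count:
        raise ValueError("empty or truncated security-type list")
    return list(buf[1:1 + count])


def parse_vencrypt_subtypes(buf):
    """VeNCrypt 0.2: U8 count, then `count` big-endian U32 sub-types."""
    count = buf[0]
    if len(buf) < 1 + 4 * count:
        raise ValueError("truncated VeNCrypt sub-type list")
    return list(struct.unpack(">%dI" % count, buf[1:1 + 4 * count]))


def negotiate(offered, client_enabled):
    """Pick the first offered sub-type the client has enabled (assumed order).
    Returns (name, sends_username, wrapped_in_tls)."""
    for sub in offered:
        if sub in client_enabled:
            return VENCRYPT.get(sub, str(sub)), sub in USER_PASS, sub in ENCRYPTED
    raise ValueError("No valid VeNCrypt sub-type")


def client_outcome(types_msg, subtypes_msg, client_enabled):
    """Run both parsing steps, then the sub-type selection."""
    if SEC_VENCRYPT not in parse_security_types(types_msg):
        raise ValueError("server does not offer VeNCrypt")
    return negotiate(parse_vencrypt_subtypes(subtypes_msg), client_enabled)


# Constructed sample messages (not captured from a real server).
SERVER_TYPES = bytes([2, 19, 2])                             # VeNCrypt, VncAuth
SERVER_SUBTYPES = bytes([2]) + struct.pack(">2I", 258, 257)  # TLSVnc, TLSNone

if __name__ == "__main__":
    try:
        print(client_outcome(SERVER_TYPES, SERVER_SUBTYPES, USER_PASS))
    except ValueError as err:
        print("negotiation failed:", err)
```

A result whose last field is `False` (sub-type 256, "Plain") means the username and password travel without TLS, so the connection needs its own protected transport.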

DRC

Jun 1, 2017, 7:38:18 PM
to tigervn...@googlegroups.com
The UltraVNC Server has an AD authentication feature, but currently I
think you need the UltraVNC Viewer in order to use that feature--
because UltraVNC doesn't support VeNCrypt and thus uses its own security
selector (rfbUltraVNC) in order to transmit the AD authentication
credentials from the viewer. A cursory examination of the UltraVNC
Viewer code suggests that their authentication protocol encrypts the
username & password using DH-- similarly to how VncAuth encrypts the VNC
password-- but this is only marginally more secure than plain text,
since DH encryption has been cracked.

Long and the short of it-- the TigerVNC Server probably needs to be
extended to support AD authentication, but I wonder aloud whether it
would be easier to just add VeNCrypt support to the UltraVNC Server.
That server now supports the TurboVNC encoding enhancements and thus
should perform as well as TigerVNC.

William Muriithi

Jun 2, 2017, 7:03:29 AM
to tigervn...@googlegroups.com
Hi DRC,

> > account. I went under services -> properties -> Log on and under
> > that, I see log on "Local System account " or "This account" and I
> > choose the former? Would this be the correct procedure?
>
> The UltraVNC Server has an AD authentication feature, but currently I
> think you need the UltraVNC Viewer in order to use that feature--
> because UltraVNC doesn't support VeNCrypt and thus uses its own security
> selector (rfbUltraVNC) in order to transmit the AD authentication
> credentials from the viewer. A cursory examination of the UltraVNC
> Viewer code suggests that their authentication protocol encrypts the
> username & password using DH-- similarly to how VncAuth encrypts the VNC
> password-- but this is only marginally more secure than plain text,
> since DH encryption has been cracked.

Really appreciate you took an effort to recommend another solution
that is known to work

>
> Long and the short of it-- the TigerVNC Server probably needs to be
> extended to support AD authentication, but I wonder aloud whether it
> would be easier to just add VeNCrypt support to the UltraVNC Server.
> That server now supports the TurboVNC encoding enhancements and thus
> should perform as well as TigerVNC.

Thanks, my preference was tigerVNC as I use it on Linux, but I guess
it's not the right solution for the Windows platform. Will give UltraVNC a
shot today and update the list on how it goes.

Regards,
William

DRC

Jun 2, 2017, 2:32:57 PM
to tigervn...@googlegroups.com
On 6/2/17 6:03 AM, William Muriithi wrote:
> Thanks, my preference was tigerVNC as I use it on Linux, but I guess
> it's not the right solution for the Windows platform. Will give UltraVNC a
> shot today and update the list on how it goes.

TigerVNC's WinVNC implementation works, but I'm pretty sure the primary
TigerVNC developers would agree with my assessment that it doesn't
receive the same attention as Xvnc, since none of those developers use
WinVNC in their own products or deployments. My project is peripheral
to TigerVNC, since it shares some of the same viewer code, as well as
vanilla C ports of some of the server code, but I also don't use WinVNC
and have opted to support the UltraVNC Server and Repeater with my
viewers instead of providing my own WinVNC solution.

Barring the possibility of adding VeNCrypt support to the UltraVNC
Server (which might incur political hurdles with the UltraVNC
developers), another possibility would be adding viewer support for the
UltraVNC security selector. That is straightforward, but it would
require a lot of testing, since the authentication selection and
fallback logic is a bit complex (particularly in the case of my viewer,
since it supports not only VeNCrypt but also the TightVNC security
selector.)

In my experience, the TightVNC v2.x Server is the most feature-rich and
seems to do the best job of keeping abreast of changes in new Windows
releases, but their server is also really slow. The UltraVNC Server has
the best balance of features and performance.

DRC

William Muriithi

Jun 3, 2017, 1:24:02 PM
to tigervn...@googlegroups.com
Hi,

> > username & password using DH-- similarly to how VncAuth encrypts the VNC
> > password-- but this is only marginally more secure than plain text,
> > since DH encryption has been cracked.
>
> Really appreciate you took an effort to recommend another solution
> that is known to work
>
> > would be easier to just add VeNCrypt support to the UltraVNC Server.
> > That server now supports the TurboVNC encoding enhancements and thus
> > should perform as well as TigerVNC.
>
> Thanks, my preference was tigerVNC as I use it on Linux, but I guess
> it's not the right solution for the Windows platform. Will give UltraVNC a
> shot today and update the list on how it goes.
>
>
> On 6/2/17 6:03 AM, William Muriithi wrote:
> > Thanks, my preference was tigerVNC as I use it on Linux, but I guess
> > it's not the right solution for the Windows platform. Will give UltraVNC a
> > shot today and update the list on how it goes.
>
> TigerVNC's WinVNC implementation works, but I'm pretty sure the primary
> TigerVNC developers would agree with my assessment that it doesn't
> receive the same attention as Xvnc, since none of those developers use
> WinVNC in their own products or deployments. My project is peripheral
> to TigerVNC, since it shares some of the same viewer code, as well as
> vanilla C ports of some of the server code, but I also don't use WinVNC
> and have opted to support the UltraVNC Server and Repeater with my
> viewers instead of providing my own WinVNC solution.
>
I understand now. I gave it a serious look, spending easily over two
hours on just one attempt without any luck. Something may be wrong
with the build or just not working for Windows 10, but worked for a
previous Windows version.

Would still be interested in knowing how to get around it someday if
someone shares any lead.

> Barring the possibility of adding VeNCrypt support to the UltraVNC
> Server (which might incur political hurdles with the UltraVNC
> developers), another possibility would be adding viewer support for the
> UltraVNC security selector. That is straightforward, but it would
> require a lot of testing, since the authentication selection and
> fallback logic is a bit complex (particularly in the case of my viewer,
> since it supports not only VeNCrypt but also the TightVNC security
> selector.)
>
Thanks, this worked perfectly. In less than 15 minutes, I was able to
use an AD account. I am tunnelling the traffic over Windows openSSH to
compensate for the lack of adequate security for traffic in transit.

Regards,
William

DRC

Jun 3, 2017, 6:40:45 PM
to tigervn...@googlegroups.com
On 6/3/17 12:24 PM, William Muriithi wrote:
> Thanks, this worked perfectly. In less than 15 minutes, I was able to
> use an AD account. I am tunnelling the traffic over Windows openSSH to
> compensate for the lack of adequate security for traffic in transit.

You mean using the UltraVNC Server and Viewer worked perfectly?

William Muriithi

Jun 4, 2017, 9:53:39 AM
to tigervn...@googlegroups.com
Yes, that is correct. Was able to use AD credentials with UltraVNC
server and clients

Regards,
William

DRC

Jun 4, 2017, 1:57:56 PM
to tigervn...@googlegroups.com
On 6/4/17 8:53 AM, William Muriithi wrote:
>> You mean using the UltraVNC Server and Viewer worked perfectly?
>
> Yes, that is correct. Was able to use AD credentials with UltraVNC
> server and clients

OK, good to know. I'll probably look into adding support for the
UltraVNC security selector to the TurboVNC Viewer, since I do support
UltraVNC as a server. That would at least make it possible for TigerVNC
to straightforwardly borrow that code from us.