User profile for user: JLG89
JLG89 Author
User level: Level 1
138 points

Network user authentication for VNC sessions not working

I am trying to enable Open Directory network users to connect to an Open Directory server (master or replica) using their network credentials. This is on macOS 10.12.6 and Server 5.3.1.


  • The Open Directory master/replica configuration is working properly.
  • Each OD server has itself listed as the Network Account Server in System Preferences:Users & Groups:Login Options, and "Allow network users to log in at login window" is enabled.
  • In System Preferences:Sharing, Remote Management is enabled, and "Allow access for: All users" is selected.
  • In Server.app, under the "Access" tab, access is allowed for all users, all networks.
  • Both Local and Network users can successfully log in at the login window.
  • Local users can login remotely using VNC.
  • When a Network user attempts to login remotely using VNC, the authentication box shakes. On the server, the screensharingd log throws an authentication error.


Looking at the screensharingd and opendirectory logs, it appears that screensharingd queries Open Directory, which authenticates the user, but screensharingd ignores it.


default09:24:28.673475 -0500com.apple.AccountPolicyHelper(16462.172.3) AuthenticationAllowed completed: record "<user>", result: Success (0).
default09:24:28.690605 -0500screensharingdAuthentication: FAILED :: User Name: <user> :: Viewer Address: 192.168.0.5 :: Type: DH


Any ideas?

Posted on Sep 28, 2017 7:21 AM

Reply
Question marked as Top-ranking reply
User profile for user: JLG89
JLG89 Author
User level: Level 1
138 points

Posted on Sep 28, 2017 1:48 PM

Fixed it. This thread was very helpful:

OD user can't vnc?


After following the directions under Remote Desktop Admin: Set access privileges using directory services and rebooting the affected servers, it now works.


Because I'm using Apple Remote Desktop for remote management, I need to use Remote Administration instead of Screen Sharing (in System Preferences:Sharing). In this scenario, the only way to enable Network users to connect using VNC is to follow those specific instructions. If you don't have ARD but still want to use Remote Administration instead of Screen Sharing for some reason, you can make the change via the command line. Run this on each machine to which you want VNC access:


# sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -clientopts -setdirlogins -dirlogins yes


One thing the instructions do not specifically state is that you can also add directory groups to the ARD groups you create in your directory (see screenshot below). For example, if all your users are already in a "Workgroup" group, and you want them all to have VNC access, just add the "Workgroup" group to the "ard_interact" group.


User uploaded file

View in context
2 replies
Question marked as Top-ranking reply
User profile for user: JLG89
JLG89 Author
User level: Level 1
138 points

Sep 28, 2017 1:48 PM in response to JLG89

Fixed it. This thread was very helpful:

OD user can't vnc?


After following the directions under Remote Desktop Admin: Set access privileges using directory services and rebooting the affected servers, it now works.


Because I'm using Apple Remote Desktop for remote management, I need to use Remote Administration instead of Screen Sharing (in System Preferences:Sharing). In this scenario, the only way to enable Network users to connect using VNC is to follow those specific instructions. If you don't have ARD but still want to use Remote Administration instead of Screen Sharing for some reason, you can make the change via the command line. Run this on each machine to which you want VNC access:


# sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -clientopts -setdirlogins -dirlogins yes


One thing the instructions do not specifically state is that you can also add directory groups to the ARD groups you create in your directory (see screenshot below). For example, if all your users are already in a "Workgroup" group, and you want them all to have VNC access, just add the "Workgroup" group to the "ard_interact" group.


User uploaded file

Reply

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.

Network user authentication for VNC sessions not working

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up