diff --git a/nix/templates/weston-vnc.nix b/nix/templates/weston-vnc.nix
index 401760f..0c278aa 100644
--- a/nix/templates/weston-vnc.nix
+++ b/nix/templates/weston-vnc.nix
@@ -104,10 +104,19 @@
 ${pkgs.coreutils}/bin/printf '{"vnc_port":%d,"auth":"none"}\n' \
 "$VNC_PORT" > /etc/hyperhive/gui.json || true

- # --disable-transport-layer-security: VNC is loopback-only
- # (relayed by the harness WebSocket proxy); TLS would require
- # cert generation and adds no real security benefit here.
+ # Write a weston.ini that disables VNC authentication.
+ # Without this, neatvnc offers VNC password auth (type 2) by default
+ # which causes the in-browser RFB client to fail with "auth failed".
+ # auth-method=none makes neatvnc offer security type 1 (None).
+ # --disable-transport-layer-security additionally disables the
+ # VeNCrypt TLS wrapper — VNC is loopback-only via the harness
+ # WebSocket relay so neither TLS nor a password is needed.
+ WESTON_INI=$(${pkgs.coreutils}/bin/mktemp /tmp/weston-XXXXXX.ini)
+ ${pkgs.coreutils}/bin/printf '[core]\nbackend=vnc\n\n[vnc]\nauth-method=none\n' \
+ > "$WESTON_INI"
+
 exec ${pkgs.weston}/bin/weston \
+ --config="$WESTON_INI" \
 --backend=vnc-backend.so \
 --renderer=pixman \
 --port="$VNC_PORT" \
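Review bot: With `auth-method=none` and `--disable-transport-layer-security` both in effect, the loopback-only binding is the only control left on this VNC session, and nothing in the visible lines enforces it: the weston invocation shows only `--port="$VNC_PORT"`, and its argument list continues outside the hunk. I would confirm there that the listener is bound to 127.0.0.1 and record the dependency next to the config write, e.g. `# SECURITY: auth-method=none is only safe while the VNC listener is bound to loopback`. Separately, the `mktemp` result is never checked, and the file is never removed because `exec` replaces the shell, so each start leaves another `/tmp/weston-XXXXXX.ini` behind. Since the content is static, a fixed path such as `WESTON_INI=/etc/hyperhive/weston.ini` next to `gui.json` would avoid both, assuming that directory is writable at this point (the `|| true` on the `gui.json` write suggests it may not always be).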