On Fri, Aug 28, 2020 at 11:03 AM Dave Page <dp...@pgadmin.org> wrote:
> Hi > > On Fri, Aug 28, 2020 at 9:59 AM Haskin, Daniel J <dhas...@verisk.com> > wrote: > >> Hello! >> >> I wonder if you folks can help me. I am having the hardest time location >> documentation on, or otherwise figuring out how to connect to a >> Kerberos-authenticated database using pgAdmin in Amazon RDS. >> >> I can connect to the database just fine with psql + kinit on linux, but >> the rest of my team is on Windows and pgAdmin. >> >> How, in general, do you connect to a Kerberos-authenticated database from >> pgAdmin on Windows? I haven't been able to find the answer to this question. >> >> In particular, I am connecting to a 12.3 pgsql database hosted on amazon >> RDS. No matter what I try, whenever I try to auth via Kerberos, I get this >> error: >> >> SSPI continuation error: The specified target is unknown or unreachable >> (80090303) >> >> If I connect using a local pg user, the connection succeeds. >> If I connect using kinit + psql on linux, the connection succeeds. >> If I connect using the correct host endpoint, I get the error above. >> If I connect using the AWS alternative method described here[1] of >> connecting to <endpoint>.<aws-ad-domain>, I *still* get the error above. >> >> Is there anyone who can help? >> >> 1: >> https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/postgresql-kerberos-connecting.html > > > pgAdmin doesn't (yet) officially support kerberos authentication. You can > use SSPI if you're connecting from Windows to a Windows-hosted PostgreSQL > server in a domain or on a the same machine (I actually verified that works > yesterday), or you can in theory use GSSAPI to authenticate to a Linux > hosted server if you're on a Linux client (I'm working on verifying that at > the moment). > > Once I've got those scenarios working and verified, I'll move on to > figuring out how to handle Windows/Mac clients connecting with GSSAPI. > > Note that SSPI/GSSAPI will require that you're running pgAdmin in Desktop > mode. It will not work in Server mode (because the server will typically be > running under a different user account). There's a feature request for that > in the backlog. > FYI, I've also confirmed that Linux - Linux works with GSSAPI. -- Dave Page Blog: http://pgsnake.blogspot.com Twitter: @pgsnake EDB: http://www.enterprisedb.com
