----- On 23 Nov 2018 at 22:44, Stephen Frost sfrost@xxxxxxxxxxx wrote:

> No, Kerberos/GSSAPI *never* transmits the user's password to the server.
> The user's password is actually used as an encryption key and is known
> only to the KDC (your domain controllers) and the user. The KDC and the
> PG server then share a different encryption key (the service principal).
> When the user wants to connect to PG they ask the KDC for a ticket which
> the KDC returns to the user as a blob which contains some information
> for the PG server encrypted with the PG server's key and then encrypts
> that and sends it to the user, who then decrypts it and uses it to
> connect to the PG server.
>
> How all of that works is a bit complicated but thankfully you don't
> really need to worry about that- Windows and Active Directory handle
> almost all of it. All you need to do is create a service principal in
> active directory for the PG server and then export it and copy it over
> to the PG server and then enable gssapi in PG.
>
> Thanks!
>
> Stephen

Hi Stephen,

thanks again for your answer.

Does my client application (Geneious, a bioinformatic tool) have to support Kerberos in any way?

Bernd

Helmholtz Zentrum Muenchen
Deutsches Forschungszentrum fuer Gesundheit und Umwelt (GmbH)
Ingolstaedter Landstr. 1
85764 Neuherberg
www.helmholtz-muenchen.de
Chair of the Supervisory Board: MinDirig.in Petra Steiner-Hoffmann
Deputy Chair of the Supervisory Board: MinDirig. Dr. Manfred Wolter
Managing Directors: Prof. Dr. med. Dr. h.c. Matthias Tschoep, Heinrich Bassler, Dr. rer. nat. Alfons Enhsen
Register Court: Amtsgericht Muenchen HRB 6466
VAT ID No.: DE 129521671
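
The ticket exchange described in the quoted text, as an added example that is not part of the original thread: a simplified model showing that the server authenticates the user from the ticket alone and that neither the password nor the password-derived key is sent to it. The principal names and password are constructed, the cipher is a toy stand-in for Kerberos's real encryption types, and the key derivation, the missing TGT step and the missing timestamps are simplifying assumptions.

```python
import hashlib, hmac, json, os

def _stream(key, nonce, n):
    # SHA-256 counter keystream: a toy cipher, NOT a real Kerberos encryption type.
    return b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(n // 32 + 1))

def seal(key, obj):
    """Toy encrypt-then-MAC of a JSON object under a symmetric key."""
    data, nonce = json.dumps(obj).encode(), os.urandom(16)
    body = nonce + bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return hmac.new(key, body, hashlib.sha256).digest() + body

def unseal(key, blob):
    tag, nonce, ct = blob[:32], blob[32:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def user_key(password, principal):
    # Simplified string-to-key: the password is only ever used to derive a key.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def kdc_issue(kdc_db, user, service):
    """KDC: mint a session key; one copy sealed for the user, one inside the service ticket."""
    session = os.urandom(32).hex()
    return {"for_user": seal(kdc_db[user], {"session": session, "service": service}),
            "ticket": seal(kdc_db[service], {"session": session, "user": user})}

def client_request(password, user, reply):
    """Client: recover the session key locally, then build what is sent to the server."""
    session = bytes.fromhex(unseal(user_key(password, user), reply["for_user"])["session"])
    return {"ticket": reply["ticket"], "authenticator": seal(session, {"user": user})}

def server_accept(keytab_key, msg):
    """PG server: needs only its own keytab key; returns the authenticated principal."""
    ticket = unseal(keytab_key, msg["ticket"])
    auth = unseal(bytes.fromhex(ticket["session"]), msg["authenticator"])
    if auth["user"] != ticket["user"]:
        raise ValueError("authenticator does not match ticket")
    return ticket["user"]

def demo(typed_password="constructed-Passw0rd"):
    # Constructed principals; the KDC database holds keys, never the server.
    user, svc = "alice@EXAMPLE.ORG", "postgres/db.example.org@EXAMPLE.ORG"
    keytab_key = os.urandom(32)  # the exported service principal key
    kdc_db = {user: user_key("constructed-Passw0rd", user), svc: keytab_key}
    msg = client_request(typed_password, user, kdc_issue(kdc_db, user, svc))
    return server_accept(keytab_key, msg), msg
```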