Greetings,

We prefer that you don't top-post on the PG mailing lists, thanks.

* Gabriel Guillem Barceló Soteras (gbarcelo@xxxxxxxxxxxxxx) wrote:
> Still, in Windows environments, PostgreSQL uses a separated keytab in filesystem.
> This is *nix-fashioned way to give an identity to the process.
>
> Windows native way would be service with MSA/gMSA identity configured (or computer account i.e. NETWORK SERVICE), but I think that is not possible...

There's a detailed explanation of how to do this here:

https://www.crunchydata.com/blog/windows-active-directory-postgresql-gssapi-kerberos-authentication

> pg_hba.conf
> hostgssenc all pg_user@dom.internal 10.20.200.0/16 gss include_realm=1 krb_realm=DOM.INTERNAL
> Then, on postgres.conf (*NIX or Windows)

This might be what is tripping you up- we don't yet support GSSAPI/Kerberos encrypted connections when using SSPI (which is what you're using on Windows). I hope to propose a patch to implement that but it's not yet in PG.

Try instead:

host all all 10.20.200.0/16 gss include_realm=1 krb_realm=DOM.INTERNAL

> Note that I have not touched pg_ident.conf, and created a login instead...

Yes, you'll need to create the user in PostgreSQL.

Thanks,

Stephen