On Mon, 29 Nov 2010 15:27:35 +0100, Reto Schöning
<reto.schoening@xxxxxxxxx> wrote:
I just heard back from our IT. There's nothing in the logs for this
connection attempt, but they noted in the Npgsql log that the
authentication was attempted using NTLM. However our domain controller
no longer supports NTLM, but only LDAP(s) and kerberos (it's a Windows
2008 server). From the docs I understand that with SSPI, pg should try
kerberos first and fall back to NTLM. This works when connecting from
psql. Maybe Npgsql goes straight for NTLM, at least when using it the
way I do?
Both are using the Negotiate SSP authentication package
http://msdn.microsoft.com/en-us/library/aa378748%28v=VS.85%29.aspx
Npgsql (SSPIHandler.cs):
int status = AcquireCredentialsHandle(
"",
"negotiate",
SECPKG_CRED_OUTBOUND,
IntPtr.Zero,
IntPtr.Zero,
IntPtr.Zero,
IntPtr.Zero,
ref sspicred,
out expire
);
libpq (fe-auth.c):
/*
* Send initial SSPI authentication token.
* If use_negotiate is 0, use kerberos authentication package which is
* compatible with Unix. If use_negotiate is 1, use the negotiate package
* which supports both kerberos and NTLM, but is not compatible with Unix.
*/
r = AcquireCredentialsHandle(NULL,
use_negotiate ? "negotiate" : "kerberos",
SECPKG_CRED_OUTBOUND,
NULL,
NULL,
NULL,
NULL,
conn->sspicred,
&expire);
It should be a one line patch to force Npgsql into using kerberos but I
can't see any reason why negotiate should act differently between Npgsql
and libpq.
Regards,
Brar
--
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
