Re: "could not accept SSPI security context"

From: G_Hosa_Phat <jgamble(at)ciaokc(dot)com>
To: pgsql-general(at)postgresql(dot)org
Subject: Re: "could not accept SSPI security context"
Date: 2012-01-21 02:31:12
Message-ID: 1327113072912-5162113.post@n5.nabble.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general


Brar Piening wrote
>
> Just a guess: You don't have something like "host all all 127.0.0.1/32
> sspi" in your pg_hba.conf do you?
>
> Regards,
>
> Brar
>
I don't have that set. Here's a sample from my pg_hba (slightly redacted to
obfuscate our internal network address scheme).

# TYPE DATABASE USER CIDR-ADDRESS METHOD
# ---------------------------------------------------------------------
# IPv4 LOCAL CONNECTIONS
# ---------------------------------------------------------------------
# Connections made from the server computer itself are only allowed if
# the user is a member of the Developers group, or a Super User.
# ---------------------------------------------------------------------
host all pgsuper 127.0.0.1/32 md5
host all +"ITDept" 127.0.0.1/32 sspi
host all all 127.0.0.1/32 reject
# ---------------------------------------------------------------------
# IPv4 INTRANET CONNECTIONS
# ---------------------------------------------------------------------
# If the IP address from which the request comes indicates that the
# user is on the Courtesy network and is physically located in one of
# our offices (Oklahoma City or Tulsa), use sspi authentication to
# validate the users credentials against Courtesy’s Active Directory.
# ---------------------------------------------------------------------
# Internal Network
# ---------------------------------------------------------------------
host all pgsuper 172.16.10.0/24 md5
host all +"Laptop" 172.16.10.50/32 ldap
ldapserver=ADSERVERNAME ldapprefix="MYDOMAIN\"
host all +"ITDept" 172.16.10.0/24 sspi
host appdb +"Users" 172.16.10.0/24 sspi
# ---------------------------------------------------------------------
# Deny connection attempts from any source not explicitly identified
# in the rules above.
# ---------------------------------------------------------------------
host all all 0.0.0.0/0 reject

# IPv6 local connections:
host all pgsuper ::1/128 md5
host all +"ITDept" ::1/128 sspi
host all all ::1/128 reject

There are some specific requirements addressed in the configuration file,
and I'd love to ask some more questions about how to implement some of them,
but those aren't in the scope of this thread. On this topic, however, this
configuratoin correctly uses the SSPI authentication when I try to connect
to the database through PGAdmin (I'm a member of the "ITDept" group), but
not when I'm testing my VB.NET application, it fails on the authentication
with the error from the thread title.

--
View this message in context: http://postgresql.1045698.n5.nabble.com/could-not-accept-SSPI-security-context-tp3275102p5162113.html
Sent from the PostgreSQL - general mailing list archive at Nabble.com.

In response to

Responses

Browse pgsql-general by date

  From Date Subject
Next Message Peter Geoghegan 2012-01-21 03:47:19 Re: ESET NOD32 Antivirus interference with PostgreSQL
Previous Message Bruce Duncan 2012-01-21 00:45:39 ESET NOD32 Antivirus interference with PostgreSQL