Re: pgadmin kerberos auth problem - Delegated credentials not supplied.

From: Khushboo Vashi <khushboo(dot)vashi(at)enterprisedb(dot)com>
To: Milan MOLNÁR <milan_molnar(at)tatrabanka(dot)sk>
Cc: "pgadmin-support(at)postgresql(dot)org" <pgadmin-support(at)postgresql(dot)org>
Subject: Re: pgadmin kerberos auth problem - Delegated credentials not supplied.
Date: 2023-01-10 05:41:54
Message-ID: CAFOhELcjySiX9=SOxfA6oj2dcZaSOPwSuHnQ9+TLAxCUXr37ow@mail.gmail.com
Lists: pgadmin-support

Hi,

This error occurs when the token is not being decoded. Please confirm that the
token you receive from the AD server is a Kerberos token and not an NTLM token.
You can check this via Right click on the browser > Select Inspect >
Network Tab > Click on the pgadmin site URL > Check the Response.

Kerberos Ticket example:
Authorization: Negotiate *YII*VDAYGKwYBE...

NTLM Ticket example:
Authorization: Negotiate *TlR*MTVNTUA...

Check the first 3 characters: if it starts with *YII* then it's a Kerberos
ticket, otherwise NTLM.
If the ticket is Kerberos only, then I need to check all the configurations
to identify the issue. We can connect via Skype or any other platform and
resolve it.

Thanks,
Khushboo

On Mon, Jan 9, 2023 at 5:38 PM Milan MOLNÁR <milan_molnar(at)tatrabanka(dot)sk>
wrote:

> Hi,
>
>
>
> *now we have this keytab*
>
>
>
> klist -kt pgadmin.keytab -e
> Keytab name: FILE:pgadmin.keytab
> KVNO Timestamp           Principal
> ---- ------------------- ------------------------------------------------------
>    5 01/01/1970 01:00:00 HTTP/pgadmin-dev(dot)aws-ad-ee1(dot)example(dot)com(at)AWS-AD-EE1(dot)EXAMPLE(dot)COM (des-cbc-crc)
>    5 01/01/1970 01:00:00 HTTP/pgadmin-dev(dot)aws-ad-ee1(dot)example(dot)com(at)AWS-AD-EE1(dot)EXAMPLE(dot)COM (des-cbc-md5)
>    5 01/01/1970 01:00:00 HTTP/pgadmin-dev(dot)aws-ad-ee1(dot)example(dot)com(at)AWS-AD-EE1(dot)EXAMPLE(dot)COM (arcfour-hmac)
>    5 01/01/1970 01:00:00 HTTP/pgadmin-dev(dot)aws-ad-ee1(dot)example(dot)com(at)AWS-AD-EE1(dot)EXAMPLE(dot)COM (aes256-cts-hmac-sha1-96)
>    5 01/01/1970 01:00:00 HTTP/pgadmin-dev(dot)aws-ad-ee1(dot)example(dot)com(at)AWS-AD-EE1(dot)EXAMPLE(dot)COM (aes128-cts-hmac-sha1-96)
>
>
>
> *To krb5.conf I’ve added*
>
> permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac
> default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac
> default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac
>
>
>
> *but the error is the same*
>
>
>
> 2023-01-09 12:00:30,045: DEBUG pgadmin: Authentication initiated via source: kerberos
> 2023-01-09 12:00:30,073: ERROR pgadmin: Major (65536): An unsupported mechanism was requested, Minor (0): Unknown error
> Traceback (most recent call last):
>   File "/pgadmin4/pgadmin/authenticate/kerberos.py", line 237, in negotiate_start
>     out_token = context.step(base64.b64decode(in_token))
>   File "/venv/lib/python3.10/site-packages/decorator.py", line 232, in fun
>     return caller(func, *(extras + args), **kw)
>   File "/venv/lib/python3.10/site-packages/gssapi/_utils.py", line 165, in check_last_err
>     return func(self, *args, **kwargs)
>   File "/venv/lib/python3.10/site-packages/decorator.py", line 232, in fun
>     return caller(func, *(extras + args), **kw)
>   File "/venv/lib/python3.10/site-packages/gssapi/_utils.py", line 131, in catch_and_return_token
>     return func(self, *args, **kwargs)
>   File "/venv/lib/python3.10/site-packages/gssapi/sec_contexts.py", line 582, in step
>     return self._acceptor_step(token=token or b"")
>   File "/venv/lib/python3.10/site-packages/gssapi/sec_contexts.py", line 590, in _acceptor_step
>     res = rsec_contexts.accept_sec_context(token, self._creds,
>   File "gssapi/raw/sec_contexts.pyx", line 270, in gssapi.raw.sec_contexts.accept_sec_context
> gssapi.raw.exceptions.BadMechanismError: Major (65536): An unsupported mechanism was requested, Minor (0): Unknown error
>
>
>
> milanm
>
> *From:* Khushboo Vashi <khushboo(dot)vashi(at)enterprisedb(dot)com>
> *Sent:* Monday, January 9, 2023 11:03 AM
> *To:* Milan MOLNÁR <milan_molnar(at)tatrabanka(dot)sk>
> *Cc:* pgadmin-support(at)postgresql(dot)org
> *Subject:* Re: pgadmin kerberos auth problem - Delegated credentials not
> supplied.
>
> On Mon, Jan 9, 2023 at 3:15 PM Milan MOLNÁR <milan_molnar(at)tatrabanka(dot)sk>
> wrote:
>
> Hi,
>
>
>
> here is the command used to regenerate the keytab. Unfortunately it did
> not help.
>
>
>
> ktpass -out pgadmin-dev-ad-ee1.keytab -mapUser pgadmin-dev(at)AWS-AD-EE1(dot)EXAMPLE(dot)COM +rndPass -mapOp set +DumpSalt -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -princ HTTP/pgadmin-dev(dot)aws-ad-ee1(dot)example(dot)com(dot)sk(at)AWS-AD-EE1(dot)EXAMPLE(dot)COM
>
> Targeting domain controller: IP-C6130167.aws-ad-ee1.example.com
> Successfully mapped HTTP/pgadmin-dev.aws-ad-ee1.example.com to pgadmin-dev.
> Password successfully set!
> Building salt with principalname HTTP/pgadmin-dev.aws-ad-ee1.example.com and domain AWS-AD-EE1.EXAMPLE.COM.SK (encryption type 18)...
> Hashing password with salt "AWS-AD-EE1.EXAMPLE.COMHTTPpgadmin-dev.aws-ad-ee1.example.com".
> Key created.
> Output keytab to pgadmin-dev-ad-ee1.keytab:
> Keytab version: 0x502
> keysize 117 HTTP/pgadmin-dev(dot)aws-ad-ee1(dot)example(dot)com(at)AWS-AD-EE1(dot)EXAMPLE(dot)COM ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype 0x12 (AES256-SHA1) keylength 32 (0x65c0f02ddea2d866d2e792cd125ff1784aa646bb0035ebd2c5fedf7282c7c384)
>
> C:\Users\Admin>
>
>
>
> Do you have any other advice on how to find out where the problem is?
>
> This is something to do with the keytab file. Can you try applying all the
> encryption types (-crypto all) while creating the keytab file, just for
> testing?
>
>
>
> Thank you
>
> milanm
>
>
>
>
>
> ________________________________________________________________________
> The information contained in this document is intended exclusively for the
> needs of its addressee. The document may contain information protected by
> banking or trade secrets or information subject to protection under other
> legal regulations. In the event that this document was delivered to you by
> mistake, we urge you to refrain from declassifying it or using it for your
> own purposes. At the same time, we would like to request that you inform us
> of such a case without undue delay and then dispose of the document.
>
> Tatra banka, a.s.
> Hodžovo námestie 3, 811 06 Bratislava 1
> IČO: 00 686 930
> Registered in the Commercial Register of the District Court Bratislava I
> Section: Sa, Insert No.: 71/B
> https://www.tatrabanka.sk
>

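Khushboo's check above reads the base64 prefix of the Negotiate token by eye. As an added example (not pgAdmin's code and not from anyone in this thread), the Python below decodes the Authorization header and parses the token's leading DER structure, which is the exact form of the same distinction: a SPNEGO or Kerberos token is an InitialContextToken (tag 0x60, a length, the mechanism OID), and a raw NTLM token starts with the literal bytes NTLMSSP\0. It also looks inside a SPNEGO wrapper at the mechTypes list, which catches a client that offers only NTLM inside SPNEGO and would not show the "TlR" prefix. The header values it runs on are constructed for the example (the Kerberos AP-REQ is filler bytes, not a real ticket); the function names and mechanism labels are this example's own.

```python
"""Classify the GSS-API mechanism in an ``Authorization: Negotiate`` header.
Added example, not pgAdmin code: the "YII"/"TlR" prefixes in the thread are the
base64 of the token's first bytes, so this decodes and parses them instead."""
import base64

SPNEGO, KRB5 = "1.3.6.1.5.5.2", "1.2.840.113554.1.2.2"
MS_KRB5, NTLMSSP = "1.2.840.48018.1.2.2", "1.3.6.1.4.1.311.2.2.10"
MECHS = {SPNEGO: "spnego", KRB5: "kerberos5", MS_KRB5: "kerberos5 (MS OID)", NTLMSSP: "ntlmssp"}

def read_tlv(buf, i):
    """Read one DER tag/length/value at buf[i]; return (tag, value, next_index)."""
    tag, length, i = buf[i], buf[i + 1], i + 2
    if length & 0x80:                          # long form: next n bytes hold the length
        n = length & 0x7F
        length, i = int.from_bytes(buf[i:i + n], "big"), i + n
    if i + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[i:i + length], i + length

def decode_oid(value):
    """Decode a DER OID body (no tag/length) to dotted form; 1.x/2.x arcs only."""
    arcs, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)

def classify_gss_token(raw):
    """Return (outer mechanism, [mechanisms listed in SPNEGO mechTypes])."""
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlmssp (raw)", []
    if not raw or raw[0] != 0x60:              # not an InitialContextToken at all
        return "unknown", []
    _, body, _ = read_tlv(raw, 0)
    tag, oid_bytes, i = read_tlv(body, 0)
    if tag != 0x06:
        return "unknown", []
    mech, proposed = decode_oid(oid_bytes), []
    if mech == SPNEGO:
        # NegTokenInit ::= [0] SEQUENCE { mechTypes [0] SEQUENCE OF OID, ... }
        tag, v, _ = read_tlv(body, i)
        for expected in (0xA0, 0x30, 0xA0):    # walk [0] -> SEQUENCE -> [0] mechTypes
            if tag != expected:
                return "spnego", proposed
            tag, v, _ = read_tlv(v, 0)
        j = 0
        while tag == 0x30 and j < len(v):      # SEQUENCE OF OID
            t, o, j = read_tlv(v, j)
            if t == 0x06:
                proposed.append(MECHS.get(decode_oid(o), decode_oid(o)))
    return MECHS.get(mech, mech), proposed

def classify_authorization(header_value):
    """Classify an Authorization header value as (scheme, mechanism, proposed)."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return scheme, None, []
    mech, proposed = classify_gss_token(base64.b64decode(token.strip()))
    return scheme, mech, proposed

def kerberos_offered(header_value):
    """True only if the client offers Kerberos, the one mechanism a GSSAPI
    acceptor holding an HTTP/ keytab (as pgAdmin does) can complete."""
    _, mech, proposed = classify_authorization(header_value)
    return mech is not None and any("kerberos5" in m for m in [mech, *proposed])

# --- constructed sample headers (synthetic, not captured traffic) ----------
def der(tag, value):
    """Minimal DER encoder, used only to build the samples below."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def oid(dotted):
    """DER-encode a dotted OID (tag 0x06 included)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = bytes([a & 0x7F])
        while a := a >> 7:
            chunk = bytes([0x80 | (a & 0x7F)]) + chunk
        out += chunk
    return der(0x06, out)

def sample_headers():
    """Three shapes a browser can send: Kerberos in SPNEGO, raw NTLM, NTLM-only SPNEGO."""
    ntlm_type1 = b"NTLMSSP\x00" + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2" + bytes(16)
    ap_req = der(0x60, oid(KRB5) + b"\x01\x00" + bytes(300))  # opaque stand-in for an AP-REQ

    def spnego(mechs, mech_token):
        types = der(0xA0, der(0x30, b"".join(oid(m) for m in mechs)))
        init = der(0xA0, der(0x30, types + der(0xA2, der(0x04, mech_token))))
        return "Negotiate " + base64.b64encode(der(0x60, oid(SPNEGO) + init)).decode()

    return {
        "kerberos": spnego([MS_KRB5, KRB5, NTLMSSP], ap_req),
        "ntlm_raw": "Negotiate " + base64.b64encode(ntlm_type1).decode(),
        "ntlm_in_spnego": spnego([NTLMSSP], ntlm_type1),
    }
```

Paste a header copied from the browser's Network tab into `kerberos_offered("Negotiate YII...")`; the constructed samples give "YII" for the Kerberos case and "TlR" for raw NTLM, matching the prefixes quoted above, while the NTLM-only SPNEGO sample starts with neither. Major (65536) in the traceback is GSS_S_BAD_MECH (1 << 16): gss_accept_sec_context could not match the token's mechanism to the acceptor credential, which is what a token that does not carry Kerberos produces when the acceptor only holds a Kerberos keytab, so the result of this check decides whether the keytab is even the right place to keep looking. One unrelated caveat: the ktpass output quoted in the thread echoes the derived key bytes (the `keylength 32 (0x...)` line), so a keytab whose key has been pasted into a public list should be regenerated.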