Re: When will you be adding ISC_REQ_MUTUAL_AUTH to the ODBC dwSSPIFlags variable? - Mailing list pgsql-odbc

From Ramesh Reddy
Subject Re: When will you be adding ISC_REQ_MUTUAL_AUTH to the ODBC dwSSPIFlags variable?
Date
Msg-id 2137224063.5727693.1437760588699.JavaMail.zimbra@redhat.com
In response to When will you be adding ISC_REQ_MUTUAL_AUTH to the ODBC dwSSPIFlags variable?  (dsteigne@redhat.com)
Responses Re: When will you be adding ISC_REQ_MUTUAL_AUTH to the ODBC dwSSPIFlags variable?  (Heikki Linnakangas <hlinnaka@iki.fi>)
List pgsql-odbc
Thank you Lindsay.

The root of the question, after delving a little bit more: we did not find any properties to enable "Mutual Authentication" when using GSSAPI with the Windows ODBC driver. Can this be added to the code?

Thanks

Ramesh..


I have pg-odbc working with Windows SSPI authentication.  There is a guide online [1] that describes the key element: you need to run the postgres service as a domain user that you've registered as a security principal for that machine. If you need a service name other than POSTGRES there is a GUC setting for krbsrvname; set that and a corresponding SPN.

The only weird behaviour I've noticed is that looking at security events in Windows event manager, after some time the client Kerberos authentication reverts to NTLMv1. I suspect that might be a problem between the pg domain user and AD though.

Also, connections never seem to pool but there's probably a good security reason for that.

[1] https://wiki.postgresql.org/wiki/Configuring_for_single_sign-on_using_SSPI_on_Windows

On 22 Jul 2015 1:12 am, "Ramesh Reddy" <rareddy@redhat.com> wrote:
Does anyone have a working solution that has Kerberos authentication working on the Windows-based pg-odbc driver? We believe the below flag is required for it to work correctly; can anybody weigh in on the options we have in terms of setting this flag without code modification? We are also looking to build locally to verify the solution.

Thanks

Ramesh..

----- Original Message -----
> We need mutual authentication via ODBC, looking into the psqlODBC driver to
> find where the Kerberos connection was getting created.  Here in sspisvcs.c
> the PerformKerberosEtcClientHandshake contains the set of SSPI flags being
> set on the request (held in the dwSSPIFlags variable).
> This set is missing the flag required for mutual authentication
> (ISC_REQ_MUTUAL_AUTH).  Can this be added to your ODBC driver?
>
> --
> Regards,
> Debbie Steigner
> Red Hat Global Support Services
> Principal Technical Support Engineer
>
>
>
> --
> Sent via pgsql-odbc mailing list (pgsql-odbc@postgresql.org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-odbc
>
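
An added illustration of the flag discussed in the quoted request above (not psqlODBC code and not written by anyone in this thread): setting ISC_REQ_MUTUAL_AUTH in the request flags only asks for server authentication, so the client should also check ISC_RET_MUTUAL_AUTH in the context attributes that InitializeSecurityContext returns. The helper names `ungranted` and `context_acceptable` and the flag combination in `main` are hypothetical and constructed for this example.

```c
/* Added example, not psqlODBC code. Off Windows, the flag values below
 * (copied from the Windows SDK's sspi.h) let the logic build anywhere. */
#include <stdio.h>
#ifdef _WIN32
#define SECURITY_WIN32
#include <windows.h>
#include <sspi.h>
#else
#define ISC_REQ_MUTUAL_AUTH     0x00000002UL
#define ISC_REQ_REPLAY_DETECT   0x00000004UL
#define ISC_REQ_CONFIDENTIALITY 0x00000010UL
#define ISC_RET_MUTUAL_AUTH     0x00000002UL
#define ISC_RET_REPLAY_DETECT   0x00000004UL
#define ISC_RET_CONFIDENTIALITY 0x00000010UL
#endif

/* Security properties a client may request, paired with the bit SSPI sets
 * in the returned context attributes when the property is in effect. */
static const struct { unsigned long req, ret; const char *name; } props[] = {
    { ISC_REQ_MUTUAL_AUTH,     ISC_RET_MUTUAL_AUTH,     "MUTUAL_AUTH" },
    { ISC_REQ_REPLAY_DETECT,   ISC_RET_REPLAY_DETECT,   "REPLAY_DETECT" },
    { ISC_REQ_CONFIDENTIALITY, ISC_RET_CONFIDENTIALITY, "CONFIDENTIALITY" },
};

/* requested: fContextReq passed to InitializeSecurityContext (dwSSPIFlags
 * in the thread); returned: value written to pfContextAttr on SEC_E_OK.
 * Result: mask of ISC_REQ_* bits that were asked for but not granted. */
unsigned long ungranted(unsigned long requested, unsigned long returned)
{
    unsigned long missing = 0;
    for (unsigned i = 0; i < sizeof props / sizeof props[0]; i++) {
        if ((requested & props[i].req) && !(returned & props[i].ret)) {
            printf("requested but not granted: %s\n", props[i].name);
            missing |= props[i].req;
        }
    }
    return missing;
}

/* Fail closed: accept only if mutual auth was requested and nothing dropped. */
int context_acceptable(unsigned long requested, unsigned long returned)
{
    return (requested & ISC_REQ_MUTUAL_AUTH) && ungranted(requested, returned) == 0;
}

int main(void)
{   /* constructed case: mutual auth requested but absent from the returned bits */
    return context_acceptable(ISC_REQ_MUTUAL_AUTH | ISC_REQ_REPLAY_DETECT, ISC_RET_REPLAY_DETECT) ? 1 : 0;
}
```

In a real client the two arguments are the flags passed to, and the attributes received from, the final InitializeSecurityContext call; a context that fails the check should be torn down rather than used.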


