How to set the SPN for Postgres SSPI
I am trying to set up Postgres to support SSPI/Kerberos; however, I think that I have not found the correct SPN that is needed to get it working.
The background details:
- Service account for postgres: 'postgres'
- Domain Name: 'testdomain.com'
- Domain Controller: 'dc.testdomain.com'
I have tried the following SPNs and have had zero luck:
setspn -A HOST/testdomain.com postgres
setspn -A HOST/testdomain postgres
setspn -A POSTGRES/testdomain.com postgres
setspn -A POSTGRES/testdomain postgres
setspn -A POSTGRES/dc.testdomain.com postgres
Does anyone have some suggestions?
Solution 1:
SPNs don't use the name of the domain and/or of a Domain Controller; they use the FQDN which will be used to connect to the service. The SPN for a web server which answers to www.domain.com would be HTTP/www.domain.com.
Next, you need to assign the SPN to the user account which is running the service; if the service runs as LocalSystem or NetworkService on a domain computer, that would be the computer's machine account; otherwise it's the actual user account the service is running as.
What is missing in your question is the name of the server on which Postgres is running; assuming it is servername.testdomain.com, the command for setting the SPN would be:
setspn -S POSTGRES/servername.testdomain.com postgres
Or (using the domain NetBIOS name and assuming it's TESTDOMAIN):
setspn -S POSTGRES/servername.testdomain.com TESTDOMAIN\postgres
Sources:
https://wiki.postgresql.org/wiki/Configuring_for_single_sign-on_using_SSPI_on_Windows
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731241(v=ws.11)
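The two rules from the answer above (the host part is the FQDN clients connect to; the SPN belongs on the account the service runs as) can be turned into a check-then-register script. This is an added example, not part of the original answer; the service name pattern `postgresql%`, the parameter names, and the default of using this machine's own DNS name as the connect name are assumptions.

```powershell
# Added example (not from the original answer). Run on the Postgres server,
# as a domain account that is allowed to write servicePrincipalName.
param(
    # Name clients put in their connection string; assumed to be this host's FQDN.
    [string]$ConnectName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
    [string]$ServiceNamePattern = 'postgresql%',  # assumed Windows service name pattern
    [string]$ServiceClass = 'POSTGRES',           # service class used in the answer
    [switch]$Register                             # without this switch, report only
)

# Host part of the SPN: the FQDN used to connect, never the domain or DC name.
$spn = "$ServiceClass/$ConnectName"

# Account part: whichever account the Postgres service actually runs as.
$svc = Get-CimInstance Win32_Service -Filter "Name LIKE '$ServiceNamePattern'" |
    Select-Object -First 1
if (-not $svc) { throw "No service matching '$ServiceNamePattern' was found." }

# LocalSystem and NetworkService authenticate on the network as the machine
# account, so the SPN goes on the computer object instead of a user.
$machineIdentities = 'LocalSystem', 'NT AUTHORITY\NetworkService'
if ($machineIdentities -contains $svc.StartName) {
    $account = $env:COMPUTERNAME
} elseif ($svc.StartName -like '.\*') {
    throw "Service runs as local account '$($svc.StartName)'; it has no AD object to hold an SPN."
} else {
    $account = $svc.StartName
}

Write-Host "Service : $($svc.Name) running as $($svc.StartName)"
Write-Host "SPN     : $spn"
Write-Host "Account : $account"

# Current state: who (if anyone) already holds this SPN, and what the account has.
setspn -Q $spn
setspn -L $account

# -S checks the domain for a duplicate before adding, unlike -A.
if ($Register) {
    setspn -S $spn $account
}
```

If clients connect through a DNS alias instead of the server's own name, pass that alias as `-ConnectName`.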