How to set the SPN for Postgres SSPI

I am trying to set up Postgres to support SSPI/Kerberos; however, I think that I have not found out what the correct SPN is that is needed to get it working.

The background details:

  • Service account for postgres: 'postgres'
  • Domain Name: 'testdomain.com'
  • Domain Controller: 'dc.testdomain.com'

I have tried the following SPNs and have had zero luck:

  • setspn -A HOST/testdomain.com postgres
  • setspn -A HOST/testdomain postgres
  • setspn -A POSTGRES/testdomain.com postgres
  • setspn -A POSTGRES/testdomain postgres
  • setspn -A POSTGRES/dc.testdomain.com postgres

Does anyone have some suggestions?


Solution 1:

SPNs don't use the name of the domain and/or of a Domain Controller; they use the FQDN which will be used to connect to the service. The SPN for a web server which answers to www.domain.com would be HTTP/www.domain.com.

Next, you need to assign the SPN to the user account which is running the service; if the service runs as LocalSystem or NetworkService on a domain computer, that would be the computer's machine account; otherwise it's the actual user account the service is running as.

What is missing in your question is the name of the server on which Postgres is running; assuming it is servername.testdomain.com, the command for setting the SPN would be:

setspn -S POSTGRES/servername.testdomain.com postgres

Or (using the domain NetBIOS name and assuming it's TESTDOMAIN):

setspn -S POSTGRES/servername.testdomain.com TESTDOMAIN\postgres

Sources:

https://wiki.postgresql.org/wiki/Configuring_for_single_sign-on_using_SSPI_on_Windows
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731241(v=ws.11)
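
A way to check the result of the registration described in Solution 1, added here as an example and not part of the original answer: the script searches Active Directory for every account holding the SPN and reports whether it is missing, on the wrong account, or duplicated. The host `servername.testdomain.com` is the answer's assumed server name, and `$ServiceName` is a hypothetical optional parameter for the Windows service name on your install.

```powershell
# Added example: confirm the SPN exists exactly once, on the account that runs PostgreSQL.
# Defaults are the values assumed in the answer above; adjust them to your environment.
param(
    [string]$ServiceClass = 'POSTGRES',
    [string]$ConnectHost  = 'servername.testdomain.com',  # FQDN clients use to connect
    [string]$Account      = 'postgres',                   # sAMAccountName of the service account
    [string]$ServiceName  = ''                            # optional: Windows service name (run on the DB server)
)

if ($ConnectHost -notmatch '\.') {
    Write-Warning "'$ConnectHost' is not an FQDN; the SPN must use the name clients connect to."
}
$spn = "$ServiceClass/$ConnectHost"

# Find every directory object that holds this SPN (works without the RSAT AD module).
$searcher = [adsisearcher]"(servicePrincipalName=$spn)"
$null = $searcher.PropertiesToLoad.Add('samaccountname')
$owners = @($searcher.FindAll() | ForEach-Object { [string]$_.Properties['samaccountname'][0] })

switch ($owners.Count) {
    0 { Write-Output "MISSING: $spn is not registered. Fix: setspn -S $spn $Account" }
    1 {
        if ($owners[0] -ieq $Account) {
            Write-Output "OK: $spn is registered to $Account"
        } else {
            Write-Output "WRONG ACCOUNT: $spn is held by $($owners[0]), expected $Account"
        }
    }
    default {
        # Kerberos cannot pick a key when several accounts claim the same SPN.
        Write-Output "DUPLICATE: $spn is held by $($owners -join ', '); remove extras with setspn -D"
    }
}

# Optional: show which identity the service really runs as. If it is LocalSystem or
# NetworkService, the SPN belongs on the computer account (name ending in '$') instead.
if ($ServiceName) {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
    if ($svc) { Write-Output "Service '$ServiceName' logs on as: $($svc.StartName)" }
    else      { Write-Warning "Service '$ServiceName' not found on this machine." }
}
```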