SSPI is a Windows technology for secure authentication with single sign-on. PostgreSQL will use SSPI in negotiate mode, which will use Kerberos when possible and automatically fall back to NTLM in other cases. SSPI authentication only works when both server and client are running Windows, or, on non-Windows platforms, when GSSAPI is available.
When using Kerberos authentication, SSPI works the same way GSSAPI does; see Section 20.6 for details.
The following configuration options are supported for SSPI:
include_realm
If set to 0, the realm name from the authenticated user principal is stripped off before being passed through the user name mapping (Section 20.2). This is discouraged and is primarily available for backwards compatibility, as it is not secure in multi-realm environments unless krb_realm is also used. It is recommended to leave include_realm set to the default (1) and to provide an explicit mapping in pg_ident.conf to convert principal names to PostgreSQL user names.
compat_realm
If set to 1, the domain's SAM-compatible name (also known as the NetBIOS name) is used for the include_realm option. This is the default. If set to 0, the true realm name from the Kerberos user principal name is used.

Do not disable this option unless your server runs under a domain account (this includes virtual service accounts on a domain member system) and all clients authenticating through SSPI are also using domain accounts, or authentication will fail.
upn_username
If this option is enabled along with compat_realm, the user name from the Kerberos UPN is used for authentication. If it is disabled (the default), the SAM-compatible user name is used. By default, these two names are identical for new user accounts.

Note that libpq uses the SAM-compatible name if no explicit user name is specified. If you use libpq or a driver based on it, you should leave this option disabled or explicitly specify the user name in the connection string.
map
Allows for mapping between system and database user names. See Section 20.2 for details. For a SSPI/Kerberos principal, such as username@EXAMPLE.COM (or, less commonly, username/hostbased@EXAMPLE.COM), the user name used for mapping is username@EXAMPLE.COM (or username/hostbased@EXAMPLE.COM, respectively), unless include_realm has been set to 0, in which case username (or username/hostbased) is what is seen as the system user name when mapping.
krb_realm
Sets the realm to match user principal names against. If this parameter is set, only users of that realm will be accepted. If it is not set, users of any realm can connect, subject to whatever user name mapping is done.
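The following is an added example, not part of the PostgreSQL documentation and not PostgreSQL's own code. It models the two steps the options above describe: how include_realm decides what system user name an SSPI/Kerberos principal turns into, and how a pg_ident.conf map (Section 20.2) then decides which database user that name may log in as. The pg_hba.conf line, the map names "sspimap" and "legacy", the pg_ident.conf entries and the principals are all constructed for illustration; the regular-expression and \1 handling is a simplified re-implementation of the documented pg_ident.conf rules, not the server's parser.

```python
import re

# Constructed pg_hba.conf line (illustrative; the map name "sspimap" is an assumption):
#   hostssl  all  all  10.0.0.0/8  sspi  include_realm=1  map=sspimap
#
# Constructed pg_ident.conf content. Entries whose SYSTEM-USERNAME starts with "/"
# are regular expressions; a single capture group may be substituted into
# PG-USERNAME via \1, as Section 20.2 describes.
PG_IDENT_CONF = """
# MAPNAME   SYSTEM-USERNAME                  PG-USERNAME
sspimap     /^(.*)@EXAMPLE\\.COM$            \\1
sspimap     alice@CORP.EXAMPLE.COM           alice
sspimap     /^svc_(.*)@EXAMPLE\\.COM$        service_\\1
legacy      /^(.*)$                          \\1
"""


def system_user_name(principal: str, include_realm: int = 1) -> str:
    """Name PostgreSQL hands to user name mapping for an SSPI/Kerberos principal.

    With include_realm=1 (the default) the whole principal is used. With
    include_realm=0 everything from the first '@' on is dropped, so
    'alice@EXAMPLE.COM' and 'alice@OTHER.COM' both become 'alice'. (Which realm
    string appears after '@' in the first place depends on compat_realm: the
    NetBIOS domain name by default, the Kerberos realm when compat_realm=0.)
    """
    if include_realm:
        return principal
    return principal.split("@", 1)[0]


def parse_pg_ident(text: str):
    """Parse pg_ident.conf-style text into (mapname, system_username, pg_username) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed pg_ident.conf line: {raw!r}")
        entries.append(tuple(parts))
    return entries


def map_allows(entries, mapname: str, sysname: str, requested: str) -> bool:
    """True if some entry of 'mapname' lets system user 'sysname' log in as 'requested'."""
    for name, pattern, pguser in entries:
        if name != mapname:
            continue
        if pattern.startswith("/"):
            m = re.search(pattern[1:], sysname)
            if not m:
                continue
            # Substitute the first capture group for \1 in the PG-USERNAME field.
            target = pguser.replace("\\1", m.group(1)) if m.groups() else pguser
        elif pattern == sysname:
            target = pguser
        else:
            continue
        if target == requested:
            return True
    return False


def login_allowed(principal: str, requested: str, mapname: str = "sspimap",
                  include_realm: int = 1) -> bool:
    """Combine the two steps: derive the system user name, then apply the map."""
    entries = parse_pg_ident(PG_IDENT_CONF)
    return map_allows(entries, mapname, system_user_name(principal, include_realm), requested)


if __name__ == "__main__":
    # With the default include_realm=1 the realm is part of what the map sees,
    # so an 'alice' from an unrelated realm cannot become database user 'alice'.
    print(login_allowed("alice@EXAMPLE.COM", "alice"))   # True
    print(login_allowed("alice@OTHER.COM", "alice"))     # False
    # With include_realm=0 and a permissive map, both realms collapse to 'alice'.
    print(login_allowed("alice@OTHER.COM", "alice", mapname="legacy", include_realm=0))  # True
```

The last call shows the multi-realm problem the include_realm text warns about: once the realm is stripped, a map written for one realm cannot tell two realms' users apart, and only krb_realm (or leaving include_realm at 1 with realm-anchored map entries, as the "sspimap" entries do) restores that distinction.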