Re: "could not accept SSPI security context"

From: Brar Piening <brar(at)gmx(dot)de>
To: Reto Schöning <reto(dot)schoening(at)gmail(dot)com>
Cc: Magnus Hagander <magnus(at)hagander(dot)net>, pgsql-general(at)postgresql(dot)org
Subject: Re: "could not accept SSPI security context"
Date: 2010-11-29 20:05:41
Message-ID: 4CF40795.30705@gmx.de
Lists: pgsql-general

On Mon, 29 Nov 2010 15:27:35 +0100, Reto Schöning
<reto(dot)schoening(at)gmail(dot)com> wrote:
> I just heard back from our IT. There's nothing in the logs for this
> connection attempt, but they noted in the Npgsql log that the
> authentication was attempted using NTLM. However our domain controller
> no longer supports NTLM, but only LDAP(s) and kerberos (it's a Windows
> 2008 server). From the docs I understand that with SSPI, pg should try
> kerberos first and fall back to NTLM. This works when connecting from
> psql. Maybe Npgsql goes straight for NTLM, at least when using it the
> way I do?

Both are using the Negotiate SSP authentication package:

http://msdn.microsoft.com/en-us/library/aa378748%28v=VS.85%29.aspx

Npgsql (SSPIHandler.cs):

    int status = AcquireCredentialsHandle(
        "",
        "negotiate",
        SECPKG_CRED_OUTBOUND,
        IntPtr.Zero,
        IntPtr.Zero,
        IntPtr.Zero,
        IntPtr.Zero,
        ref sspicred,
        out expire
    );

libpq (fe-auth.c):

    /*
     * Send initial SSPI authentication token.
     * If use_negotiate is 0, use kerberos authentication package which is
     * compatible with Unix. If use_negotiate is 1, use the negotiate package
     * which supports both kerberos and NTLM, but is not compatible with Unix.
     */
    r = AcquireCredentialsHandle(NULL,
                                 use_negotiate ? "negotiate" : "kerberos",
                                 SECPKG_CRED_OUTBOUND,
                                 NULL,
                                 NULL,
                                 NULL,
                                 NULL,
                                 conn->sspicred,
                                 &expire);

It should be a one-line patch to force Npgsql into using kerberos, but I
can't see any reason why negotiate should act differently between Npgsql
and libpq.

Regards,

Brar
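
Added example (not part of the original message, and not code from Npgsql or libpq): since both clients request the "negotiate" package, one way to see what each actually sent is to classify the first authentication token taken from a driver log or packet trace. The function and type names below are hypothetical, and the sample tokens are constructed.

```c
#include <string.h>
typedef unsigned char u8;
typedef enum { TOK_UNKNOWN, TOK_RAW_NTLM, TOK_KRB5, TOK_SPNEGO_KRB5, TOK_SPNEGO_NTLM, TOK_SPNEGO_OTHER } tok_kind;

static const u8 OID_SPNEGO[]  = {0x2b,0x06,0x01,0x05,0x05,0x02};                      /* 1.3.6.1.5.5.2 */
static const u8 OID_KRB5[]    = {0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02};       /* 1.2.840.113554.1.2.2 */
static const u8 OID_MS_KRB5[] = {0x2a,0x86,0x48,0x82,0xf7,0x12,0x01,0x02,0x02};       /* 1.2.840.48018.1.2.2 */
static const u8 OID_NTLMSSP[] = {0x2b,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x02,0x0a};  /* 1.3.6.1.4.1.311.2.2.10 */

/* Constructed samples: a minimal SPNEGO NegTokenInit offering Kerberos then NTLM, and a raw NTLM header. */
static const u8 SAMPLE_SPNEGO[] = {0x60,0x27,0x06,0x06,0x2b,0x06,0x01,0x05,0x05,0x02,0xa0,0x1d,0x30,0x1b,
    0xa0,0x19,0x30,0x17,0x06,0x09,0x2a,0x86,0x48,0x82,0xf7,0x12,0x01,0x02,0x02,
    0x06,0x0a,0x2b,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x02,0x0a};
static const u8 SAMPLE_NTLM[] = {'N','T','L','M','S','S','P',0,1,0,0,0};

/* Step into a DER element with the given tag; returns its content (length in *len) or NULL if malformed. */
static const u8 *der_enter(const u8 *p, const u8 *end, u8 tag, size_t *len)
{
    if (!p || end - p < 2 || p[0] != tag) return NULL;
    size_t n = p[1]; p += 2;
    if (n & 0x80) {                          /* long form: low 7 bits count the length bytes */
        size_t cnt = n & 0x7f;
        if (cnt == 0 || cnt > 4 || (size_t)(end - p) < cnt) return NULL;
        for (n = 0; cnt--; p++) n = (n << 8) | *p;
    }
    if ((size_t)(end - p) < n) return NULL;  /* content must fit in the buffer */
    *len = n;
    return p;
}

#define OID_IS(p, n, oid) ((n) == sizeof(oid) && memcmp((p), (oid), (n)) == 0)
/* Report which mechanism the initial client token carries or, for SPNEGO, lists first. */
tok_kind classify_sspi_token(const u8 *tok, size_t len)
{
    const u8 *end = tok + len, *p, *oid;
    size_t n, on;
    if (len >= 8 && memcmp(tok, "NTLMSSP", 8) == 0) return TOK_RAW_NTLM;  /* signature incl. NUL */
    if (!(p = der_enter(tok, end, 0x60, &n))) return TOK_UNKNOWN;         /* GSS-API framing */
    if (!(oid = der_enter(p, end, 0x06, &on))) return TOK_UNKNOWN;        /* outer mechanism OID */
    if (OID_IS(oid, on, OID_KRB5)) return TOK_KRB5;
    if (!OID_IS(oid, on, OID_SPNEGO)) return TOK_UNKNOWN;
    p = der_enter(der_enter(oid + on, end, 0xa0, &n), end, 0x30, &n);     /* NegTokenInit */
    p = der_enter(der_enter(p, end, 0xa0, &n), end, 0x30, &n);            /* mechTypes list */
    if (!(oid = der_enter(p, end, 0x06, &on))) return TOK_UNKNOWN;        /* first entry = preferred */
    if (OID_IS(oid, on, OID_KRB5) || OID_IS(oid, on, OID_MS_KRB5)) return TOK_SPNEGO_KRB5;
    return OID_IS(oid, on, OID_NTLMSSP) ? TOK_SPNEGO_NTLM : TOK_SPNEGO_OTHER;
}

int main(void) { return classify_sspi_token(SAMPLE_SPNEGO, sizeof SAMPLE_SPNEGO) == TOK_SPNEGO_KRB5 ? 0 : 1; }
```

A token that is cut short in a log classifies as TOK_UNKNOWN, because the outer DER length no longer fits the buffer, so the complete token is needed for a reliable answer.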
