Using ActiveDirectory and Kerberos to connect to a postgres database
My organization is using Windows Auth/Active Directory to provide authentication to our postgres databases. I have been unable to use DataGrip to connect to these databases. Is this something that is supported by DataGrip?
This will depend on the database you have and might require some tweaking of your data source properties. Please let us know your current database(s) so we can advise you.
This is running in AWS as an Aurora RDS instance of PostgreSQL 16.1 configured as a cluster with one node. It has Kerberos authentication enabled using AWS Active Directory service.
Is there any further information you require?
Thanks for the update.
Please create a config file in /etc/jaas.conf:
pgjdbc {
    com.sun.security.auth.module.Krb5LoginModule required
    useTicketCache=true
    debug=true
    renewTGT=true
    doNotPrompt=true;
};
Add the following parameter to VM options:
-Djava.security.auth.login.config=/etc/jaas.conf
I set this up, and now I'm seeing this error in the log.
2024-03-21 07:52:33,838 [167600674] INFO - #c.i.e.r.RemoteProcessSupport - get normal credential
2024-03-21 07:52:33,838 [167600674] INFO - #c.i.e.r.RemoteProcessSupport - >>> KrbCreds found the default ticket granting ticket in credential cache.
2024-03-21 07:52:33,843 [167600679] INFO - #c.i.e.r.RemoteProcessSupport - Java config name: null
2024-03-21 07:52:33,847 [167600683] INFO - #c.i.e.r.RemoteProcessSupport - Native config name: C:\WINDOWS\krb5.ini
2024-03-21 07:52:33,849 [167600685] INFO - #c.i.e.r.RemoteProcessSupport - Loaded from native config
2024-03-21 07:52:33,864 [167600700] INFO - #c.i.e.r.RemoteProcessSupport - >>> Obtained TGT from native ccache: Credentials:
2024-03-21 07:52:33,864 [167600700] INFO - #c.i.e.r.RemoteProcessSupport - client=<redacted>
2024-03-21 07:52:33,865 [167600701] INFO - #c.i.e.r.RemoteProcessSupport - server=<redacted>
2024-03-21 07:52:33,865 [167600701] INFO - #c.i.e.r.RemoteProcessSupport - authTime=20240313140929Z
2024-03-21 07:52:33,865 [167600701] INFO - #c.i.e.r.RemoteProcessSupport - startTime=20240313140929Z
2024-03-21 07:52:33,865 [167600701] INFO - #c.i.e.r.RemoteProcessSupport - endTime=20240314000929Z
2024-03-21 07:52:33,865 [167600701] INFO - #c.i.e.r.RemoteProcessSupport - renewTill=null
2024-03-21 07:52:33,865 [167600701] INFO - #c.i.e.r.RemoteProcessSupport - flags=INITIAL;PRE-AUTHENT
2024-03-21 07:52:33,866 [167600702] INFO - #c.i.e.r.RemoteProcessSupport - EType (skey)=18
2024-03-21 07:52:33,866 [167600702] INFO - #c.i.e.r.RemoteProcessSupport - (tkt key)=18
2024-03-21 07:52:33,866 [167600702] INFO - #c.i.e.r.RemoteProcessSupport - Ticket could not be renewed : This ticket is not renewable
2024-03-21 07:52:33,866 [167600702] INFO - #c.i.e.r.RemoteProcessSupport - Credentials are no longer valid
2024-03-21 07:52:33,866 [167600702] INFO - #c.i.e.r.RemoteProcessSupport - Principal is null
2024-03-21 07:52:33,867 [167600703] INFO - #c.i.e.r.RemoteProcessSupport - null credentials from Ticket Cache
2024-03-21 07:52:33,867 [167600703] INFO - #c.i.e.r.RemoteProcessSupport - [Krb5LoginModule] authentication failed
2024-03-21 07:52:33,867 [167600703] INFO - #c.i.e.r.RemoteProcessSupport - Unable to obtain Principal Name for authentication
2024-03-21 07:52:33,883 [167600719] WARN - #c.i.d.d.BaseDatabaseErrorHandler$UnknownErrorInfo - GSS Authentication failed
java.sql.SQLException: GSS Authentication failed
at org.postgresql.gss.MakeGSS.authenticate(MakeGSS.java:173)
at org.postgresql.core.v3.ConnectionFactoryImpl.lambda$doAuthentication$3(ConnectionFactoryImpl.java:815)
at org.postgresql.core.v3.AuthenticationPluginManager.withPassword(AuthenticationPluginManager.java:81)
at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:814)
at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:203)
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:258)
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:54)
at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:263)
at org.postgresql.Driver.makeConnection(Driver.java:443)
at org.postgresql.Driver.connect(Driver.java:297)
at com.intellij.database.remote.jdbc.helpers.JdbcHelperImpl.connect(JdbcHelperImpl.java:719)
at com.intellij.database.remote.jdbc.impl.RemoteDriverImpl.connect(RemoteDriverImpl.java:153)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:568)
at java.rmi/sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:360)
at java.rmi/sun.rmi.transport.Transport$1.run(Transport.java:200)
at java.rmi/sun.rmi.transport.Transport$1.run(Transport.java:197)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
at java.rmi/sun.rmi.transport.Transport.serviceCall(Transport.java:196)
at java.rmi/sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:587)
at java.rmi/sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:828)
at java.rmi/sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.lambda$run$0(TCPTransport.java:705)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:399)
at java.rmi/sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:704)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.base/java.lang.Thread.run(Thread.java:833)
at java.rmi/sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(StreamRemoteCall.java:304)
at java.rmi/sun.rmi.transport.StreamRemoteCall.executeCall(StreamRemoteCall.java:280)
at java.rmi/sun.rmi.server.UnicastRef.invoke(UnicastRef.java:165)
at java.rmi/java.rmi.server.RemoteObjectInvocationHandler.invokeRemoteMethod(RemoteObjectInvocationHandler.java:215)
at java.rmi/java.rmi.server.RemoteObjectInvocationHandler.invoke(RemoteObjectInvocationHandler.java:160)
at jdk.proxy4/jdk.proxy4.$Proxy182.connect(Unknown Source)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:568)
at com.intellij.execution.rmi.RemoteUtil.invokeRemote(RemoteUtil.java:153)
at com.intellij.execution.rmi.RemoteUtil.access$200(RemoteUtil.java:22)
at com.intellij.execution.rmi.RemoteUtil$1MyHandler.lambda$invoke$0(RemoteUtil.java:135)
at com.intellij.openapi.util.ClassLoaderUtil.computeWithClassLoader(ClassLoaderUtil.java:31)
at com.intellij.execution.rmi.RemoteUtil.executeWithClassLoader(RemoteUtil.java:205)
at com.intellij.execution.rmi.RemoteUtil$1MyHandler.invoke(RemoteUtil.java:135)
at jdk.proxy4/jdk.proxy4.$Proxy182.connect(Unknown Source)
at com.intellij.database.dataSource.DatabaseConnectionEstablisher.connect(DatabaseConnectionEstablisher.kt:210)
at com.intellij.database.dataSource.DatabaseConnectionEstablisher.tryConnectInner(DatabaseConnectionEstablisher.kt:126)
at com.intellij.database.dataSource.DatabaseConnectionEstablisher.tryConnectAndReleaseCancelled(DatabaseConnectionEstablisher.kt:97)
at com.intellij.database.dataSource.DatabaseConnectionEstablisher.access$tryConnectAndReleaseCancelled(DatabaseConnectionEstablisher.kt:57)
at com.intellij.database.dataSource.DatabaseConnectionEstablisher$tryConnect$2$1.invokeSuspend(DatabaseConnectionEstablisher.kt:83)
at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:106)
at kotlinx.coroutines.internal.LimitedDispatcher$Worker.run(LimitedDispatcher.kt:115)
at kotlinx.coroutines.scheduling.TaskImpl.run(Tasks.kt:100)
at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely(CoroutineScheduler.kt:584)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.executeTask(CoroutineScheduler.kt:793)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.runWorker(CoroutineScheduler.kt:697)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(CoroutineScheduler.kt:684)
Caused by: javax.security.auth.login.LoginException: Unable to obtain Principal Name for authentication
at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.promptForName(Krb5LoginModule.java:826)
at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:689)
at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:597)
at java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:679)
at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:677)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
at java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:677)
at java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:587)
at org.postgresql.gss.MakeGSS.authenticate(MakeGSS.java:147)
at org.postgresql.core.v3.ConnectionFactoryImpl.lambda$doAuthentication$3(ConnectionFactoryImpl.java:815)
at org.postgresql.core.v3.AuthenticationPluginManager.withPassword(AuthenticationPluginManager.java:81)
at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:814)
at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:203)
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:258)
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:54)
at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:263)
at org.postgresql.Driver.makeConnection(Driver.java:443)
at org.postgresql.Driver.connect(Driver.java:297)
at com.intellij.database.remote.jdbc.helpers.JdbcHelperImpl.connect(JdbcHelperImpl.java:719)
at com.intellij.database.remote.jdbc.impl.RemoteDriverImpl.connect(RemoteDriverImpl.java:153)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:568)
at java.rmi/sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:360)
at java.rmi/sun.rmi.transport.Transport$1.run(Transport.java:200)
at java.rmi/sun.rmi.transport.Transport$1.run(Transport.java:197)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
at java.rmi/sun.rmi.transport.Transport.serviceCall(Transport.java:196)
at java.rmi/sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:587)
at java.rmi/sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:828)
at java.rmi/sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.lambda$run$0(TCPTransport.java:705)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:399)
at java.rmi/sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:704)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.base/java.lang.Thread.run(Thread.java:833)
Suppressed: com.intellij.database.util.AsyncTask$Companion$FrameData: Async frame data: Test Connection -> Prepare connection -> Establish database connection -> Get database credentials -> Perform database connection
2024_03_22_2ACpWq87PQQJmyNFTND1xn
“kinit ”
Also, run the “klist” command. Provide the output of both commands in the terminal.
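Added example, not part of the thread: the Krb5LoginModule debug lines posted above already carry the cached ticket's endTime and renewTill, so a short Python triage can compare them with the log timestamps. The function and finding names are hypothetical, and the IDE log's time zone is assumed unknown, hence the 14-hour slack.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: four of the debug lines posted in the thread, copied as posted.
SAMPLE_LOG = """\
2024-03-21 07:52:33,865 [167600701] INFO - #c.i.e.r.RemoteProcessSupport - endTime=20240314000929Z
2024-03-21 07:52:33,865 [167600701] INFO - #c.i.e.r.RemoteProcessSupport - renewTill=null
2024-03-21 07:52:33,866 [167600702] INFO - #c.i.e.r.RemoteProcessSupport - Ticket could not be renewed : This ticket is not renewable
2024-03-21 07:52:33,866 [167600702] INFO - #c.i.e.r.RemoteProcessSupport - Credentials are no longer valid
"""

# IDE log prefix: "<date> <time>,<ms> [<uptime>] LEVEL - #logger - message"
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ \[\s*\d+\]\s+\w+\s+- \S+ - (.*)$")
FIELD = re.compile(r"^(authTime|startTime|endTime|renewTill)=(\S+)$")
# Assumption: log stamps carry no zone; they are read as UTC with the widest offset as slack.
TZ_SLACK = timedelta(hours=14)

def krb_time(value):
    """Parse a Kerberos timestamp such as 20240314000929Z; 'null' means unset."""
    if value == "null":
        return None
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def triage(log_text):
    """Return findings about the cached TGT described in Krb5LoginModule debug output."""
    fields, seen_at, rejected = {}, {}, False
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # stack-trace frames and blank lines carry no ticket data
        stamp = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        msg = m.group(2).strip()
        f = FIELD.match(msg)
        if f:
            fields[f.group(1)] = krb_time(f.group(2))
            seen_at[f.group(1)] = stamp
        rejected = rejected or msg == "Credentials are no longer valid"
    findings, overdue = [], None
    if fields.get("endTime"):
        overdue = seen_at["endTime"] - fields["endTime"]  # positive: already past endTime
        if overdue > TZ_SLACK:
            findings.append("tgt_expired")
        elif overdue > -TZ_SLACK:
            findings.append("tgt_expiry_uncertain")
    if "renewTill" in fields and fields["renewTill"] is None:
        findings.append("tgt_not_renewable")
    if rejected:
        findings.append("cache_rejected_by_login_module")
    return {"findings": findings, "overdue": overdue}
```

On the posted lines this reports a ticket that ended about a week before the connection attempt and has no renewTill, which matches the "Credentials are no longer valid" message that precedes the GSS failure.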