Using ActiveDirectory and Kerberos to connect to a postgres database

My organization is using Windows Auth/Active Directory to provide authentication to our postgres databases. I have been unable to use DataGrip to connect to these databases. Is this something that is supported by DataGrip?

0
7 comments
Hi Jeff,

This will depend on the database you have and might require some tweaking of your data source properties. Please let us know your current database(s) so we can advise you.
0

This is running in AWS as an Aurora RDS instance of PostgreSQL 16.1 configured as a cluster with one node. It has Kerberos authentication enabled using AWS Active Directory service.

Is there any further information you require?

0

Thanks for the update.

Please create a config file in /etc/jaas.conf:

    pgjdbc {
      com.sun.security.auth.module.Krb5LoginModule required
      useTicketCache=true
      debug=true
      renewTGT=true
      doNotPrompt=true;
    };

Add the following parameter to VM options:

    -Djava.security.auth.login.config=/etc/jaas.conf


0

I set this up, and now I'm seeing this error in the log.

2024-03-21 07:52:33,838 [167600674]   INFO - #c.i.e.r.RemoteProcessSupport - get normal credential
2024-03-21 07:52:33,838 [167600674]   INFO - #c.i.e.r.RemoteProcessSupport - >>> KrbCreds found the default ticket granting ticket in credential cache.
2024-03-21 07:52:33,843 [167600679]   INFO - #c.i.e.r.RemoteProcessSupport - Java config name: null
2024-03-21 07:52:33,847 [167600683]   INFO - #c.i.e.r.RemoteProcessSupport - Native config name: C:\WINDOWS\krb5.ini
2024-03-21 07:52:33,849 [167600685]   INFO - #c.i.e.r.RemoteProcessSupport - Loaded from native config
2024-03-21 07:52:33,864 [167600700]   INFO - #c.i.e.r.RemoteProcessSupport - >>> Obtained TGT from native ccache: Credentials:
2024-03-21 07:52:33,864 [167600700]   INFO - #c.i.e.r.RemoteProcessSupport - client=<redacted>
2024-03-21 07:52:33,865 [167600701]   INFO - #c.i.e.r.RemoteProcessSupport - server=<redacted>
2024-03-21 07:52:33,865 [167600701]   INFO - #c.i.e.r.RemoteProcessSupport - authTime=20240313140929Z
2024-03-21 07:52:33,865 [167600701]   INFO - #c.i.e.r.RemoteProcessSupport - startTime=20240313140929Z
2024-03-21 07:52:33,865 [167600701]   INFO - #c.i.e.r.RemoteProcessSupport - endTime=20240314000929Z
2024-03-21 07:52:33,865 [167600701]   INFO - #c.i.e.r.RemoteProcessSupport - renewTill=null
2024-03-21 07:52:33,865 [167600701]   INFO - #c.i.e.r.RemoteProcessSupport - flags=INITIAL;PRE-AUTHENT
2024-03-21 07:52:33,866 [167600702]   INFO - #c.i.e.r.RemoteProcessSupport - EType (skey)=18
2024-03-21 07:52:33,866 [167600702]   INFO - #c.i.e.r.RemoteProcessSupport - (tkt key)=18
2024-03-21 07:52:33,866 [167600702]   INFO - #c.i.e.r.RemoteProcessSupport - Ticket could not be renewed : This ticket is not renewable
2024-03-21 07:52:33,866 [167600702]   INFO - #c.i.e.r.RemoteProcessSupport - Credentials are no longer valid
2024-03-21 07:52:33,866 [167600702]   INFO - #c.i.e.r.RemoteProcessSupport - Principal is null
2024-03-21 07:52:33,867 [167600703]   INFO - #c.i.e.r.RemoteProcessSupport - null credentials from Ticket Cache
2024-03-21 07:52:33,867 [167600703]   INFO - #c.i.e.r.RemoteProcessSupport - [Krb5LoginModule] authentication failed
2024-03-21 07:52:33,867 [167600703]   INFO - #c.i.e.r.RemoteProcessSupport - Unable to obtain Principal Name for authentication
2024-03-21 07:52:33,883 [167600719]   WARN - #c.i.d.d.BaseDatabaseErrorHandler$UnknownErrorInfo - GSS Authentication failed
java.sql.SQLException: GSS Authentication failed
    at org.postgresql.gss.MakeGSS.authenticate(MakeGSS.java:173)
    at org.postgresql.core.v3.ConnectionFactoryImpl.lambda$doAuthentication$3(ConnectionFactoryImpl.java:815)
    at org.postgresql.core.v3.AuthenticationPluginManager.withPassword(AuthenticationPluginManager.java:81)
    at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:814)
    at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:203)
    at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:258)
    at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:54)
    at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:263)
    at org.postgresql.Driver.makeConnection(Driver.java:443)
    at org.postgresql.Driver.connect(Driver.java:297)
    at com.intellij.database.remote.jdbc.helpers.JdbcHelperImpl.connect(JdbcHelperImpl.java:719)
    at com.intellij.database.remote.jdbc.impl.RemoteDriverImpl.connect(RemoteDriverImpl.java:153)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:568)
    at java.rmi/sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:360)
    at java.rmi/sun.rmi.transport.Transport$1.run(Transport.java:200)
    at java.rmi/sun.rmi.transport.Transport$1.run(Transport.java:197)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
    at java.rmi/sun.rmi.transport.Transport.serviceCall(Transport.java:196)
    at java.rmi/sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:587)
    at java.rmi/sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:828)
    at java.rmi/sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.lambda$run$0(TCPTransport.java:705)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:399)
    at java.rmi/sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:704)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
    at java.base/java.lang.Thread.run(Thread.java:833)
    at java.rmi/sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(StreamRemoteCall.java:304)
    at java.rmi/sun.rmi.transport.StreamRemoteCall.executeCall(StreamRemoteCall.java:280)
    at java.rmi/sun.rmi.server.UnicastRef.invoke(UnicastRef.java:165)
    at java.rmi/java.rmi.server.RemoteObjectInvocationHandler.invokeRemoteMethod(RemoteObjectInvocationHandler.java:215)
    at java.rmi/java.rmi.server.RemoteObjectInvocationHandler.invoke(RemoteObjectInvocationHandler.java:160)
    at jdk.proxy4/jdk.proxy4.$Proxy182.connect(Unknown Source)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:568)
    at com.intellij.execution.rmi.RemoteUtil.invokeRemote(RemoteUtil.java:153)
    at com.intellij.execution.rmi.RemoteUtil.access$200(RemoteUtil.java:22)
    at com.intellij.execution.rmi.RemoteUtil$1MyHandler.lambda$invoke$0(RemoteUtil.java:135)
    at com.intellij.openapi.util.ClassLoaderUtil.computeWithClassLoader(ClassLoaderUtil.java:31)
    at com.intellij.execution.rmi.RemoteUtil.executeWithClassLoader(RemoteUtil.java:205)
    at com.intellij.execution.rmi.RemoteUtil$1MyHandler.invoke(RemoteUtil.java:135)
    at jdk.proxy4/jdk.proxy4.$Proxy182.connect(Unknown Source)
    at com.intellij.database.dataSource.DatabaseConnectionEstablisher.connect(DatabaseConnectionEstablisher.kt:210)
    at com.intellij.database.dataSource.DatabaseConnectionEstablisher.tryConnectInner(DatabaseConnectionEstablisher.kt:126)
    at com.intellij.database.dataSource.DatabaseConnectionEstablisher.tryConnectAndReleaseCancelled(DatabaseConnectionEstablisher.kt:97)
    at com.intellij.database.dataSource.DatabaseConnectionEstablisher.access$tryConnectAndReleaseCancelled(DatabaseConnectionEstablisher.kt:57)
    at com.intellij.database.dataSource.DatabaseConnectionEstablisher$tryConnect$2$1.invokeSuspend(DatabaseConnectionEstablisher.kt:83)
    at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
    at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:106)
    at kotlinx.coroutines.internal.LimitedDispatcher$Worker.run(LimitedDispatcher.kt:115)
    at kotlinx.coroutines.scheduling.TaskImpl.run(Tasks.kt:100)
    at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely(CoroutineScheduler.kt:584)
    at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.executeTask(CoroutineScheduler.kt:793)
    at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.runWorker(CoroutineScheduler.kt:697)
    at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(CoroutineScheduler.kt:684)
Caused by: javax.security.auth.login.LoginException: Unable to obtain Principal Name for authentication
    at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.promptForName(Krb5LoginModule.java:826)
    at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:689)
    at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:597)
    at java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
    at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:679)
    at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:677)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
    at java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:677)
    at java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:587)
    at org.postgresql.gss.MakeGSS.authenticate(MakeGSS.java:147)
    at org.postgresql.core.v3.ConnectionFactoryImpl.lambda$doAuthentication$3(ConnectionFactoryImpl.java:815)
    at org.postgresql.core.v3.AuthenticationPluginManager.withPassword(AuthenticationPluginManager.java:81)
    at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:814)
    at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:203)
    at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:258)
    at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:54)
    at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:263)
    at org.postgresql.Driver.makeConnection(Driver.java:443)
    at org.postgresql.Driver.connect(Driver.java:297)
    at com.intellij.database.remote.jdbc.helpers.JdbcHelperImpl.connect(JdbcHelperImpl.java:719)
    at com.intellij.database.remote.jdbc.impl.RemoteDriverImpl.connect(RemoteDriverImpl.java:153)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:568)
    at java.rmi/sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:360)
    at java.rmi/sun.rmi.transport.Transport$1.run(Transport.java:200)
    at java.rmi/sun.rmi.transport.Transport$1.run(Transport.java:197)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
    at java.rmi/sun.rmi.transport.Transport.serviceCall(Transport.java:196)
    at java.rmi/sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:587)
    at java.rmi/sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:828)
    at java.rmi/sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.lambda$run$0(TCPTransport.java:705)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:399)
    at java.rmi/sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:704)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
    at java.base/java.lang.Thread.run(Thread.java:833)
    Suppressed: com.intellij.database.util.AsyncTask$Companion$FrameData: Async frame data: Test Connection -> Prepare connection -> Establish database connection -> Get database credentials -> Perform database connection

0
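
The debug lines in the log above show a cached TGT whose endTime is a week earlier than the log timestamp and whose renewTill is null. The following is an added example, not part of the thread and not JetBrains or pgjdbc code, that extracts those fields from a Krb5LoginModule debug log and reports what they imply; the function names are hypothetical and the IDE log timestamp is assumed to be UTC.

```python
import re
from datetime import datetime, timezone

# Lines excerpted from the Krb5LoginModule debug output posted above.
SAMPLE_LOG = """\
2024-03-21 07:52:33,864 [167600700]   INFO - #c.i.e.r.RemoteProcessSupport - >>> Obtained TGT from native ccache: Credentials:
2024-03-21 07:52:33,865 [167600701]   INFO - #c.i.e.r.RemoteProcessSupport - authTime=20240313140929Z
2024-03-21 07:52:33,865 [167600701]   INFO - #c.i.e.r.RemoteProcessSupport - endTime=20240314000929Z
2024-03-21 07:52:33,865 [167600701]   INFO - #c.i.e.r.RemoteProcessSupport - renewTill=null
2024-03-21 07:52:33,866 [167600702]   INFO - #c.i.e.r.RemoteProcessSupport - Ticket could not be renewed : This ticket is not renewable
2024-03-21 07:52:33,867 [167600703]   INFO - #c.i.e.r.RemoteProcessSupport - [Krb5LoginModule] authentication failed
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ .*? - #\S+ - (.*)$")
FIELD = re.compile(r"^(authTime|startTime|endTime|renewTill)=(\S+)$")

def kerberos_time(value):
    """Parse a KerberosTime such as 20240314000929Z; 'null' becomes None."""
    if value == "null":
        return None
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def diagnose_tgt(log_text):
    """Return findings about the cached TGT described in a debug log."""
    fields, seen_at, findings = {}, None, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # stack-trace frames and other non-log lines
        stamp, message = m.groups()
        f = FIELD.match(message)
        if f:
            fields[f.group(1)] = kerberos_time(f.group(2))
            # Assumption: the IDE log timestamp is treated as UTC.
            seen_at = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    end, renew = fields.get("endTime"), fields.get("renewTill")
    if end and seen_at and end < seen_at:
        findings.append(f"TGT expired {(seen_at - end).days} days before the connection attempt")
    if "renewTill" in fields and renew is None:
        findings.append("TGT is not renewable, so renewTGT=true cannot refresh it")
    elif renew and seen_at and renew < seen_at:
        findings.append("TGT renewal window has closed")
    return findings

if __name__ == "__main__":
    for finding in diagnose_tgt(SAMPLE_LOG):
        print(finding)
```
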
Please upload screenshots of the General and Advanced Tab onto our FTP https://uploads.jetbrains.com/ and provide the upload id in your reply.
0

2024_03_22_2ACpWq87PQQJmyNFTND1xn

0
Please try to run using the same username specified in the data source properties.

“kinit ”  

Also, run the “klist” command. Provide the output of both commands in the terminal.
0
