PostgreSQL via Kerberos on Windows
My org is running several PostgreSQL Aurora instances and is moving toward using AD/Kerberos authentication. I can get it to work via pgAdmin and ODBC, but am unable to successfully connect using DataGrip. I tried following the steps at the below URL, altering one config to look at a Windows path, but am unable to connect. Some help/guidance would be greatly appreciated.
jaas.conf
pgjdbc {
com.sun.security.auth.module.Krb5LoginModule required
useTicketCache=true
debug=true
renewTGT=true
doNotPrompt=true;
};
VM options
-Xmx4096m -Djava.security.auth.login.config="D:\User Content\mchamlee\conf\jaas.conf"
Log output from most recent attempt
2025-02-13 07:43:50,065 [260382247] INFO - #c.i.e.r.RemoteProcessSupport - "C:\Program Files\JetBrains\DataGrip 2024.1.2\jbr\bin\java" -Xmx4096m "-Djava.security.auth.login.config=D:\User Content\mchamlee\conf\jaas.conf" -Djava.rmi.server.hostname=127.0.0.1 -Duser.timezone=UTC -Xms256m "-Djdbc.classpath=C:\Program Files\JetBrains\DataGrip 2024.1.2\plugins\DatabaseTools\lib\jdbc-console.jar;C:\Users\mchamlee\AppData\Roaming\JetBrains\DataGrip2024.1\jdbc-drivers\PostgreSQL\42.6.0\org\postgresql\postgresql\42.6.0\postgresql-42.6.0.jar;C:\Users\mchamlee\AppData\Roaming\JetBrains\DataGrip2024.1\jdbc-drivers\PostgreSQL\42.6.0\org\checkerframework\checker-qual\3.31.0\checker-qual-3.31.0.jar;C:\Users\mchamlee\AppData\Roaming\JetBrains\DataGrip2024.1\jdbc-drivers\PostgreSQL\42.6.0\com\github\waffle\waffle-jna\1.9.1\waffle-jna-1.9.1.jar;C:\Users\mchamlee\AppData\Roaming\JetBrains\DataGrip2024.1\jdbc-drivers\PostgreSQL\42.6.0\net\java\dev\jna\jna\4.5.1\jna-4.5.1.jar;C:\Users\mchamlee\AppData\Roaming\JetBrains\DataGrip2024.1\jdbc-drivers\PostgreSQL\42.6.0\net\java\dev\jna\jna-platform\4.5.1\jna-platform-4.5.1.jar;C:\Users\mchamlee\AppData\Roaming\JetBrains\DataGrip2024.1\jdbc-drivers\PostgreSQL\42.6.0\org\slf4j\jcl-over-slf4j\1.7.25\jcl-over-slf4j-1.7.25.jar;C:\Users\mchamlee\AppData\Roaming\JetBrains\DataGrip2024.1\jdbc-drivers\PostgreSQL\42.6.0\org\slf4j\slf4j-api\1.7.25\slf4j-api-1.7.25.jar;C:\Users\mchamlee\AppData\Roaming\JetBrains\DataGrip2024.1\jdbc-drivers\PostgreSQL\42.6.0\com\github\ben-manes\caffeine\caffeine\2.6.2\caffeine-2.6.2.jar" --add-exports java.desktop/sun.awt=ALL-UNNAMED --add-exports java.desktop/java.awt.peer=ALL-UNNAMED --add-opens java.desktop/java.awt=ALL-UNNAMED --add-opens=jdk.unsupported/sun.misc=ALL-UNNAMED --add-opens=java.base/java.nio=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED -Dfile.encoding=UTF-8 -classpath "C:\Program Files\JetBrains\DataGrip 2024.1.2\lib\util_rt.jar;C:\Program Files\JetBrains\DataGrip 
2024.1.2\lib\util-8.jar;C:\Program Files\JetBrains\DataGrip 2024.1.2\lib\groovy.jar;C:\Program Files\JetBrains\DataGrip 2024.1.2\plugins\DatabaseTools\lib\jdbc-console.jar;C:\Program Files\JetBrains\DataGrip 2024.1.2\plugins\grid-core-impl\lib\jdbc-console-types.jar;C:\Program Files\JetBrains\DataGrip 2024.1.2\lib\util.jar" com.intellij.database.remote.RemoteJdbcServer org.postgresql.Driver
2025-02-13 07:43:50,261 [260382443] INFO - #c.i.e.r.RemoteProcessSupport - Using classpath: C:\Program Files\JetBrains\DataGrip 2024.1.2\plugins\DatabaseTools\lib\jdbc-console.jar;C:\Users\mchamlee\AppData\Roaming\JetBrains\DataGrip2024.1\jdbc-drivers\PostgreSQL\42.6.0\org\postgresql\postgresql\42.6.0\postgresql-42.6.0.jar;C:\Users\mchamlee\AppData\Roaming\JetBrains\DataGrip2024.1\jdbc-drivers\PostgreSQL\42.6.0\org\checkerframework\checker-qual\3.31.0\checker-qual-3.31.0.jar;C:\Users\mchamlee\AppData\Roaming\JetBrains\DataGrip2024.1\jdbc-drivers\PostgreSQL\42.6.0\com\github\waffle\waffle-jna\1.9.1\waffle-jna-1.9.1.jar;C:\Users\mchamlee\AppData\Roaming\JetBrains\DataGrip2024.1\jdbc-drivers\PostgreSQL\42.6.0\net\java\dev\jna\jna\4.5.1\jna-4.5.1.jar;C:\Users\mchamlee\AppData\Roaming\JetBrains\DataGrip2024.1\jdbc-drivers\PostgreSQL\42.6.0\net\java\dev\jna\jna-platform\4.5.1\jna-platform-4.5.1.jar;C:\Users\mchamlee\AppData\Roaming\JetBrains\DataGrip2024.1\jdbc-drivers\PostgreSQL\42.6.0\org\slf4j\jcl-over-slf4j\1.7.25\jcl-over-slf4j-1.7.25.jar;C:\Users\mchamlee\AppData\Roaming\JetBrains\DataGrip2024.1\jdbc-drivers\PostgreSQL\42.6.0\org\slf4j\slf4j-api\1.7.25\slf4j-api-1.7.25.jar;C:\Users\mchamlee\AppData\Roaming\JetBrains\DataGrip2024.1\jdbc-drivers\PostgreSQL\42.6.0\com\github\ben-manes\caffeine\caffeine\2.6.2\caffeine-2.6.2.jar
2025-02-13 07:43:50,261 [260382443] INFO - #c.i.e.r.RemoteProcessSupport - and base loader jdk.internal.loader.ClassLoaders$PlatformClassLoader@63d4e2ba
2025-02-13 07:43:50,321 [260382503] INFO - #c.i.e.r.RemoteProcessSupport - Desktop actions are jbr-api
2025-02-13 07:43:50,447 [260382629] INFO - #c.i.e.r.RemoteProcessSupport - Port/ServicesPort/ID: 48315/50493/RemoteDriverImpla65a2ae0
2025-02-13 07:43:50,486 [260382668] INFO - #c.i.d.d.DatabaseConnectionEstablisher - Connecting to: jdbc:postgresql://rnoaurdevcl01-cluster-1.cluster-cjovq5m53wq9.us-west-2.aws.cloud:5432/ods
2025-02-13 07:43:50,486 [260382668] INFO - #c.i.e.r.RemoteProcessSupport -
2025-02-13 07:43:50,486 [260382668] INFO - #c.i.d.d.DatabaseConnectionEstablisher - Auth provider: user-pass
2025-02-13 07:43:50,486 [260382668] INFO - #c.i.d.d.DatabaseCredentialsAuthProvider - Connecting as: mchamlee@EIGWC.COM
2025-02-13 07:43:50,868 [260383050] INFO - #c.i.e.r.RemoteProcessSupport - Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt true ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
2025-02-13 07:43:50,868 [260383050] INFO - #c.i.e.r.RemoteProcessSupport - Acquire TGT from Cache
2025-02-13 07:43:50,898 [260383080] INFO - #c.i.e.r.RemoteProcessSupport - Principal is null
2025-02-13 07:43:50,898 [260383080] INFO - #c.i.e.r.RemoteProcessSupport - null credentials from Ticket Cache
2025-02-13 07:43:50,898 [260383080] INFO - #c.i.e.r.RemoteProcessSupport - [Krb5LoginModule] authentication failed
2025-02-13 07:43:50,898 [260383080] INFO - #c.i.e.r.RemoteProcessSupport - Unable to obtain Principal Name for authentication
2025-02-13 07:43:50,915 [260383097] WARN - #c.i.d.d.BaseDatabaseErrorHandler$UnknownErrorInfo - GSS Authentication failed
java.sql.SQLException: GSS Authentication failed
at org.postgresql.gss.MakeGSS.authenticate(MakeGSS.java:173)
at org.postgresql.core.v3.ConnectionFactoryImpl.lambda$doAuthentication$3(ConnectionFactoryImpl.java:815)
at org.postgresql.core.v3.AuthenticationPluginManager.withPassword(AuthenticationPluginManager.java:81)
at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:814)
at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:203)
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:258)
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:54)
at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:263)
at org.postgresql.Driver.makeConnection(Driver.java:443)
at org.postgresql.Driver.connect(Driver.java:297)
at com.intellij.database.remote.jdbc.helpers.JdbcHelperImpl.connect(JdbcHelperImpl.java:768)
at com.intellij.database.remote.jdbc.impl.RemoteDriverImpl.connect(RemoteDriverImpl.java:153)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:568)
at java.rmi/sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:360)
at java.rmi/sun.rmi.transport.Transport$1.run(Transport.java:200)
at java.rmi/sun.rmi.transport.Transport$1.run(Transport.java:197)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
at java.rmi/sun.rmi.transport.Transport.serviceCall(Transport.java:196)
at java.rmi/sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:587)
at java.rmi/sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:828)
at java.rmi/sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.lambda$run$0(TCPTransport.java:705)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:399)
at java.rmi/sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:704)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.base/java.lang.Thread.run(Thread.java:840)
at java.rmi/sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(StreamRemoteCall.java:304)
at java.rmi/sun.rmi.transport.StreamRemoteCall.executeCall(StreamRemoteCall.java:280)
at java.rmi/sun.rmi.server.UnicastRef.invoke(UnicastRef.java:165)
at java.rmi/java.rmi.server.RemoteObjectInvocationHandler.invokeRemoteMethod(RemoteObjectInvocationHandler.java:215)
at java.rmi/java.rmi.server.RemoteObjectInvocationHandler.invoke(RemoteObjectInvocationHandler.java:160)
at jdk.proxy4/jdk.proxy4.$Proxy191.connect(Unknown Source)
at jdk.internal.reflect.GeneratedMethodAccessor492.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:568)
at com.intellij.execution.rmi.RemoteUtil.invokeRemote(RemoteUtil.java:153)
at com.intellij.execution.rmi.RemoteUtil.access$200(RemoteUtil.java:22)
at com.intellij.execution.rmi.RemoteUtil$1MyHandler.lambda$invoke$0(RemoteUtil.java:135)
at com.intellij.openapi.util.ClassLoaderUtil.computeWithClassLoader(ClassLoaderUtil.java:31)
at com.intellij.execution.rmi.RemoteUtil.executeWithClassLoader(RemoteUtil.java:205)
at com.intellij.execution.rmi.RemoteUtil$1MyHandler.invoke(RemoteUtil.java:135)
at jdk.proxy4/jdk.proxy4.$Proxy191.connect(Unknown Source)
at com.intellij.database.dataSource.DatabaseConnectionEstablisher.connect(DatabaseConnectionEstablisher.kt:169)
at com.intellij.database.dataSource.DatabaseConnectionEstablisher.access$connect(DatabaseConnectionEstablisher.kt:49)
at com.intellij.database.dataSource.DatabaseConnectionEstablisher$tryConnectInner$2$1.invoke(DatabaseConnectionEstablisher.kt:72)
at com.intellij.database.dataSource.DatabaseConnectionEstablisher$tryConnectInner$2$1.invoke(DatabaseConnectionEstablisher.kt:72)
at com.intellij.openapi.progress.CoroutinesKt.blockingContextInner(coroutines.kt:320)
at com.intellij.openapi.progress.CoroutinesKt.access$blockingContextInner(coroutines.kt:1)
at com.intellij.openapi.progress.CoroutinesKt$blockingContext$2.invokeSuspend(coroutines.kt:197)
at com.intellij.openapi.progress.CoroutinesKt$blockingContext$2.invoke(coroutines.kt)
at com.intellij.openapi.progress.CoroutinesKt$blockingContext$2.invoke(coroutines.kt)
at kotlinx.coroutines.intrinsics.UndispatchedKt.startUndispatchedOrReturn(Undispatched.kt:78)
at kotlinx.coroutines.CoroutineScopeKt.coroutineScope(CoroutineScope.kt:264)
at com.intellij.openapi.progress.CoroutinesKt.blockingContext(coroutines.kt:196)
at com.intellij.database.dataSource.DatabaseConnectionEstablisher$tryConnectInner$2.invokeSuspend(DatabaseConnectionEstablisher.kt:72)
at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:108)
at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely(CoroutineScheduler.kt:584)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.executeTask(CoroutineScheduler.kt:793)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.runWorker(CoroutineScheduler.kt:697)
at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(CoroutineScheduler.kt:684)
Caused by: javax.security.auth.login.LoginException: Unable to obtain Principal Name for authentication
at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.promptForName(Krb5LoginModule.java:826)
at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:689)
at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:597)
at java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:679)
at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:677)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
at java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:677)
at java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:587)
at org.postgresql.gss.MakeGSS.authenticate(MakeGSS.java:147)
at org.postgresql.core.v3.ConnectionFactoryImpl.lambda$doAuthentication$3(ConnectionFactoryImpl.java:815)
at org.postgresql.core.v3.AuthenticationPluginManager.withPassword(AuthenticationPluginManager.java:81)
at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:814)
at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:203)
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:258)
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:54)
at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:263)
at org.postgresql.Driver.makeConnection(Driver.java:443)
at org.postgresql.Driver.connect(Driver.java:297)
at com.intellij.database.remote.jdbc.helpers.JdbcHelperImpl.connect(JdbcHelperImpl.java:768)
at com.intellij.database.remote.jdbc.impl.RemoteDriverImpl.connect(RemoteDriverImpl.java:153)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:568)
at java.rmi/sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:360)
at java.rmi/sun.rmi.transport.Transport$1.run(Transport.java:200)
at java.rmi/sun.rmi.transport.Transport$1.run(Transport.java:197)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
at java.rmi/sun.rmi.transport.Transport.serviceCall(Transport.java:196)
at java.rmi/sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:587)
at java.rmi/sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:828)
at java.rmi/sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.lambda$run$0(TCPTransport.java:705)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:399)
at java.rmi/sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:704)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.base/java.lang.Thread.run(Thread.java:840)
Suppressed: com.intellij.database.util.AsyncTask$Companion$FrameData: Async frame data: Test connection
2025-02-13 07:43:52,398 [260384580] INFO - #c.i.e.r.RemoteProcessSupport - Terminating: 127.0.0.1:48315/RemoteDriverImpla65a2ae0
2025-02-13 07:43:52,444 [260384626] INFO - #c.i.e.r.RemoteProcessSupport - Process finished with exit code -1
I was able to get this resolved today with help from another team member.
For those that run into the same challenge, I had some differences from the linked/referenced post above.
ktutil in WSL2 to accomplish this. Example steps I followed here: authentication - Creating a keytab to use with kinit in Windows - Stack Overflow
A jaas.conf file that included directives for the .keytab file and the principal. NOTE: The / is important for the keyTab path in this file, it does not work with Windows \ path separator.
krb5.conf file appropriate to my environment. This is very environment/org specific, so reach out to an experienced dev team or admin person in your org for details.
/ or \.
-Djava.security.auth.login.config=C:/path/to/jaas.conf
-Djava.security.krb5.conf=C:/path/to/krb5.conf
jaas.conf principal). The Password field does not appear necessary, you can leave it blank.
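A keytab-based jaas.conf entry of the kind the reply above describes, added here as an illustration and not the poster's actual file. The keytab path and the principal are placeholders; the option names are standard Krb5LoginModule options.

```conf
// Constructed example: the path and principal below are placeholders.
// The entry name "pgjdbc" is the one used in the original question.
pgjdbc {
    com.sun.security.auth.module.Krb5LoginModule required

    // Take the key from a keytab instead of the ticket cache. The original
    // entry relied on useTicketCache=true, and the log shows
    // "null credentials from Ticket Cache" followed by
    // "Unable to obtain Principal Name for authentication".
    useKeyTab=true

    // Forward slashes only: per the reply, the Windows "\" separator
    // does not work for the keyTab path.
    // A keytab holds the principal's long-term key and is equivalent to
    // its password, so restrict the file's ACL to the owning user.
    keyTab="C:/path/to/user.keytab"

    // Must name a principal that is actually stored in the keytab.
    principal="user@EXAMPLE.COM"

    // Fail instead of prompting if the keytab cannot be used.
    doNotPrompt=true

    // Prints the module's decisions to the log, as in the question's
    // output; remove once the connection works.
    debug=true;
};
```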