Re: "could not accept SSPI security context"
From | Brar Piening |
---|---|
Subject | Re: "could not accept SSPI security context" |
Date | |
Msg-id | 4CF40795.30705@gmx.de |
In reply to | Re: "could not accept SSPI security context" (Reto Schöning <reto.schoening@gmail.com>) |
List | pgsql-general |
On Mon, 29 Nov 2010 15:27:35 +0100, Reto Schöning <reto.schoening@gmail.com> wrote:

> I just heard back from our IT. There's nothing in the logs for this
> connection attempt, but they noted in the Npgsql log that the
> authentication was attempted using NTLM. However our domain controller
> no longer supports NTLM, but only LDAP(s) and kerberos (it's a Windows
> 2008 server). From the docs I understand that with SSPI, pg should try
> kerberos first and fall back to NTLM. This works when connecting from
> psql. Maybe Npgsql goes straight for NTLM, at least when using it the
> way I do?

Both are using the Negotiate SSP authentication package
http://msdn.microsoft.com/en-us/library/aa378748%28v=VS.85%29.aspx

Npgsql (SSPIHandler.cs):

```csharp
int status = AcquireCredentialsHandle(
    "",
    "negotiate",
    SECPKG_CRED_OUTBOUND,
    IntPtr.Zero,
    IntPtr.Zero,
    IntPtr.Zero,
    IntPtr.Zero,
    ref sspicred,
    out expire
);
```

libpq (fe-auth.c):

```c
/*
 * Send initial SSPI authentication token.
 * If use_negotiate is 0, use kerberos authentication package which is
 * compatible with Unix. If use_negotiate is 1, use the negotiate package
 * which supports both kerberos and NTLM, but is not compatible with Unix.
 */
r = AcquireCredentialsHandle(NULL,
                             use_negotiate ? "negotiate" : "kerberos",
                             SECPKG_CRED_OUTBOUND,
                             NULL,
                             NULL,
                             NULL,
                             NULL,
                             conn->sspicred,
                             &expire);
```

It should be a one line patch to force Npgsql into using kerberos but I
can't see any reason why negotiate should act differently between Npgsql
and libpq.

Regards,
Brar
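
Added example, not part of the original message and not Npgsql or libpq code: one way to confirm which mechanism a client actually put on the wire (the Npgsql log quoted above reported NTLM) is to decode the first SSPI token it sends. The function names and the sample token are constructed for illustration; the parser covers raw NTLMSSP messages, bare Kerberos tokens and SPNEGO tokens with their list of offered mechanisms.

```python
# Added example, not Npgsql/libpq code; names and SAMPLE are constructed.
MECHS = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos",
    "1.2.840.48018.1.2.2": "Kerberos (legacy Microsoft OID)",
    "1.3.6.1.4.1.311.2.2.10": "NTLM",
}

def read_tlv(buf, pos, want):
    """Parse the DER element at pos; return (value_start, value_end)."""
    if pos + 2 > len(buf) or buf[pos] != want:
        raise ValueError(f"expected tag {want:#x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: n length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if length == 0 or pos + length > len(buf):
        raise ValueError("empty or truncated element")
    return pos, pos + length

def oid_name(body):
    """Decode DER OID content bytes and map them to a mechanism name."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                  # high bit clear ends this arc
            arcs, value = arcs + [value], 0
    dotted = ".".join(map(str, arcs))
    return MECHS.get(dotted, dotted)      # unknown OIDs stay in dotted form

def offered_mechs(token):
    """Return the mechanisms a first token offers, most preferred first."""
    if token.startswith(b"NTLMSSP\x00"):  # raw NTLM message, no GSS framing
        return ["NTLM"]
    pos, _ = read_tlv(token, 0, 0x60)     # GSS-API initial context token
    s, e = read_tlv(token, pos, 0x06)     # thisMech OID
    mech = oid_name(token[s:e])
    if mech != "SPNEGO":
        return [mech]                     # e.g. a bare Kerberos token
    # Descend: [0] NegTokenInit, its SEQUENCE, [0] mechTypes, SEQUENCE OF OID
    for tag in (0xA0, 0x30, 0xA0, 0x30):
        e, end = read_tlv(token, e, tag)
    mechs = []
    while e < end:
        vs, e = read_tlv(token, e, 0x06)
        mechs.append(oid_name(token[vs:e]))
    return mechs

SAMPLE = bytes.fromhex("603206062b0601050502a0283026a024302206092a864882f712010202"
                       "06092a864886f712010202060a2b06010401823702020a")
```

A result of only `["NTLM"]` means the client never offered Kerberos for that connection, which matches a domain controller rejecting the attempt when NTLM is disabled.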