Hi, here is the command how the keytab has been regenerated. Unfortunatelly it did not helped.
ktpass -out pgadmin-dev-ad-ee1.keytab -mapUser pgadmin-...@aws-ad-ee1.example.com<mailto:pgadmin-...@aws-ad-ee1.example.com> +rndPass -mapOp set +DumpSalt -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -princ HTTP/pgadmin-dev.aws-ad-ee1.example.com.sk@AWS-AD-EE1<mailto:HTTP/pgadmin-dev.aws-ad-ee1.example.com.sk@AWS-AD-EE1>. EXAMPLE.COM Targeting domain controller: IP-C6130167.aws-ad-ee1.example.com Successfully mapped HTTP/pgadmin-dev.aws-ad-ee1.example.com to pgadmin-dev. Password successfully set! Building salt with principalname HTTP/pgadmin-dev.aws-ad-ee1.example.com and domain AWS-AD-EE1.EXAMPLE.COM.SK (encryption type 18)... Hashing password with salt "AWS-AD-EE1.EXAMPLE.COMHTTPpgadmin-dev.aws-ad-ee1.example.com". Key created. Output keytab to pgadmin-dev-ad-ee1.keytab: Keytab version: 0x502 keysize 117 HTTP/pgadmin-dev.aws-ad-ee1.example....@aws-ad-ee1.example.com<mailto:HTTP/pgadmin-dev.aws-ad-ee1.example....@aws-ad-ee1.example.com> ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype 0x12 (AES256-SHA1) keylength 32 (0x65c0f02ddea2d866d2e792cd125ff1784aa646bb0035ebd2c5fedf7282c7c384) C:\Users\Admin> Do you have any another advice how to find out where is the problem? Thank you milanm From: Khushboo Vashi <khushboo.va...@enterprisedb.com> Sent: Monday, January 9, 2023 7:11 AM To: Milan MOLNÁR <milan_mol...@tatrabanka.sk> Cc: pgadmin-supp...@postgresql.org Subject: Re: pgadmin kerberos auth propblem - Delegated credentials not supplied. Hi, On Sat, Jan 7, 2023 at 3:53 PM Milan MOLNÁR <milan_mol...@tatrabanka.sk<mailto:milan_mol...@tatrabanka.sk>> wrote: Hello Khushboo, thnak you for your time and advice. We had to change the concept based on your recommendation, because as I wrote, we used external kdc on linux to provide krb ticket for the service and therefore there was not any user on AD. We created service user account on the AD (password never expire, AES 128/256 encryption), set service SPN to that user, generate keytab via ktpass command. When we use pgadmin to use this keytab and ask directly AD for kerberos ticket we ended with the error message Have you used any encryption type while creating Keytab ? As it should match with the AD user account. If possible please provide the command you have used to create the keytab file. Make sure to generate the new keytab, whenever you do changes in AD user. Thanks, Khushboo ________________________________________________________________________ Informácie obsiahnuté v tomto dokumente sú určené výlučne pre potreby jeho adresáta. Dokument môže obsahovať informácie chránené bankovým alebo obchodným tajomstvom alebo informácie podliehajúce ochrane podľa iných právnych predpisov. V prípade, že Vám bol tento dokument doručený omylom, vyzývame Vás, aby ste sa zdržali odtajnenia alebo použitia pre vlastnú potrebu. Zároveň si Vás dovoľujeme požiadať, aby ste nás o takomto prípade bez zbytočného odkladu informovali a následne dokument zlikvidovali. The information contained in this document is intended exclusively for the needs of its addressee. The document may contain information protected by banking or trade secrets or information subject to protection under other legal regulations. In the event that this document was delivered to you by mistake, we urge you to refrain from declassifying it or using it for your own purposes. At the same time, we would like to request that you inform us of such a case without undue delay and then dispose of the document. Tatra banka, a.s. Hodžovo námestie 3, 811 06 Bratislava 1 IČO: 00 686 930 Zapísaná v obchodnom registri Okresného sudu Bratislava I Oddiel: Sa, vložka číslo: 71/B https://www.tatrabanka.sk
