I am trying to connect with Postgres Database using Windows authentication.
Here are the details
This is the change made in pg_ident.conf
pg_ident
```
# MAPNAME SYSTEM-USERNAME PG-USERNAME
SSPI domainusername pgusername same as domainusername
```
This is from pg_hba.conf
pg_hba
```
# IPv4 local connections for SSPI:
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
local all all scram-sha-256
#== lines for specific users for SSPI (or anything else) BEFORE the catchall lines ==
# IPv4 local connections for SSPI:
host all domainusername 127.0.0.1/32 ident map=SSPI
# IPv6 local connections for SSPI:
host all domainusername ::1/128 ident map=SSPI
#====================================================================
# IPv4 local connections:
host all all 127.0.0.1/32 scram-sha-256
host all all all md5
# IPv6 local connections:
host all all ::1/128 scram-sha-256
# Allow replication connections from localhost, by a user with the
# replication privilege.
local replication all scram-sha-256
host replication all 127.0.0.1/32 scram-sha-256
host replication all ::1/128 scram-sha-256
```
In the postgres login a "login" is created with the same name as domainusername. The user has the login role.
Connection object
```
NpgsqlConnection(@"Server = Servername;Port = 5432;Database = DBname; Integrated Security = True;");
```
When I try to run the exe the error that I get is
**'No password has been provided but the backend requires one (in SASL/SCRAM-SHA-256)'**
I am using Postgres v16
2 Answers
I got my solution using the following link -
https://www.cafe-encounter.net/p2034/postgres-using-integrated-security-on-windows-on-localhost
It seems to me that the application must be running on the same server as the Postgres DB. We have to have localhost on the connection string and also the username. My problem is solved with this approach. The open question remains - if I can connect from an application from a different server.
The use of "integrated security=true" in the connection string suggests you want either SSPI or GSS. "Ident" would not count as integrated security.
"Ident" is rarely used at all (it is archaic and not very secure, as the backchannel messages are easy to spoof). And it is even more rarely used on Windows.
Your error message clearly says SCRAM is being used, so you must be hitting one of the scram lines in the pg_hba. I guess this is because your supplied username does not actually equal ‘domainusername’, so it instead falls through to one of the ‘all’ lines.
If you look in the server’s log file, you should see a message which is very clear about what line of the pg_hba was being used, and what the provided username was and what the authenticated username was.
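The first-match selection described in the answer above, as an added example (not code from the question or either answer): a simplified matcher run over the question's `host` records. It handles only literal names, `all` and CIDR addresses; the sample user names and the 10.0.0.5 address are constructed.

```python
import ipaddress

# The host records from the question's pg_hba.conf, in file order
# (local and replication records omitted; they do not apply to a TCP login).
PG_HBA = """\
host all domainusername 127.0.0.1/32 ident map=SSPI
host all domainusername ::1/128 ident map=SSPI
host all all 127.0.0.1/32 scram-sha-256
host all all all md5
host all all ::1/128 scram-sha-256
"""

def parse(text):
    """Split each non-comment record into (type, db, user, address, method, options)."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 5:
            rules.append((*fields[:5], fields[5:]))
    return rules

def addr_matches(rule_addr, client_ip):
    if rule_addr == "all":          # "all" matches any IPv4 or IPv6 client
        return True
    net = ipaddress.ip_network(rule_addr, strict=False)
    ip = ipaddress.ip_address(client_ip)
    return ip.version == net.version and ip in net

def first_match(rules, database, user, client_ip):
    """Return (record number, method) of the first matching record; later records are never tried."""
    for n, (ctype, db, usr, addr, method, _opts) in enumerate(rules, 1):
        if ctype != "host":
            continue
        if db not in ("all", database) or usr not in ("all", user):
            continue                # names are compared exactly, case included
        if addr_matches(addr, client_ip):
            return n, method
    return None                     # no record matches: the server rejects the login

RULES = parse(PG_HBA)

if __name__ == "__main__":
    # Constructed logins: the user names and 10.0.0.5 are sample values.
    for user, ip in [("domainusername", "127.0.0.1"), ("DOMAIN\\domainusername", "127.0.0.1"),
                     ("domainusername", "10.0.0.5"), ("postgres", "::1")]:
        print(f"{user!r:28} from {ip:10} -> {first_match(RULES, 'DBname', user, ip)}")
```

The last sample login shows that `host all all all md5` sits above the `::1/128` scram record, so that record can never be selected.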