Version 2021

Kerberos Authentication

PostgreSQL supports GSSAPI with Kerberos authentication according to RFC 1964. GSSAPI provides automatic authentication (single sign-on) for systems that support it. The authentication itself is secure.

When GSSAPI uses Kerberos, it uses a standard service principal name in servicename/hostname@realm format.

  • servicename: This part of the principal is ordinarily postgres, but another value can be selected via libpq's krbsrvname connection parameter.

  • hostname: The fully qualified host name that libpq is told to connect to.

  • realm: This name is the preferred realm specified in the Kerberos configuration file(s) accessible to the client.

MicroStrategy supports single sign-on (SSO) access to PostgreSQL (using Kerberos) when the MicroStrategy Intelligence server resides on a Windows operating system or UNIX/Linux operating system.

Prerequisites

  • Intelligence server is configured for integrated authentication (Kerberos)

  • PostgreSQL database is enabled for Kerberos (GSSAPI) authentication

See KB19110: How to configure MicroStrategy Intelligence Server for Integrated Authentication (Kerberos) on Unix / Linux for more information about Intelligence server configuration for integrated authentication.

See GSSAPI Authentication on the PostgreSQL site for more information about Kerberos configuration.

See KB484540: Passthrough Kerberos configuration for PostgreSQL on MicroStrategy with the Intelligence Server on Linux for more information about other configurations you need to set on MicroStrategy side, for example, the configuration of DSN, Database instance, Developer, and so on.

Special Use Case

There is a use case for Kerberos authentication against PostgreSQL that you may find useful. This scenario is described below.

  • There is a PostgreSQL technical user, for example, named postgreKrb

  • There are many end users logged into MicroStrategy Web.

  • These users can access the database through the postgreKrb technical user.

See KB484541: Multiple end users to access PostgreSQL through the same database user with Kerberos authentication for more details about this scenario.