# 21.7. SSPI Authentication

SSPI is a Windows technology for secure authentication with single sign-on. PostgreSQL will use SSPI in negotiate mode, which will use Kerberos when possible and automatically fall back to NTLM in other cases. SSPI authentication only works when both server and client are running Windows, or, on non-Windows platforms, when GSSAPI is available.

When using Kerberos authentication, SSPI works the same way GSSAPI does; see Section 21.6 for details.

The following configuration options are supported for SSPI:

include_realm

If set to 0, the realm name from the authenticated user principal is stripped off before being passed through the user name mapping (Section 21.2). This is discouraged and is primarily available for backwards compatibility, as it is not secure in multi-realm environments unless krb_realm is also used. It is recommended to leave include_realm set to the default (1) and to provide an explicit mapping in pg_ident.conf to convert principal names to PostgreSQL user names.

compat_realm

If set to 1, the domain's SAM-compatible name (also known as the NetBIOS name) is used for the include_realm option. This is the default. If set to 0, the true realm name from the Kerberos user principal name is used.

Do not disable this option unless your server runs under a domain account (this includes virtual service accounts on a domain member system) and all clients authenticating through SSPI are also using domain accounts, or authentication will fail.

upn_username

If this option is enabled along with compat_realm, the user name from the Kerberos UPN is used for authentication. If it is disabled (the default), the SAM-compatible user name is used. By default, these two names are identical for new user accounts.

Note that libpq uses the SAM-compatible name if no explicit user name is specified. If you use libpq or a driver based on it, you should leave this option disabled or explicitly specify the user name in the connection string.

map

Allows for mapping between system and database user names. See Section 21.2 for details. For an SSPI/Kerberos principal, such as username@EXAMPLE.COM (or, less commonly, username/hostbased@EXAMPLE.COM), the user name used for mapping is username@EXAMPLE.COM (or username/hostbased@EXAMPLE.COM, respectively), unless include_realm has been set to 0, in which case username (or username/hostbased) is what is seen as the system user name when mapping.

krb_realm

Sets the realm to match user principal names against. If this parameter is set, only users of that realm will be accepted. If it is not set, users of any realm can connect, subject to whatever user name mapping is done.
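The interaction between include_realm, krb_realm and map described above is easy to get wrong, so here is a small model of the decision, as an added example that is not part of the PostgreSQL documentation or source. It reduces the options to a single yes/no decision for one principal and one requested role: strip or keep the realm, optionally reject on krb_realm, then either require an exact name match (no map) or walk a pg_ident.conf map with the same plain and regex (leading "/" and \1 substitution) entry forms. The map name "sspimap", the sample pg_ident.conf contents and the principal names are constructed for the example; the realm string is taken to be whatever SSPI reported (the NetBIOS name when compat_realm=1, the Kerberos realm when compat_realm=0), which is why a krb_realm written as "EXAMPLE.COM" does not match a principal reported as "alice@EXAMPLE".

```python
import re
from typing import Optional

# Simplified model (not PostgreSQL's own code) of how the SSPI options in
# pg_hba.conf and a pg_ident.conf map decide whether a Kerberos/SSPI
# principal may log in as a given database role.

# Constructed sample pg_ident.conf; the map name "sspimap" is an assumption.
# Line 1 maps every EXAMPLE.COM principal to the bare user name; line 2 maps
# one specific principal to the postgres role.
IDENT_CONF = r"""
# MAPNAME   SYSTEM-USERNAME           PG-USERNAME
sspimap     /^(.*)@EXAMPLE\.COM$      \1
sspimap     admin@CORP.EXAMPLE.COM    postgres
"""


def system_name(principal: str, include_realm: int = 1,
                krb_realm: Optional[str] = None) -> Optional[str]:
    """Return the name handed to user-name mapping, or None if rejected.

    The realm is whatever SSPI reported: the NetBIOS domain name when
    compat_realm=1 (the default) or the Kerberos realm when compat_realm=0,
    so krb_realm and any map entries must be written against that form.
    """
    name, sep, realm = principal.rpartition("@")
    if not sep:                      # principal without a realm part
        name, realm = principal, ""
    if krb_realm is not None and realm != krb_realm:
        return None                  # wrong realm: rejected before mapping
    return principal if include_realm else name


def map_allows(ident_conf: str, mapname: str, sysname: str, db_user: str) -> bool:
    """Apply one pg_ident.conf map: entries starting with '/' are regexes,
    and \\1 in the pg-username is replaced by the first capture group."""
    for raw in ident_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sysfield, pgfield = line.split()
        if name != mapname:
            continue
        if sysfield.startswith("/"):
            m = re.match(sysfield[1:], sysname)
            if not m:
                continue
            if "\\1" in pgfield:
                if not m.groups():
                    raise ValueError("pg-username uses \\1 but regex has no group")
                pgfield = pgfield.replace("\\1", m.group(1))
            if pgfield == db_user:
                return True
        elif sysfield == sysname and pgfield == db_user:
            return True
    return False


def sspi_allows(principal: str, db_user: str, *, include_realm: int = 1,
                krb_realm: Optional[str] = None, mapname: Optional[str] = None,
                ident_conf: str = IDENT_CONF) -> bool:
    """Decide whether `principal` may connect as role `db_user`."""
    sysname = system_name(principal, include_realm, krb_realm)
    if sysname is None:
        return False
    if mapname is None:
        return sysname == db_user    # no map: names must match exactly
    return map_allows(ident_conf, mapname, sysname, db_user)


if __name__ == "__main__":
    # Discouraged: include_realm=0 without krb_realm lets a same-named
    # principal from any realm the domain trusts log in as the role.
    print(sspi_allows("alice@EVIL.COM", "alice", include_realm=0))       # True
    # Recommended: keep the realm and map it explicitly.
    print(sspi_allows("alice@EVIL.COM", "alice", mapname="sspimap"))     # False
    print(sspi_allows("alice@EXAMPLE.COM", "alice", mapname="sspimap"))  # True
```

The first call is the multi-realm weakness the include_realm text warns about: with the realm stripped and no krb_realm, "alice" from any realm satisfies the default name-equality check. Anchoring the regex to the realm, as the map does, also keeps a principal from a child domain such as admin@CORP.EXAMPLE.COM from matching the EXAMPLE.COM entry; it can only log in through its own explicit entry.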