As far as I can tell, Npgsql is not correctly negotiating GSSAPI authentication from a Windows client to a Linux (AWS Aurora) hosted cluster. I've tried various permutations of the Npgsql connection string from LINQPad, and I'm not able to successfully connect.
Sample code:
This is running as a .NET 8 Core executable through LINQPad with 10.0.2 referenced.
```csharp
var connectionString = new NpgsqlConnectionStringBuilder
{
    Database = "my_database_name",
    Host = "my_aurora_cluster_domain_enabled_endpoint",
    Username = "my_ad_credential@domain.com",
    SslMode = SslMode.Require
}.ConnectionString;

using (var npgsqlConnection = new NpgsqlConnection(connectionString))
    npgsqlConnection.Open();
```
The exception text I receive:

```
XX000: Invalid GSS token from client. Expected: KRB_AP_REQ. Found: 0xA082
```

The stack trace:

```
   at Npgsql.Internal.NpgsqlConnector.ReadMessageLong(Boolean async, DataRowLoadingMode dataRowLoadingMode, Boolean readingNotifications, Boolean isReadingPrependedMessage)
   at System.Runtime.CompilerServices.PoolingAsyncValueTaskMethodBuilder`1.StateMachineBox`1.System.Threading.Tasks.Sources.IValueTaskSource<TResult>.GetResult(Int16 token)
   at Npgsql.Internal.NpgsqlConnector.AuthenticateGSS(Boolean async, CancellationToken cancellationToken)
   at Npgsql.Internal.NpgsqlConnector.Authenticate(String username, NpgsqlTimeout timeout, Boolean async, CancellationToken cancellationToken)
   at Npgsql.Internal.NpgsqlConnector.<Open>g__OpenCore|209_0(NpgsqlConnector conn, String username, SslMode sslMode, GssEncryptionMode gssEncMode, NpgsqlTimeout timeout, Boolean async, CancellationToken cancellationToken)
   at Npgsql.Internal.NpgsqlConnector.<Open>g__OpenCore|209_0(NpgsqlConnector conn, String username, SslMode sslMode, GssEncryptionMode gssEncMode, NpgsqlTimeout timeout, Boolean async, CancellationToken cancellationToken)
   at Npgsql.Internal.NpgsqlConnector.Open(NpgsqlTimeout timeout, Boolean async, CancellationToken cancellationToken)
   at Npgsql.PoolingDataSource.OpenNewConnector(NpgsqlConnection conn, NpgsqlTimeout timeout, Boolean async, CancellationToken cancellationToken)
   at Npgsql.PoolingDataSource.<Get>g__RentAsync|33_0(NpgsqlConnection conn, NpgsqlTimeout timeout, Boolean async, CancellationToken cancellationToken)
   at Npgsql.NpgsqlConnection.<Open>g__OpenAsync|42_0(Boolean async, CancellationToken cancellationToken)
   at Npgsql.NpgsqlConnection.Open()
   at UserQuery.Main(), line 18
```
Now, the strange thing is, I've tried with other programming languages and tools and they all seem to connect correctly to this Aurora instance without issue. What I've tried:

- `.\psql.exe -h my_aurora_cluster_domain_enabled_endpoint -U my_ad_credential@domain.com -d my_database_name` - this works
- Created a simple Python script to validate connectivity

```python
connection = psycopg2.connect(
    host=host,
    port=port,
    database=database,
    user="my_ad_credential@domain.com",
    sslmode='require'
)
```

- Connecting with pgAdmin4 works just fine

This leads me to believe that the networking and server side configuration of the Aurora instance is working correctly, but that Npgsql here on my .NET client is not negotiating the authentication correctly.
What am I missing on using Npgsql to connect via AD? It's entirely possible I've just managed to completely whiff on the documentation on how to connect here, but I'm starting to go through more esoteric options on debugging here with no additional insights.
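
The server error in the question contrasts an expected KRB_AP_REQ with a token whose bytes begin 0xA0 0x82; 0xA0 is the ASN.1 context tag [0] that opens a SPNEGO NegTokenInit (RFC 4178), while a Kerberos AP_REQ token carries TOK_ID 01 00 after the mechanism OID (RFC 4121). The Python sketch below is an added example, not part of the original post and not Npgsql code: it classifies an initial GSS-API token by its RFC 2743 framing, which is useful when comparing what two clients send. The function names and the sample tokens are hypothetical and constructed for illustration.

```python
# Added example: classify the first GSS-API token a client sends.
# Framing per RFC 2743 s3.1; Kerberos TOK_ID per RFC 4121; SPNEGO per RFC 4178.
KRB5_OID = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2
SPNEGO_OID = bytes.fromhex("2b0601050502")      # 1.3.6.1.5.5.2

# Constructed, truncated sample tokens (not captured from any real system).
SAMPLE_KRB5 = bytes.fromhex("600f" "0609" "2a864886f712010202" "0100" "6e00")
SAMPLE_SPNEGO = bytes.fromhex("600c" "0606" "2b0601050502" "a0820000")


def _der_len(buf, pos):
    """Decode a DER length starting at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:                      # short form: length is the byte itself
        return first, pos + 1
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_gss_token(token):
    """Return a short description of what an initial GSS token carries."""
    if len(token) < 2:
        return "too short"
    if token[0] == 0xA0:                  # [0] tag without the 0x60 wrapper
        return "bare SPNEGO NegTokenInit (no GSS framing)"
    if token[0] != 0x60:                  # [APPLICATION 0] wrapper is mandatory
        return "not a GSS-API initial token (tag 0x%02X)" % token[0]
    try:
        _, pos = _der_len(token, 1)       # outer length, not validated here
        if token[pos] != 0x06:            # OBJECT IDENTIFIER tag
            return "malformed: mechanism OID missing"
        oid_len, pos = _der_len(token, pos + 1)
        oid, inner = token[pos:pos + oid_len], token[pos + oid_len:]
    except (ValueError, IndexError):
        return "malformed or truncated"
    if oid == KRB5_OID:
        if inner[:2] == b"\x01\x00":      # TOK_ID for AP_REQ
            return "Kerberos KRB_AP_REQ"
        return "Kerberos token id " + inner[:2].hex()
    if oid == SPNEGO_OID:
        if inner[:1] == b"\xa0":
            return "SPNEGO NegTokenInit"
        return "SPNEGO (unexpected inner tag)"
    return "unknown mechanism OID " + oid.hex()
```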