Kerberos Support in pgAdmin 4

March 01, 2021

The pgAdmin team has been receiving requests from users to support Kerberos Authentication for quite some time and as a result, we have decided to implement it.

The work has been divided into two phases. The first phase adds pluggable Kerberos authentication in the pgAdmin Server (multi user) mode using GSSAPI and SPNEGO, similar to the existing LDAP support. The web browser and the pgAdmin web server negotiate Kerberos as a security mechanism through SPNEGO and exchange tickets as SPNEGO tokens over HTTPS; if the Kerberos authentication succeeds, the pgAdmin login page is bypassed entirely.

The first phase has been released in pgAdmin 4 v4.30, and work is in progress on the second phase, which will connect to PostgreSQL servers using Kerberos Delegated Credentials.

The configuration for Kerberos in pgAdmin is not tough and I have put together this guide to help you to configure pgAdmin with Kerberos in your environment.

The following instructions assume that the Kerberos Server is already set up and the ticket generation for the pgAdmin login user is done. pgAdmin uses the ticket from the client machine’s credential cache. The pgAdmin installers have taken care of installing the appropriate libraries for Kerberos but you need to create a krb5.conf file with the appropriate settings as per your environment.

Configure pgAdmin to Support Kerberos

The first step is to configure pgAdmin to support Kerberos authentication in Server (multi user) mode.

To enable it in pgAdmin, set the parameters below in or (see the documentation) on the system where pgAdmin server is installed.


To enable Kerberos support, add 'kerberos' to the list.


Set it to True if you want to automatically create a pgAdmin user corresponding to the Kerberos user once authentication succeeds.


Specify the pgAdmin server host name. It is an optional parameter; if it is not set, it takes the same value as the DEFAULT_SERVER pgAdmin parameter.


Keytab file location for HTTP Service, an optional parameter.

Below is the sample code snippet from


    # Kerberos Configurations





    KRB_KTNAME = '/etc/pgadmin4/pgadmin.keytab'


Throughout the document let’s assume your pgAdmin server hostname is and your Kerberos realm is DOMAIN.ORG

Keytab File for HTTP Service Principal

The second step is to generate the keytab file for the HTTP service principal for the pgAdmin web server. After creating HTTP principal HTTP/<host-name>@realm, generate the keytab file.

        ktadd -k pgadmin.keytab HTTP/

This command should create the keytab file named pgadmin.keytab. Copy this file to the machine where the pgAdmin web server is running. Ensure that the operating system user owning the pgAdmin web server is the owner of this file and the file is accessible to that user. For example, if your pgAdmin is running under Apache on Ubuntu with the www-data user, the owner of the keytab file should be www-data.

The next thing is to set the location of the keytab file, so the pgAdmin server can use it during the authentication process.

You can choose any of the following ways to set the Keytab file location:

  1. Set the default_keytab_name parameter in krb5.conf file
  2. Set the environment variable KRB5_KTNAME
  3. Explicitly set KRB_KTNAME in the pgAdmin or

Note that if more than one option is set, the keytab will be used in descending order of priority.
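The ownership requirement above can be checked before restarting the web server. The following is an added example, not code from pgAdmin or from the original post; `audit_keytab` is a hypothetical helper, and its check that group and other have no access goes one step beyond what the post asks for, because the keytab holds the service principal's long-term keys.

```python
import os
import stat
import tempfile

KEYTAB_MAGIC = (b"\x05\x01", b"\x05\x02")  # MIT keytab file format versions 1 and 2


def audit_keytab(path, expected_uid):
    """Return a list of findings for the keytab at path; an empty list means OK."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["keytab file does not exist"]
    if not stat.S_ISREG(st.st_mode):
        return ["keytab path is not a regular file"]
    findings = []
    if st.st_uid != expected_uid:
        findings.append(f"owner uid is {st.st_uid}, expected {expected_uid}")
    if not st.st_mode & stat.S_IRUSR:
        findings.append("owner has no read permission")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        mode = stat.S_IMODE(st.st_mode)
        findings.append(f"group or other can access the file (mode {mode:04o})")
    try:
        with open(path, "rb") as fh:
            if fh.read(2) not in KEYTAB_MAGIC:
                findings.append("file does not start with a keytab version header")
    except PermissionError:
        findings.append("current user cannot read the file to check its header")
    return findings


if __name__ == "__main__":
    # Constructed sample: a temporary file standing in for pgadmin.keytab.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"\x05\x02" + b"\x00" * 16)
    os.chmod(tmp.name, 0o644)  # deliberately too permissive
    for finding in audit_keytab(tmp.name, os.getuid()):
        print("FINDING:", finding)
    os.unlink(tmp.name)
```

On a real server, pass the keytab path configured for pgAdmin and the uid of the web server user, for example `pwd.getpwnam("www-data").pw_uid` in the Ubuntu case described above.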

Configure the Browser to support SPNEGO

The next step is to configure the browser to support SPNEGO, which is responsible for forwarding the Kerberos ticket to the pgAdmin web server over HTTPS.

Below are the steps to configure Mozilla Firefox:

  • Open the low-level Firefox configuration page by loading the about:config page.
  • In the Search text box, enter: network.negotiate-auth.trusted-uris
  • Double-click the network.negotiate-auth.trusted-uris preference and enter the hostname or the domain of the pgAdmin web server
  • Click OK.

Check the documentation for the equivalent process for your browser if you're not using Firefox.

Configure Apache

If the pgAdmin server is running under the Apache server, add the following parameters to the Directory directive of the Apache HTTPD configuration:

  • WSGIScriptReloading On
  • WSGIPassAuthorization On

For example:



             WSGIScriptReloading On
             WSGIPassAuthorization On





Having configured pgAdmin as described, you should now be able to log in to a remote pgAdmin server without having to supply a username and password; your authentication information will be provided by the browser automatically.
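When the login page still appears, it helps to see what actually reached the WSGI application. The following is an added diagnostic example, not pgAdmin's own code: `classify_authorization` is a hypothetical helper that inspects the `HTTP_AUTHORIZATION` entry of a WSGI environ and tells a SPNEGO or raw Kerberos token apart from an NTLM fallback token or a header that never arrived (no token sent by the browser, or `WSGIPassAuthorization` not enabled).

```python
import base64

SPNEGO_OID = bytes.fromhex("06062b0601050502")      # DER OID 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # DER OID 1.2.840.113554.1.2.2


def gss_mech_oid(token):
    """Return the DER-encoded mechanism OID of a GSS-API initial token, or None."""
    if len(token) < 4 or token[0] != 0x60:   # [APPLICATION 0] wrapper
        return None
    pos = 2
    if token[1] & 0x80:                       # long-form length: skip length bytes
        pos += token[1] & 0x7F
    if pos + 2 > len(token) or token[pos] != 0x06:
        return None
    end = pos + 2 + token[pos + 1]
    return token[pos:end] if end <= len(token) else None


def classify_authorization(environ):
    """Classify the Authorization header as the WSGI application sees it."""
    header = environ.get("HTTP_AUTHORIZATION")
    if header is None:
        # Browser sent no token, or Apache did not pass the header on.
        return "missing"
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "negotiate":
        return "other-scheme"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:
        return "malformed"
    if token.startswith(b"NTLMSSP\x00"):
        return "ntlm"                         # NTLM fallback, not a Kerberos ticket
    oid = gss_mech_oid(token)
    return {SPNEGO_OID: "spnego", KRB5_OID: "kerberos"}.get(oid, "malformed")


if __name__ == "__main__":
    # Constructed sample tokens: headers only, not real tickets.
    samples = {
        "spnego": bytes.fromhex("600a06062b0601050502a000"),
        "ntlm": b"NTLMSSP\x00\x01\x00\x00\x00",
    }
    for name, raw in samples.items():
        env = {"HTTP_AUTHORIZATION": "Negotiate " + base64.b64encode(raw).decode()}
        print(name, "->", classify_authorization(env))
    print("no header ->", classify_authorization({}))
```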

Look out for the second phase of this project in a future release which will allow authentication to the PostgreSQL servers you manage with pgAdmin to be handled using Kerberos as well.
