Kerberos Support in pgAdmin 4

March 01, 2021

The pgAdmin team has been receiving requests from users to support Kerberos Authentication for quite some time and as a result, we have decided to implement it.

The work has been divided into 2 phases. The first phase adds pluggable Kerberos authentication in the pgAdmin Server (multi user) mode using GSSAPI and SPNEGO, similar to the existing LDAP support. The web browser and the pgAdmin web server negotiate Kerberos as the security mechanism through SPNEGO and exchange tickets as SPNEGO tokens over HTTPS; if the Kerberos authentication succeeds, the pgAdmin login page is bypassed entirely.

The first phase has been released in pgAdmin 4 v4.30 and the work is in progress for the second phase which will connect to PostgreSQL servers using Kerberos Delegated Credentials.

The configuration for Kerberos in pgAdmin is not tough and I have put together this guide to help you to configure pgAdmin with Kerberos in your environment.

The following instructions assume that the Kerberos Server is already set up and the ticket generation for the pgAdmin login user is done. pgAdmin uses the ticket from the client machine’s credential cache. The pgAdmin installers have taken care of installing the appropriate libraries for Kerberos but you need to create a krb5.conf file with the appropriate settings as per your environment.

Configure pgAdmin to Support Kerberos

The first step is to configure pgAdmin to support Kerberos authentication in Server (multi user) mode.

To enable it in pgAdmin, set the parameters below in or (see the documentation) on the system where pgAdmin server is installed.


To enable Kerberos support, you need to add 'kerberos' to the list.


Set it to True if you want to automatically create a pgAdmin user corresponding to the Kerberos user once authentication succeeds.


Specify the pgAdmin server host name. It is an optional parameter; if it is not set, it takes the same value as the DEFAULT_SERVER pgAdmin parameter.


Keytab file location for HTTP Service, an optional parameter.

Below is the sample code snippet from


    # Kerberos Configurations
    KRB_KTNAME = '/etc/pgadmin4/pgadmin.keytab'


Throughout the document let’s assume your pgAdmin server hostname is and your Kerberos realm is DOMAIN.ORG

Keytab File for HTTP Service Principal

The second step is to generate the keytab file for the HTTP service principal for the pgAdmin web server. After creating the HTTP principal HTTP/<host-name>@realm, generate the keytab file.

        ktadd -k pgadmin.keytab HTTP/

This command should create the keytab file named pgadmin.keytab. Copy this file to the machine where the pgAdmin web server is running. Ensure that the operating system user owning the pgAdmin web server is the owner of this file and that the file is accessible to that user. For example, if your pgAdmin is running under Apache on Ubuntu with the www-data user, the owner of the keytab file should be www-data.

The next thing is to set the location of the keytab file, so that the pgAdmin server can use it during the authentication process.

You can choose any of the following ways to set the Keytab file location:

  1. Set the default_keytab_name parameter in krb5.conf file
  2. Set the environment variable KRB5_KTNAME
  3. Explicitly set KRB_KTNAME in the pgAdmin or

Note that if more than one option is set, the keytab will be used in descending order of priority.
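The keytab holds the long-term key of the HTTP service principal, so its owner, mode and contents are worth verifying after the copy. The script below is an added example, not part of pgAdmin or the original post: it reads the MIT keytab format (version 0x0502) directly and checks the owner, the mode and the expected principal. The hostname pgadmin.example.org, the owner-only mode rule and the constructed sample keytab are assumptions made for the example.

```python
import os, stat, struct, tempfile

def keytab_principals(data):
    """Principals found in an MIT keytab (file format version 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    names, pos = set(), 2
    while pos + 4 <= len(data):
        (size,), pos = struct.unpack_from(">i", data, pos), pos + 4
        if size == 0:
            break
        if size < 0:                      # negative size marks a deleted entry
            pos -= size
            continue
        entry, pos = data[pos:pos + size], pos + size
        (count,) = struct.unpack_from(">H", entry, 0)
        off, parts = 2, []
        for _ in range(count + 1):        # realm first, then the name components
            (n,) = struct.unpack_from(">H", entry, off)
            parts.append(entry[off + 2:off + 2 + n].decode())
            off += 2 + n
        names.add("/".join(parts[1:]) + "@" + parts[0])
    return names

def audit_keytab(path, principal, owner_uid):
    """Return a list of problems; an empty list means the checks passed."""
    st, problems = os.stat(path), []
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != owner_uid:
        problems.append("owner uid is %d, expected %d" % (st.st_uid, owner_uid))
    if mode & 0o077:                      # assumption: only the owner needs access
        problems.append("group/other can access the file (mode %o)" % mode)
    with open(path, "rb") as fh:
        if principal not in keytab_principals(fh.read()):
            problems.append("no key for " + principal)
    return problems

def sample_keytab(realm, components):
    """Constructed test data: one entry holding a dummy all-zero AES-256 key."""
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    body = struct.pack(">H", len(components)) + cs(realm) + b"".join(map(cs, components))
    body += struct.pack(">IIBHH", 1, 0, 1, 18, 32) + bytes(32)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

if __name__ == "__main__":
    with tempfile.NamedTemporaryFile(suffix=".keytab") as tmp:
        tmp.write(sample_keytab("DOMAIN.ORG", ["HTTP", "pgadmin.example.org"]))
        tmp.flush()
        os.chmod(tmp.name, 0o644)         # deliberately too open
        print(audit_keytab(tmp.name, "HTTP/pgadmin.example.org@DOMAIN.ORG", os.getuid()))
```

On a real host, pass the uid of the web server account (www-data in the Ubuntu example above) as owner_uid and the path you set for the keytab.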

Configure the Browser to support SPNEGO

The next step is to configure the browser to support SPNEGO, which is responsible for forwarding the Kerberos ticket to the pgAdmin web server over HTTPS.

Below are the steps to configure Mozilla Firefox:

  • Open the low-level Firefox configuration page by loading the about:config page.
  • In the Search text box, enter: network.negotiate-auth.trusted-uris
  • Double-click the network.negotiate-auth.trusted-uris preference and enter the hostname or the domain of the pgAdmin web server
  • Click OK.

Check the documentation for the equivalent process for your browser if you're not using Firefox.

Configure Apache

If the pgAdmin server is running under the Apache Server, then you need to add the following parameters in the Directory directive of the Apache HTTPD configuration:

  • WSGIScriptReloading On
  • WSGIPassAuthorization On

For example:



    WSGIScriptReloading On
    WSGIPassAuthorization On





Having configured pgAdmin as described, you should now be able to log in to a remote pgAdmin server without having to supply a username and password; your authentication information will be provided by the browser automatically.
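If the login page still appears, the Authorization header that reaches pgAdmin shows which mechanism the browser offered through SPNEGO. The parser below is an added example (not pgAdmin code); the sample token is constructed, and mod_wsgi exposes the header to the application as HTTP_AUTHORIZATION only when WSGIPassAuthorization is On.

```python
import base64

SPNEGO = bytes.fromhex("2b0601050502")                        # 1.3.6.1.5.5.2
MECHS = {bytes.fromhex("2a864886f712010202"): "kerberos",     # 1.2.840.113554.1.2.2
         bytes.fromhex("2a864882f712010202"): "ms-kerberos",  # 1.2.840.48018.1.2.2
         bytes.fromhex("2b06010401823702020a"): "ntlm"}       # 1.3.6.1.4.1.311.2.2.10

def tlv(buf, pos=0):
    """Read one DER element; return (tag, value, offset just past it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                   # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def offered_mechanisms(header):
    """Mechanisms named in an 'Authorization: Negotiate <base64>' value."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "negotiate":
        return []
    try:
        token = base64.b64decode(blob.strip(), validate=True)
        if token.startswith(b"NTLMSSP\x00"):       # bare NTLM, no SPNEGO wrapper
            return ["ntlm"]
        tag, body, _ = tlv(token)
        _, oid, pos = tlv(body)
        if tag != 0x60 or oid != SPNEGO:           # raw GSS token (e.g. Kerberos) or junk
            return [MECHS.get(oid, oid.hex())] if tag == 0x60 else []
        for expect in (0xA0, 0x30, 0xA0, 0x30):    # NegTokenInit -> mechTypes list
            tag, body, _ = tlv(body, pos)
            if tag != expect:
                return []
            pos = 0
        mechs = []
        while pos < len(body):
            _, oid, pos = tlv(body, pos)
            mechs.append(MECHS.get(oid, oid.hex()))
        return mechs
    except (ValueError, IndexError):               # bad base64 or truncated DER
        return []

def sample_header():
    # Constructed NegTokenInit that lists Kerberos, then NTLM (no mechToken).
    der = lambda tag, value: bytes([tag, len(value)]) + value  # short-form lengths only
    krb, _, ntlm = MECHS
    init = der(0xA0, der(0x30, der(0xA0, der(0x30, der(0x06, krb) + der(0x06, ntlm)))))
    return "Negotiate " + base64.b64encode(der(0x60, der(0x06, SPNEGO) + init)).decode()

if __name__ == "__main__":
    print(offered_mechanisms(sample_header()))
```

A request that arrives with no Authorization header at all points at the browser's trusted-uris setting or at WSGIPassAuthorization; a result of only ntlm usually means the browser did not obtain a ticket for the HTTP service principal.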

Look out for the second phase of this project in a future release which will allow authentication to the PostgreSQL servers you manage with pgAdmin to be handled using Kerberos as well.
