Problem solve Get help with specific problems with your technologies, process and projects.

Working with Kerberos in Active Directory

I hope this is not a dumb question but we are a Windows shop and we will be switching to Active Directory real soon. I did some checking and we will be using Kerberos authentication, I know I will have to make some changes to our Oracle client machines and I think I will have to make changes at the database servers as well. I reviewed Oracle8i Advanced Security Administrator's Guide, primarly Chapter 6. I have never had to set this up before and am confused by the documentation.

My question is two fold: What exactly do I need to do to enable Oracle to work with Kerberos in Active Directory? We have a mix of client machines most use Oracle 8.0.6 but we do have some 7.3.4 clients as well as 8i clients. Will the changes mentioned in the 8i documentation work with earlier client versions? I hope I have stated my problem clearly and apologize if I have not. Any and all help would be greatly appreciated!
Oracle's OS authentication on Windows forces the database to "trust" that the client system has performed authentication of the user and, therefore, the database does not require additional authentication. This behavior allows users to access two-tier database applications using their Windows credentials without an additional username/password for their database logon.

There is no special requirement from Oracle that forces you to integrate your Active Directory/Kerberos logons with database logons. If you're one of the few that are using some sort of OS-based database authentication now, then Kerberos integration may be your next logical step. If you are using standard database username/password authentication, introducing Active Directory into your environment will not require you to change anything.

Interoperability between Oracle Advanced Security's Kerberos authentication adapter and MS Active Directory has been available since, and 9.2.0. However, you were still required to issue the initialization command manually to retrieve your credentials from the MS KDC using the okinit command that came with Oracle ASO.

Integration with the desktop login for Windows 2000 finally arrived in which allowed you to skip the manual okinit step and use the kerberos tickets that Windows already obtains during a normal Windows login. I have tested this with a database server on Solaris and Windows 2000 clients (the clients have to be AD-authenticated Windows 2000 or later, but server can be just about any platform) and it works pretty well if you have two-tier applications. This type of authentication does not make much sense if you're not connecting directly to a database (i.e. two-tier).

Note that the Kerberos authentication adapter is a component of the Oracle Advanced Security Option (ASO). ASO is a separately licensed component (even though it may be delivered on the same CDs) that most sites do not typically purchase, so make sure you're properly licensed before installing and using it.

The best starting points for information on Kerberos and Microsoft AD integration are two NOTEs on Metalink:
158599.1 Oracle Advanced Security: Interoperability with Microsoft KDC on Windows 2000
218275.1 Using Windows Domain Login for Oracle Kerberos Authentication with Microsoft Active Directory

Dig Deeper on Oracle database security

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.