Oracle9i Database Platform Guide
Release 2 (9.2) for Windows, Part No. B10163-01
This chapter describes authentication of Oracle9i database users with Windows operating systems.
This chapter contains these topics:
Oracle9i database can use Windows user login credentials to authenticate database users. Benefits include:
Enabling users to connect to Oracle9i databases without supplying a username or password
Centralizing Oracle9i database user authentication and role authorization information in Windows NT or Windows 2000, which frees Oracle9i from storing or managing user passwords or role information
The Windows native authentication adapter (automatically installed with Oracle Net Services) enables database user authentication through Windows. This enables client computers to make secure connections to an Oracle9i database on a Windows server. The server then permits the user to perform database actions on the server.
Note: Current user database links are not supported with Windows native authentication.
Note: This chapter describes using Windows native authentication methods with Windows 2000 and Windows NT 4.0. For information on Secure Sockets Layer (SSL) protocol and Oracle Internet Directory, see Oracle Advanced Security Administrator's Guide and Oracle Internet Directory Administrator's Guide.
The Windows native authentication adapter works with Windows authentication protocols to enable access to your Oracle9i database.
Kerberos is the default authentication protocol for Windows 2000.
NT LAN Manager (NTLM) is the default protocol for Windows NT 4.0.
If the user is logged on as a Windows 2000 domain user from a Windows 2000 computer, then Kerberos is the authentication mechanism used by the NTS adapter.
For all other users (local users, Windows NT 4.0 domain users, Windows 95 users, and Windows 98 users), NTLM is the authentication mechanism used by the NTS adapter.
If authentication is set to NTS on a standalone Windows 2000 or Windows NT 4.0 computer, ensure that Windows service NT LM Security Support Provider is started. If this service is not started on a standalone Windows 2000 or Windows NT 4.0 computer, then NTS authentication fails. This issue is applicable only if you are running Windows 2000 or Windows NT 4.0 in standalone mode.
Client computers do not need to specify an authentication protocol when attempting a connection to an Oracle9i database. Instead, Oracle9i database determines the protocol to use, completely transparent to the user. The only Oracle requirement is to ensure that parameter SQLNET.AUTHENTICATION_SERVICES contains nts in the following file on both the client and database server:
ORACLE_BASE\ORACLE_HOME\network\admin\sqlnet.ora
This is the default setting for both after installation. For Oracle8 8.0 releases, you must manually set this value.
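The two prerequisites described above (nts listed in SQLNET.AUTHENTICATION_SERVICES, and the NT LM Security Support Provider service running on a standalone computer) can be checked from a PowerShell prompt. This is an added example, not code from the Oracle guide; it assumes ORACLE_HOME is set in the environment and that sqlnet.ora sits under network\admin of that home.

```powershell
# Added example (not from the Oracle guide): verify the NTS prerequisites the text describes.
function Get-SqlnetAuthServices {
    param([string]$SqlnetOra)   # assumption: "$env:ORACLE_HOME\network\admin\sqlnet.ora"
    if (-not (Test-Path $SqlnetOra)) { return @() }
    foreach ($line in Get-Content $SqlnetOra) {
        if ($line -match '^\s*#') { continue }   # skip sqlnet.ora comment lines
        # Matches e.g. "SQLNET.AUTHENTICATION_SERVICES= (NTS)" or "= (NTS, NONE)"
        if ($line -match '^\s*SQLNET\.AUTHENTICATION_SERVICES\s*=\s*\(?\s*([^)#]*)') {
            return ($Matches[1] -split ',' |
                    ForEach-Object { $_.Trim().ToUpper() } |
                    Where-Object { $_ -ne '' })
        }
    }
    return @()
}

function Test-NtsPrerequisites {
    param([string]$SqlnetOra)
    $services = Get-SqlnetAuthServices -SqlnetOra $SqlnetOra
    # On a standalone Windows 2000 / NT 4.0 computer the guide requires this service
    # to be started, otherwise NTS authentication fails.
    $ntlmssp = Get-Service -DisplayName 'NT LM Security Support Provider' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SqlnetOra      = $SqlnetOra
        AuthServices   = ($services -join ',')
        NtsEnabled     = ($services -contains 'NTS')
        NtlmSspRunning = ($null -ne $ntlmssp -and $ntlmssp.Status -eq 'Running')
    }
}

# Both sqlnet.ora files must list nts, so run this on the client and on the database server.
Test-NtsPrerequisites -SqlnetOra "$env:ORACLE_HOME\network\admin\sqlnet.ora" | Format-List
```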
A typical Oracle9i database network includes client computers and database servers, and the computers on this network may run different Oracle software releases on different Windows operating systems in different domains. For example, you may be running an Oracle release 8.0.5 client installed on Windows 95 that connects to an Oracle9i database installed on a Windows NT 4.0 computer that runs in a Windows 2000 domain. Because of this mix of releases, the authentication protocol actually used can vary.
Table 12-1 lists Oracle software and Windows operating system releases required to enable Kerberos as the default authentication protocol:
Table 12-1 Software Requirements to Enable Kerberos Authentication Protocol
| Location | Windows Software | Oracle Software |
|---|---|---|
| Client Computer | Windows NT 4.0 or Windows 2000 | Oracle8i Client or later |
| Database Computer | Windows NT 4.0 or Windows 2000 | Oracle8i Database or later |
| Domain | Windows 2000 | None |
For all other combinations of Windows operating system and Oracle software releases used in your network, the authentication protocol used is NTLM.
See Also: Microsoft Windows documentation for more information on each authentication protocol
This section describes how user login credentials are authenticated and database roles are authorized in Windows NT 4.0 or Windows 2000 domains. User authentication and role authorization are defined in Table 12-2.
Table 12-2 User Authentication and Role Authorization Defined
| Feature | Description | More Information |
|---|---|---|
| User authentication | Process by which the database uses the user's Windows login credentials to authenticate the user. | Oracle9i Database Administrator's Guide |
| Role authorization | Process of granting an assigned set of roles to authenticated users. | Oracle9i Database Administrator's Guide |
Oracle supports user authentication and role authorization in Windows NT 4.0 domains. Table 12-3 provides descriptions of these basic features.
Table 12-3 Basic Features of User Authentication and Role Authorization
| Feature | Description |
|---|---|
| Authentication of external users | Users are authenticated by the database using the user's Windows login credentials, enabling them to access Oracle9i database without being prompted for additional login credentials. |
| Authorization of external roles | Roles are authorized using Windows local groups. Once an external role is created, you can grant or revoke that role to a database user. Initialization parameter OS_ROLES is set to false by default. You must set OS_ROLES to true to authorize external roles. |
For Oracle8i release 8.1.6 or later, enhancements were made to support enterprise user authentication and enterprise role authorization. Enhancements were also made to support Windows native authentication in Windows 2000 domains, and in Active Directory in addition to integration with Oracle Internet Directory. These enhancements are available only if you:
Configure Oracle8i release 8.1.6 or later release to work with Active Directory
Are running Oracle8i Client release 8.1.6 or later and Oracle8i database or later in a Windows 2000 domain
Enterprise user authentication (also called global user authentication) is enabled by setting registry parameter OSAUTH_X509_NAME to true on the computer on which Oracle9i database is running in a Windows 2000 domain. If this parameter is set to false (the default setting) in a Windows 2000 domain, then Oracle9i database authenticates the user as an external user (described in "Enterprise User Authentication"). Setting this parameter to true in a Windows NT 4.0 domain is meaningless and does not enable you to use enterprise users.
See Also: "Enterprise User Authentication" for more information on using registry parameter OSAUTH_X509_NAME
Table 12-4 describes user authentication and role authorization methods to use based on your Oracle9i database environment:
Table 12-4 User Authentication and Role Authorization Methods
| Method | Database Environment |
|---|---|
| Enterprise users and roles | You have many users connecting to multiple databases. Enterprise users have the same identity across multiple databases. Enterprise users require use of a directory server. Use enterprise roles in environments where enterprise users assigned to these roles are located in many geographic regions and must access multiple databases. Each enterprise role can be assigned to more than one enterprise user in the directory. If you do not use enterprise roles, then you have to assign database roles manually to each database user. Enterprise roles require use of a directory server. |
| External users and roles | You have a smaller number of users accessing a limited number of databases. External users must be created individually in each database and do not require use of a directory server. External roles must also be created individually in each database, and do not require use of a directory server. External roles are authorized using group membership of the users in local groups on the system. |
Oracle9i integration with Active Directory enables you to take advantage of operating system user authentication and role authorization. Perform the following tasks to integrate Oracle components with Active Directory:
Task 3: Start and Use Oracle Enterprise Security Manager
Note: Operating system user authentication and role authorization are available only if you are running in a Windows 2000 domain.
Read "Using Enterprise User Security with Microsoft Active Directory" in Oracle Advanced Security Administrator's Guide and Oracle9i Database Installation Guide for Windows for information on pre-installation and configuration issues.
Set registry parameter OSAUTH_X509_NAME to true to enable client users to access Oracle9i database as X.509-compliant enterprise users. Active Directory will then be used to identify the client username and authorize roles. This parameter setting is required only if you want to use enterprise users and roles.
When the parameter is set to false (the default setting), the client user is identified as an external user, and the user's role authorization uses the Oracle9i database data dictionary.
To set registry parameter OSAUTH_X509_NAME:
Go to the computer on which Oracle9i database is installed.
Choose Start > Run.
Enter regedt32 in the Open field, and click OK.
The Registry Editor window appears.
Go to HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE\HOMEID, where ID is the Oracle home that you want to edit.
If registry value OSAUTH_X509_NAME exists, double-click OSAUTH_X509_NAME.
A String Editor dialog appears.
Otherwise, add OSAUTH_X509_NAME as a registry value of type REG_EXPAND_SZ.
Click Enter.
Set the value to true in the String field.
Click OK.
Choose Exit from the Registry menu.
Registry Editor exits.
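The same registry change, scripted in PowerShell so it can be applied and verified consistently, as an added example that is not part of the Oracle guide. It assumes the Oracle home is HOME0 (check HKLM:\SOFTWARE\ORACLE for the correct number) and must be run from an elevated prompt, since it writes under HKEY_LOCAL_MACHINE.

```powershell
# Added example (not from the Oracle guide): set OSAUTH_X509_NAME for one Oracle home.
function Set-OsauthX509Name {
    param(
        [int]$HomeId = 0,                                     # assumption: HOME0
        [ValidateSet('true', 'false')][string]$Value = 'true'  # Oracle stores the literal string
    )
    $key = "HKLM:\SOFTWARE\ORACLE\HOME$HomeId"
    if (-not (Test-Path $key)) { throw "Oracle home key not found: $key" }

    # The guide: true only has an effect when the database computer is in a Windows 2000 domain,
    # so warn when this computer is not a domain member at all.
    if ($Value -eq 'true' -and -not (Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
        Write-Warning 'This computer is not a domain member; OSAUTH_X509_NAME=true will not enable enterprise users.'
    }

    $existing = Get-ItemProperty -Path $key -Name OSAUTH_X509_NAME -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        # Value absent: create it as REG_EXPAND_SZ, as the procedure above specifies
        New-ItemProperty -Path $key -Name OSAUTH_X509_NAME -PropertyType ExpandString -Value $Value | Out-Null
    } else {
        Set-ItemProperty -Path $key -Name OSAUTH_X509_NAME -Value $Value
    }

    # Return the stored value so the change can be verified
    (Get-ItemProperty -Path $key -Name OSAUTH_X509_NAME).OSAUTH_X509_NAME
}

Set-OsauthX509Name -HomeId 0 -Value 'true'
```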
Oracle Enterprise Security Manager is included as an integrated application with Oracle Enterprise Manager. You can use Oracle Enterprise Security Manager to create and manage enterprise users, roles, and domains. You can also use it to assign enterprise users and groups to enterprise roles.
Note: Oracle Enterprise Manager can manage a 64-bit database from a remote 32-bit computer. For more information, see Appendix G, "Oracle9i Database for 64-Bit Windows".
See Also: Oracle Advanced Security Administrator's Guide for information on using Oracle Enterprise Security Manager
The administrator using Oracle Enterprise Security Manager must be a member of security group OracleDBSecurityAdmin. By default, the administrator who created the Oracle Context (that is, configured Oracle9i database to work with a directory server) is a member of this security group. Only members of this security group are authorized to use all features of Oracle Enterprise Security Manager. To add additional users manually, see "Access Control List Management for Oracle Directory Objects" in Oracle Advanced Security Administrator's Guide.
Select Login from the Directory Server main menu to access a dialog for selecting the authentication protocol appropriate to your environment. Choose NT Native Authentication if you are running an Oracle9i database on a Windows NT 4.0 or Windows 2000 computer in a Windows 2000 domain with Active Directory. Oracle Enterprise Security Manager automatically uses Windows native authentication if running in a Windows 2000 domain.
Choose Simple Authentication if the other available selections do not work. Simple authentication can be used with either Oracle Internet Directory or Active Directory, but it is less secure.
For information on the following topics, see "Using Enterprise User Security with Microsoft Active Directory" in Oracle Advanced Security Administrator's Guide:
LDAP and Active Directory Overview
Oracle9i Directory Server Features
Integration with Active Directory
Requirements for Using Oracle9i with Active Directory
Oracle9i Installation and Configuration with Active Directory
Testing Connectivity
Access Control List Management for Oracle Directory Objects
Creating Enterprise Domains
When you install Oracle9i database, a special Windows local group called ORA_DBA is created (if it does not already exist from an earlier Oracle installation), and your Windows username is automatically added to it. Members of local group ORA_DBA automatically receive the SYSDBA privilege.
Membership in ORA_DBA enables you to:
Connect to local Oracle9i databases without a password with the command
CONNECT / AS SYSDBA
Connect to remote Oracle9i databases without a password with the command
CONNECT /@net_service_name AS SYSDBA
where net_service_name is the net service name of the remote Oracle9i database
Perform database administration procedures such as starting and shutting down local databases
Add additional Windows users to ORA_DBA, enabling them to have the SYSDBA privilege
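Because every member of ORA_DBA receives SYSDBA without a password, the group's membership is worth auditing on each database computer. The following PowerShell audit is an added example, not code from the Oracle guide; it assumes the Microsoft.PowerShell.LocalAccounts cmdlets (Windows PowerShell 5.1 or later) are available.

```powershell
# Added example (not from the Oracle guide): report who holds SYSDBA through ORA_DBA membership.
function Get-OraDbaMembers {
    param([string]$Group = 'ORA_DBA')
    if (-not (Get-LocalGroup -Name $Group -ErrorAction SilentlyContinue)) {
        Write-Warning "Local group $Group does not exist on this computer"
        return
    }
    foreach ($m in Get-LocalGroupMember -Group $Group) {
        # A nested group grants SYSDBA to all of its members too, so it needs its own review
        $flag = if ($m.ObjectClass -eq 'Group') { 'nested group: review its members' } else { '' }
        [pscustomobject]@{
            Member     = $m.Name             # COMPUTER\user or DOMAIN\user
            Type       = $m.ObjectClass      # User or Group
            Source     = $m.PrincipalSource  # Local or ActiveDirectory
            ReviewFlag = $flag
        }
    }
}

Get-OraDbaMembers | Format-Table -AutoSize
```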
Copyright © 2003 Oracle Corporation All rights reserved