Oracle9i Network, Directory, and Security Guide Release 1 (9.0.1) for Windows Part Number A90165-01 |
|
This chapter describes authentication of Oracle9i database users with Windows operating systems.
This chapter contains these topics:
The Oracle9i database can use Windows user login credentials to authenticate database users. The benefits include:
The Windows native authentication adapter (automatically installed with Oracle Net Services) enables database user authentication through Windows NT or Windows 2000. This enables client computers to make secure connections to an Oracle9i database on a Windows NT or Windows 2000 server. The server then permits the user to perform the database actions on the server.
Note: This chapter describes using Windows native authentication methods with Windows NT 4.0 and Windows 2000. For information on the Secure Socket Layer (SSL) protocol and Oracle Internet Directory, see Oracle Advanced Security Administrator's Guide and Oracle Internet Directory Administrator's Guide. |
The Windows native authentication adapter works with Windows authentication protocols to enable access to your Oracle9i database.
If the user is logged on as a Windows 2000 domain user from a Windows 2000 computer, then Kerberos is the authentication mechanism used by the NTS adapter.
For all other users (local users, Windows NT 4.0 domain users, Windows 95 users, and Windows 98 users), NTLM is the authentication mechanism used by the NTS adapter.
If the authentication is set to NTS, on a standalone Windows 2000 or Windows NT 4.0 computer, ensure that the Windows Service NT LM Security Support Provider is started. If this service is not started on a standalone Windows 2000 or Windows NT 4.0 computer, NTS authentication fails. This issue is applicable only if you are running Windows 2000 or Windows NT 4.0 in standalone mode.
Client computers do not need to specify an authentication protocol when attempting a connection to an Oracle9i database. Instead, the Oracle9i database determines the protocol to use, completely transparent to the user. The only Oracle requirement is to ensure that SQLNET.AUTHENTICATION_SERVICES
parameter contains nts
in the ORACLE_BASE\ORACLE_HOME\
network\admin\sqlnet.ora
file on both the client and database server (this is the default setting for both after installation). For Oracle8 8.0 releases, you must manually set this value.
An Oracle9i database network typically includes client computers and database servers. The computers on this network may use different Oracle software releases on different Windows operating systems on different domains. For example, you may be running an Oracle release 8.0.5 client installed on Windows 95 that connects to an Oracle9i database installed on a Windows NT 4.0 computer that runs in a Windows 2000 domain. This combination of different releases means that the authentication protocol being used can vary.
Table 1-1 lists the Oracle software and Windows operating system releases required to enable Kerberos as the default authentication protocol:
For The... | This Windows Software is Required... | This Oracle Software is Required... |
---|---|---|
Client Computer |
||
Database Computer |
||
Domain |
For all other combinations of Windows operating system and Oracle software releases used in your network, the authentication protocol used is NTLM.
This section describes how user login credentials are authenticated and database roles are authorized in Windows NT 4.0 or Windows 2000 domains. User authentication and role authorization are defined in Table 1-2.
Feature | Description | More Information |
---|---|---|
User authentication |
The process by which the database uses the user's Windows login credentials to authenticate the user. |
|
Role authorization |
The process of granting an assigned set of roles to authenticated users. |
Oracle supports user authentication and role authorization in Windows NT 4.0 domains. Table 1-3 provides descriptions of these basic features.
Feature | Description |
---|---|
Authentication of external users |
Users are authenticated by the database using the user's Windows login credentials that enable them to access the Oracle database without being prompted for additional login credentials. |
Authorization of external roles |
Roles are authorized using Windows NT local groups. Once an external role is created, you can grant or revoke that role to a database user. The |
For Oracle8i release 8.1.6 or later, enhancements were made to support enterprise user authentication and enterprise role authorization. Enhancements were also made to support Windows native authentication in Windows 2000 domains, and in Active Directory in addition to integration with Oracle Internet Directory. These enhancements are available only if you:
Enterprise user authentication (also called global user authentication) is enabled by setting the OSAUTH_X509_NAME
registry parameter to true
on the computer on which the Oracle9i database is running in a Windows 2000 domain. If this parameter is set to false
(the default setting) in a Windows 2000 domain, then the Oracle9i database authenticates the user as an external user (described in "Enterprise User Authentication"). Setting this parameter to true
in a Windows NT 4.0 domain is meaningless and does not enable you to use enterprise users.
See Also:
"Enterprise User Authentication" for more information on using the |
Table 1-4 describes user authentication and role authorization methods to use based on your Oracle9i database environment:
This integration enables you to take advantage of the user authentication and role authorization. Note that these enhancements are only available if you are running in a Windows 2000 domain. Perform the following tasks to integrate Oracle components with Active Directory.
Read Chapter 4, "Using Oracle9i Directory Server Features with Active Directory" and the Oracle9i Database installation guide for Windows for information on pre-installation and configuration issues.
OSAUTH_X509_NAME
Registry Parameter
Set the OSAUTH_X509_NAME
registry parameter to enable client users to access the Oracle9i database as X.509-compliant enterprise users. This parameter is required only if you want to use enterprise users and roles.
To set the OSAUTH_X509_NAME
registry parameter:
regedt32
in the Open field, and choose OK.
The registry editor window appears.
HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE\HOME
ID
.
where ID
is the Oracle home that you want to edit.
OSAUTH_X509_NAME
exists, double-click OSAUTH_X509_NAME
.
A String Editor dialog box appears.
Otherwise, add OSAUTH_X509_NAME
as a registry value of type REG_EXPAND_SZ
.
true
in the String field.
The registry editor exits.
Use Oracle Enterprise Security Manager to create and manage enterprise users, roles, and domains, and assign enterprise users and groups to enterprise roles.
Oracle Enterprise Security Manager is included as an integrated application with Oracle Enterprise Manager. The subsequent procedures describe Windows-unique features for using Oracle Enterprise Security Manager in a Windows 2000 domain.
See Also:
Oracle Advanced Security Administrator's Guide for information on using the Oracle Enterprise Security Manager |
To use Oracle Enterprise Security Manager:
When you install the Oracle9i database, your Windows username is automatically added to a Windows NT local group called ORA_DBA
. The ORA_DBA
local group is:
SYSDBA
privilege.
This enables you to:
CONNECT / AS SYSDBA
CONNECT /@
net_service_name
AS SYSDBA
where net_service_name
is the net service name of the Oracle9i database to which to connect.
ORA_DBA
, enabling them to have the SYSDBA
privilege, provided you have Administrator privileges
|
Copyright © 1996-2001, Oracle Corporation. All Rights Reserved. |
|