1
Authenticating Database Users with Windows

This chapter describes authentication of Oracle9i database users with Windows operating systems.

This chapter contains these topics:

• Windows Native Authentication Overview

• Windows Authentication Protocols

• User Authentication and Role Authorization Methods

• Automatically Enabling Operating System Authentication During Installation

Windows Native Authentication Overview

The Oracle9i database can use Windows user login credentials to authenticate database users. The benefits include:

• Enabling users to connect to Oracle9i databases without supplying a username or password

• Centralizing Oracle9i database user authentication and role authorization information in Windows NT or Windows 2000, which frees Oracle9i from storing or managing user passwords or role information

The Windows native authentication adapter (automatically installed with Oracle Net Services) enables database user authentication through Windows NT or Windows 2000. This enables client computers to make secure connections to an Oracle9i database on a Windows NT or Windows 2000 server. The server then permits the user to perform the database actions on the server.

Note: This chapter describes using Windows native authentication methods with Windows NT 4.0 and Windows 2000. For information on the Secure Socket Layer (SSL) protocol and Oracle Internet Directory, see Oracle Advanced Security Administrator's Guide and Oracle Internet Directory Administrator's Guide.

Windows Authentication Protocols

The Windows native authentication adapter works with Windows authentication protocols to enable access to your Oracle9i database.

• Kerberos is the default authentication protocol for Windows 2000.

• NT LAN Manager (NTLM) is the default protocol for Windows NT 4.0.

If the user is logged on as a Windows 2000 domain user from a Windows 2000 computer, then Kerberos is the authentication mechanism used by the NTS adapter.

For all other users (local users, Windows NT 4.0 domain users, Windows 95 users, and Windows 98 users), NTLM is the authentication mechanism used by the NTS adapter.

If the authentication is set to NTS, on a standalone Windows 2000 or Windows NT 4.0 computer, ensure that the Windows Service NT LM Security Support Provider is started. If this service is not started on a standalone Windows 2000 or Windows NT 4.0 computer, NTS authentication fails. This issue is applicable only if you are running Windows 2000 or Windows NT 4.0 in standalone mode.

Client computers do not need to specify an authentication protocol when attempting a connection to an Oracle9i database. Instead, the Oracle9i database determines the protocol to use, completely transparent to the user. The only Oracle requirement is to ensure that SQLNET.AUTHENTICATION_SERVICES parameter contains nts in the ORACLE_BASE\ORACLE_HOME\network\admin\sqlnet.ora file on both the client and database server (this is the default setting for both after installation). For Oracle8 8.0 releases, you must manually set this value.

An Oracle9i database network typically includes client computers and database servers. The computers on this network may use different Oracle software releases on different Windows operating systems on different domains. For example, you may be running an Oracle release 8.0.5 client installed on Windows 95 that connects to an Oracle9i database installed on a Windows NT 4.0 computer that runs in a Windows 2000 domain. This combination of different releases means that the authentication protocol being used can vary.

Table 1-1 lists the Oracle software and Windows operating system releases required to enable Kerberos as the default authentication protocol:

Table 1-1 Software Requirements to Enable the Kerberos Authentication Protocol

For The...	This Windows Software is Required...	This Oracle Software is Required...
Client Computer	Windows NT 4.0 Windows 2000	Oracle8i Client or later
Database Computer	Windows NT 4.0 Windows 2000	Oracle8i database or later
Domain	Windows 2000	None

For all other combinations of Windows operating system and Oracle software releases used in your network, the authentication protocol used is NTLM.

See Also: Microsoft Windows documentation for more information on each authentication protocol

User Authentication and Role Authorization Methods

This section describes how user login credentials are authenticated and database roles are authorized in Windows NT 4.0 or Windows 2000 domains. User authentication and role authorization are defined in Table 1-2.

Table 1-2 User Authentication and Role Authorization Defined

Feature	Description	More Information
User authentication	The process by which the database uses the user's Windows login credentials to authenticate the user.	Oracle9i Database Administrator's Guide
Role authorization	The process of granting an assigned set of roles to authenticated users.	Oracle9i Database Administrator's Guide

Oracle supports user authentication and role authorization in Windows NT 4.0 domains. Table 1-3 provides descriptions of these basic features.

Table 1-3 Basic Features of User Authentication and Role Authorization

Feature	Description
Authentication of external users	Users are authenticated by the database using the user's Windows login credentials that enable them to access the Oracle database without being prompted for additional login credentials.
Authorization of external roles	Roles are authorized using Windows NT local groups. Once an external role is created, you can grant or revoke that role to a database user. The init.ora parameter OS_ROLES is set to false by default. You must set OS_ROLES to true to authorize external roles.

For Oracle8i release 8.1.6 or later, enhancements were made to support enterprise user authentication and enterprise role authorization. Enhancements were also made to support Windows native authentication in Windows 2000 domains, and in Active Directory in addition to integration with Oracle Internet Directory. These enhancements are available only if you:

• Configure Oracle8i release 8.1.6 or later release to work with Active Directory

• Are running Oracle8i Client release 8.1.6 or later and Oracle8i database or later in a Windows 2000 domain

Enterprise user authentication (also called global user authentication) is enabled by setting the OSAUTH_X509_NAME registry parameter to true on the computer on which the Oracle9i database is running in a Windows 2000 domain. If this parameter is set to false (the default setting) in a Windows 2000 domain, then the Oracle9i database authenticates the user as an external user (described in "Enterprise User Authentication"). Setting this parameter to true in a Windows NT 4.0 domain is meaningless and does not enable you to use enterprise users.

See Also: "Enterprise User Authentication" for more information on using the OSAUTH_X509_NAME registry parameter.

Authentication and Authorization Methods To Use

Table 1-4 describes user authentication and role authorization methods to use based on your Oracle9i database environment:

Table 1-4 User Authentication and Role Authorization Methods

Use...	When...
Enterprise users and roles	You have many users connecting to multiple databases. Enterprise users have the same identity across multiple databases. Enterprise users require the use of a directory server. Use enterprise roles in environments where enterprise users assigned to these roles are located in many geographic regions and must access multiple databases. Each enterprise role can be assigned to more than one enterprise user in the directory. If you do not use enterprise roles, then you have to assign database roles manually to each database user. Enterprise roles require the use of a directory server.
External users and roles	You have a smaller number of users accessing a limited number of databases. External users must be created individually in each database, and do not require the use of a directory server. External roles must also be created individually in each database, and do not require the use of a directory server. External roles are authorized using group membership of the users in the local groups on the system.

Oracle9i Integration with Active Directory

This integration enables you to take advantage of the user authentication and role authorization. Note that these enhancements are only available if you are running in a Windows 2000 domain. Perform the following tasks to integrate Oracle components with Active Directory.

• Task 1: Install and Configure Components

• Task 2: Set the OSAUTH_X509_NAME Registry Parameter

• Task 3: Start and Use Oracle Enterprise Security Manager

Task 1: Install and Configure Components

Read Chapter 4, "Using Oracle9i Directory Server Features with Active Directory" and the Oracle9i Database installation guide for Windows for information on pre-installation and configuration issues.

Task 2: Set the OSAUTH_X509_NAME Registry Parameter

Set the OSAUTH_X509_NAME registry parameter to enable client users to access the Oracle9i database as X.509-compliant enterprise users. This parameter is required only if you want to use enterprise users and roles.

Set This Parameter On...

Description

An Oracle9i database computer running in a Windows 2000 domain

When set to true, this parameter enables a client username to be identified as an X.509-compliant enterprise username when connecting to an Oracle9i database through Active Directory. A user's role authorization is done using Active Directory. When set to false (the default setting), the client user is identified as an external user and a user's role authorization is done using the Oracle9i database data dictionary.

To set the OSAUTH_X509_NAME registry parameter:

1. Go to the computer on which the Oracle9i database is installed.

2. Choose Start > Run.

3. Enter regedt32 in the Open field, and choose OK.

   The registry editor window appears.

4. Go to HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE\HOMEID.

   where ID is the Oracle home that you want to edit.

5. If the registry value OSAUTH_X509_NAME exists, double-click OSAUTH_X509_NAME.

   A String Editor dialog box appears.

   Otherwise, add OSAUTH_X509_NAME as a registry value of type REG_EXPAND_SZ.

6. Choose Enter.

7. Set the value to true in the String field.

8. Choose OK.

9. Choose Exit from the Registry menu.

   The registry editor exits.

Task 3: Start and Use Oracle Enterprise Security Manager

Use Oracle Enterprise Security Manager to create and manage enterprise users, roles, and domains, and assign enterprise users and groups to enterprise roles.

Oracle Enterprise Security Manager is included as an integrated application with Oracle Enterprise Manager. The subsequent procedures describe Windows-unique features for using Oracle Enterprise Security Manager in a Windows 2000 domain.

See Also: Oracle Advanced Security Administrator's Guide for information on using the Oracle Enterprise Security Manager

To use Oracle Enterprise Security Manager:

1. Choose Start > Programs > Oracle - HOME NAME > Configuration and Migration Tools > Enterprise Security Manager.

2. Use the online help and instructions in Oracle Advanced Security Administrator's Guide to use this tool.

3. Review the following issues for using Active Directory.
   • The administrator using Oracle Enterprise Security Manager must be a member of the security group OracleDBSecurityAdmin. By default, the administrator who created the Oracle Context (that is, configured the Oracle9i database to work with a directory server) is a member of this security group. Only members of this security group are authorized to use all features of Oracle Enterprise Security Manager. To manually add additional users, see "Access Control List Management for Oracle Directory Objects" for information.

   • Select Login from the Directory Server main menu to access a dialog box for selecting the authentication protocol appropriate to your environment:

     Select...	If...
     NT Native Authentication	Running an Oracle9i database on a Windows NT 4.0 or Windows 2000 computer in a Windows 2000 domain with Active Directory. Oracle Enterprise Security Manager automatically uses Windows native authentication if running in a Windows 2000 domain.
     Simple Authentication	The other available selections do not work. Simple authentication can be used with either Oracle Internet Directory or Active Directory, but is also less secure.

Automatically Enabling Operating System Authentication During Installation

When you install the Oracle9i database, your Windows username is automatically added to a Windows NT local group called ORA_DBA. The ORA_DBA local group is:

• Automatically created when the Oracle9i database is installed.

• A special Windows NT local group whose members automatically receive the SYSDBA privilege.

This enables you to:

• Connect to any local Oracle9i databases without a password by issuing commands such as the following:

  CONNECT / AS SYSDBA

• Connect to remote Oracle9i databases without a password by issuing a command such as the following:

  CONNECT /@net_service_name AS SYSDBA

  where net_service_name is the net service name of the Oracle9i database to which to connect.

• Perform local or remote database administration procedures such as starting and shutting down local databases

• Add additional Windows NT users to ORA_DBA, enabling them to have the SYSDBA privilege, provided you have Administrator privileges