Oracle® Database Platform Guide 10g Release 1 (10.1) for Windows Part Number B10113-02 |
|
|
View PDF |
This chapter describes authentication of Oracle Database users with Windows operating systems.
This chapter contains these topics:
Oracle Database can use Windows user login credentials to authenticate database users. Benefits include:
Enabling users to connect to Oracle Database without supplying a username or password
Centralizing Oracle Database user authentication and role authorization information in Windows NT or Windows 2000, which frees Oracle Database from storing or managing user passwords or role information
The Windows native authentication adapter (automatically installed with Oracle Net Services) enables database user authentication through Windows. This enables client computers to make secure connections to Oracle Database on a Windows server. The server then permits the user to perform database actions on the server.
Note: Current user database links are not supported with Windows native authentication. |
Note: This chapter describes using Windows native authentication methods with Windows 2000 and Windows NT 4.0. For information on Secure Sockets Layer (SSL) protocol and Oracle Internet Directory, see Oracle Advanced Security Administrator's Guide and Oracle Internet Directory Administrator's Guide. |
The Windows native authentication adapter works with Windows authentication protocols to enable access to Oracle Database.
Kerberos is the default authentication protocol for Windows 2000.
NT LAN Manager (NTLM) is the default protocol for Windows NT 4.0.
If the user is logged on as a Windows 2000 domain user from a Windows 2000 computer, then Kerberos is the authentication mechanism used by the NTS adapter.
For all other users, NTLM is the authentication mechanism used by the NTS adapter.
If authentication is set to NTS on a standalone Windows 2000 or Windows NT 4.0 computer, ensure that Windows service NT LM Security Support Provider is started. If this service is not started on a standalone Windows 2000 or Windows NT 4.0 computer, then NTS authentication fails. This issue is applicable only if you are running Windows 2000 or Windows NT 4.0 in standalone mode.
Client computers do not need to specify an authentication protocol when attempting a connection to Oracle Database. Instead, Oracle Database determines the protocol to use, completely transparent to the user. The only Oracle Database requirement is to ensure that parameter SQLNET.AUTHENTICATION_SERVICES
contains nts
in the following file on both the client and database server:
ORACLE_BASE\ORACLE_HOME\network\admin\sqlnet.ora
This is the default setting for both after installation. For Oracle8 release 8.0.x releases, you must manually set this value.
If typical, your Oracle Database network includes client computers and database servers, and computers on this network may use different Oracle Database software releases on different Windows operating systems on different domains. This combination of different releases means that the authentication protocol being used can vary.
Table 8-1 lists Oracle Database software and Windows operating system releases required to enable Kerberos as the default authentication protocol:
Table 8-1 Software Requirements to Enable Kerberos Authentication Protocol
Location | Windows Software | Oracle Database Software |
---|---|---|
Client Computer | Windows NT 4.0 or Windows 2000 | Oracle8i Client or later |
Database Computer | Windows NT 4.0 or Windows 2000 | Oracle8i Database or later |
Domain | Windows 2000 | None |
For all other combinations of Windows operating system and Oracle Database software releases used in your network, the authentication protocol used is NTLM.
See Also: Your operating system documentation for more information on each authentication protocol |
This section describes how user login credentials are authenticated and database roles are authorized in Windows NT 4.0 or Windows 2000 domains. User authentication and role authorization are defined in Table 8-2.
Table 8-2 User Authentication and Role Authorization Defined
Feature | Description | More Information |
---|---|---|
User authentication | Process by which the database uses the user's Windows login credentials to authenticate the user. | Oracle Database 2 Day DBA |
Role authorization | Process of granting an assigned set of roles to authenticated users. | Oracle Database 2 Day DBA |
Oracle Database supports user authentication and role authorization in Windows NT 4.0 domains. Table 8-3 provides descriptions of these basic features.
Table 8-3 Basic Features of User Authentication and Role Authorization
Feature | Description |
---|---|
Authentication of external users |
Users are authenticated by the database using the user's Windows login credentials enabling them to access Oracle Database without being prompted for additional login credentials. |
Authorization of external roles |
Roles are authorized using Windows local groups. Once an external role is created, you can grant or revoke that role to a database user. Initialization parameter |
Table 12–4 describes user authentication and role authorization methods to use based on your Oracle Database environment:
Table 8-4 User Authentication and Role Authorization Methods
Method | Database Environment |
---|---|
Enterprise users and roles |
You have many users connecting to multiple databases. Enterprise users have the same identity across multiple databases. Enterprise users require use of a directory server. Use enterprise roles in environments where enterprise users assigned to these roles are located in many geographic regions and must access multiple databases. Each enterprise role can be assigned to more than one enterprise user in the directory. If you do not use enterprise roles, then you have to assign database roles manually to each database user. Enterprise roles require use of a directory server. |
External users and roles |
You have a smaller number of users accessing a limited number of databases. External users must be created individually in each database and do not require use of a directory server. External roles must also be created individually in each database, and do not require use of a directory server. External roles are authorized using group membership of the users in local groups on the system. |
See Also: Oracle Advanced Security Administrator's Guide for more information on Enterprise users and roles |
When you install Oracle Database, a special Windows local group called ORA_DBA
is created (if it does not already exist from an earlier Oracle Database installation), and your Windows username is automatically added to it. Members of local group ORA_DBA
automatically receive the SYSDBA privilege.
Membership in ORA_DBA
enables you to:
Connect to local Oracle Database servers without a password with the command
CONNECT / AS SYSDBA
Connect to remote Oracle Database servers without a password with the command
CONNECT /@net_service_name AS SYSDBA
where net_service_name
is the net service name of the remote Oracle Database server
Perform database administration procedures such as starting and shutting down local databases
Add additional Windows users to ORA_DBA
, enabling them to have the SYSDBA
privilege