Windows Native Authentication

From: Niels Jespersen <NJN_at_dst.dk>
Date: Tue, 8 Mar 2016 11:25:30 +0000
Message-ID: <3967181ED595B445B1E39718204FD4BD9F71FF79_at_SRVEXC5.dst.local>



I have the following:

Oracle Database 12.1.0.2.10 EE on Windows Server 2012. Oracle Services runs as a domain user in a Windows 2008 domain.

On the client Windows Server (app-server in the same domain) runs an application via terminal services. This uses Oracle 11.2 64-bit client. Sqlnet.ora in both ends has SQLNET.AUTHENTICATION_SERVICES=(NTS) in them. Users are in the database as identified externally.

Under normal circumstances (when they are logged on to the server using terminal services), this works great. Osuser shows up in v$session as expected. Users log in equivalent to sqlplus /@db.

But the application has a mode where an app-client connects to the app-server using a private protocol. On the app-server it Windows-impersonates the end-user. In this case native Windows Authentication fails. If you log in authenticated by database, then osuser in v$session is ANONYMOUS LOGON.

This I could understand if the authentication protocol were NTLM (which does not support impersonation). But I think the authentication protocol should be Kerberos, especially since according to the Windows Platform Guide:

"Starting with Oracle Database 12c Release 1 (12.1), the NTS authentication adapter no longer supports the use of NTLM to authenticate Windows domain users. Thus the NTS cannot be used to authenticate users in old Windows NT domains or domains with old Windows NT domain controllers. However, local connections and Oracle Database services running as a Windows Local User continues to be authenticated using NTLM."

If I run a homemade program to print the fields of System.Security.Principal.WindowsIdentity, they look exactly the same in the working and non-working cases:

User name: DOMAINXX\yyy
Authentication type: Kerberos
IsAuthenticated: True
IsSystem: False
Owner: S-1-5-21-2031436270-1089497111-1341851473-23095
User: S-1-5-21-2031436270-1089497111-1341851473-23095
RoleClaimType: http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
NameClaimType: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
IsGuest: False
IsAnonymous: False
Label:
ImpersonationLevel: None

Is my thinking off? Any thoughts?

Regards Niels

--
http://www.freelists.org/webpage/oracle-l
Received on Tue Mar 08 2016 - 12:25:30 CET
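A diagnostic query for the symptom described in the post, added here as an example and not part of the original message. It assumes SELECT access to V$SESSION and DBA_USERS on the 12.1 database and flags sessions where an externally identified user did not arrive through OS (NTS) authentication, or where the OS user came in as ANONYMOUS LOGON, which is what the impersonated connections showed.

```sql
-- Added example (not from the post). Run as a user with SELECT on V$SESSION
-- and DBA_USERS. Shows, per session, how the user was identified in the
-- dictionary versus how the session actually authenticated, and flags the
-- two states discussed above.
SELECT s.sid,
       s.serial#,
       s.username,
       s.osuser,
       s.machine,
       s.program,
       u.authentication_type AS user_identified_as,   -- EXTERNAL / PASSWORD / GLOBAL
       s.authentication_type AS session_auth,         -- OS / DATABASE / NETWORK / PROXY
       CASE
         WHEN s.osuser = 'ANONYMOUS LOGON'
           THEN 'OS user lost: impersonated token did not carry through NTS'
         WHEN u.authentication_type = 'EXTERNAL'
          AND s.authentication_type <> 'OS'
           THEN 'externally identified user not authenticated by OS'
         ELSE 'ok'
       END AS finding
FROM   v$session s
JOIN   dba_users u ON u.username = s.username
WHERE  s.type = 'USER'
ORDER  BY finding, s.osuser, s.sid;

-- The same information for the current session only, useful from the
-- terminal-services login versus the impersonating app-server process.
SELECT sys_context('USERENV', 'SESSION_USER')          AS session_user,
       sys_context('USERENV', 'OS_USER')               AS os_user,
       sys_context('USERENV', 'AUTHENTICATION_METHOD') AS auth_method,
       sys_context('USERENV', 'IDENTIFICATION_TYPE')   AS ident_type,
       sys_context('USERENV', 'NETWORK_PROTOCOL')      AS protocol
FROM   dual;
```

Rows reporting 'OS user lost' correspond to the impersonated connections in the post; a session whose user is EXTERNAL but whose session_auth is DATABASE is one that fell back to a password login.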
