RE: Question about single-sign-on products

From: Noveljic Nenad <nenad.noveljic_at_vontobel.com>
Date: Mon, 5 Feb 2018 10:38:13 +0000
Message-ID: <18595_1517827102_5A78341E_18595_216_1_ECDEF0CC6716EC4596FCBC871F48292AB1950E28_at_ZRH-S231>



Good point with regard to kvno.

What I mean by that is, in large organizations DBAs typically don’t have any control over issuing keytabs. In addition, kvno is handled entirely transparently in the Windows world, so the AD administrators usually don’t pay attention to it. At least, this was the case in our organization.

Luckily, sqlnet trace will show the discrepancy between AD and keytab kvno:

nauk5y2_kt_get_entry: Searching for keytype=23 ,kvno=0;Current keytype=23,kvno=2

Nenad

http://nenadnoveljic.com/blog/

From: Patrick Jolliffe [mailto:jolliffe_at_gmail.com]
Sent: Sunday, 4 February 2018 09:42
To: sacrophyte_at_gmail.com; Jeff Chirco
Cc: ORACLE-L; Noveljic Nenad
Subject: Re: Question about single-sign-on products

Late to this, but +1 for what Noveljic has said. I've just finished rolling out Windows Single Sign on to all our databases without too many hiccups. Our databases are a mix of 11.2, 12.1 running on AIX and Linux. Using Kerberos authentication, there's no need for any additional products or licensing costs to Oracle. It works really neatly in combination with Proxy Authentication as well. I haven't really blogged about this (yet); there's a few resources scattered around the internet. A few gotchas:

- Use KERBEROS5PRE instead of KERBEROS5; the latter has some bugs still not fixed in 12.2.
- Be careful when generating multiple keytabs against one service account that you don't increment kvno and invalidate previous keytabs.

Let me know if you have any issues, I may well have hit them already :)

Regards
Patrick
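Both the discrepancy Nenad reads out of the sqlnet trace above and Patrick's second gotcha come down to one check: does the kvno stored in the keytab on the database host still match the kvno the KDC holds for the service account? In Active Directory that is the msDS-KeyVersionNumber attribute, which increments on every password reset of the account, including the one ktpass performs, so a second ktpass run silently invalidates the keytab cut before it. The following is an added example, not code from this thread or from Oracle: it parses a keytab in the standard MIT layout (version 0x0502, which is also what ktpass writes) without ever copying the key bytes out, compares the kvno it finds against a kvno taken from the KDC, and extracts the two kvno values from a trace line of the shape quoted above. The keytab bytes, the principal oracle/dbhost.example.com@EXAMPLE.COM, the timestamp and the AD kvno of 3 are constructed for illustration.

```python
"""Check a keytab's kvno against the kvno the KDC currently holds.

Added example for this thread, not Oracle's or the posters' code. The keytab
bytes, principal and KDC kvno are constructed test data. Assumes the standard
MIT keytab layout (version 0x0502), which is what ktpass writes.
"""
import re
import struct

KEYTAB_MAGIC = b"\x05\x02"

# sqlnet trace line of the shape quoted in the thread
TRACE_RE = re.compile(r"Searching for keytype=(\d+)\s*,\s*kvno=(\d+);"
                      r"Current keytype=(\d+)\s*,\s*kvno=(\d+)")


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples as an MIT v2 keytab.
    Used only to construct sample input; the keys are dummy bytes."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">I", 1)            # name_type KRB5_NT_PRINCIPAL
        body += struct.pack(">I", 1517827102)   # entry timestamp (constructed)
        body += struct.pack(">B", kvno & 0xFF)  # legacy 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)         # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return one dict per entry (principal, enctype, kvno, timestamp).
    Key material is skipped, never copied, so the result is safe to log."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 MIT keytab")

    def counted(p):  # uint16 length-prefixed string
        (n,) = struct.unpack_from(">H", data, p)
        return data[p + 2:p + 2 + n].decode(), p + 2 + n

    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:            # hole left by a deleted entry (ktutil delent)
            pos += -size
            continue
        end, p = pos + size, pos
        (ncomp,) = struct.unpack_from(">H", data, p)
        realm, p = counted(p + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = counted(p)
            comps.append(comp)
        p += 4                                  # name_type
        (ts,) = struct.unpack_from(">I", data, p)
        kvno, p = data[p + 4], p + 5            # 8-bit vno
        enctype, klen = struct.unpack_from(">HH", data, p)
        p += 4 + klen                           # skip the secret key bytes
        if end - p >= 4:                        # 32-bit vno, if present
            (vno32,) = struct.unpack_from(">I", data, p)
            kvno = vno32 or kvno
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "enctype": enctype, "kvno": kvno, "timestamp": ts})
        pos = end
    return entries


def parse_trace_line(line):
    """(keytype, kvno) the adapter searched for, and the one it found."""
    m = TRACE_RE.search(line)
    if not m:
        return None
    return {"wanted": (int(m[1]), int(m[2])), "found": (int(m[3]), int(m[4]))}


def check_kvno(entries, principal, enctype, kdc_kvno):
    """(ok, keytab_kvno): ok only if the newest key for principal/enctype in
    the keytab carries the kvno the KDC currently reports."""
    matches = [e for e in entries
               if e["principal"] == principal and e["enctype"] == enctype]
    if not matches:
        return False, None
    newest = max(matches, key=lambda e: e["kvno"])
    return newest["kvno"] == kdc_kvno, newest["kvno"]


# Constructed sample: keytab cut at kvno 2, then ktpass was run again, so AD
# now reports msDS-KeyVersionNumber = 3. Enctype 23 is RC4-HMAC.
SERVICE = "oracle/dbhost.example.com@EXAMPLE.COM"
SAMPLE_KEYTAB = build_keytab([(SERVICE, 2, 23, b"\x00" * 16)])
# Same keytab after an older entry was deleted: a 5-byte negative-size hole.
SAMPLE_KEYTAB_WITH_HOLE = (KEYTAB_MAGIC + struct.pack(">i", -5)
                           + b"\x00" * 5 + SAMPLE_KEYTAB[2:])
AD_KVNO = 3
SAMPLE_TRACE = ("nauk5y2_kt_get_entry: Searching for keytype=23 ,kvno=0;"
                "Current keytype=23,kvno=2")

if __name__ == "__main__":
    ok, have = check_kvno(parse_keytab(SAMPLE_KEYTAB), SERVICE, 23, AD_KVNO)
    print("keytab kvno", have, "KDC kvno", AD_KVNO, "->", "OK" if ok else "STALE")
    print(parse_trace_line(SAMPLE_TRACE))
```

On a real host the live inputs are the keytab file itself (or the output of `klist -k -t -e` on MIT-style installs) and, on the AD side, `Get-ADUser <account> -Properties msDS-KeyVersionNumber`; the enctype in the keytab entry must also be one the account is allowed to use, which is why the check keys on principal and enctype together rather than on principal alone.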

On 1 February 2018 at 23:44, Noveljic Nenad <nenad.noveljic_at_vontobel.com> wrote:

Actually, we’re on Solaris x86.

My teammate Balazs Berki documented the solutions for the issues we had hit when setting up the Kerberos AD authentication with Oracle databases in the following blog post: http://balazsberki.com/2016/08/oracle-single-sign-on-with-kerberos-pitfalls/ .

And yes, we got it working.

The feature has proven to be invaluable in an Oracle shop like ours with hundreds of databases that get duplicated around, 30-day password expiry policies and many people connecting to them with developer tools.

Nenad

http://nenadnoveljic.com/blog/

From: Jeff Chirco [mailto:backseatdba_at_gmail.com]
Sent: Thursday, 1 February 2018 16:25
To: Noveljic Nenad; ORACLE-L
Subject: Re: Question about single-sign-on products

Hi Noveljic, wow, did you get AD authentication to work? Do you have notes you could share? Also, is your DB server on Windows or Linux? Thanks

On Thu, Feb 1, 2018 at 6:34 AM, Noveljic Nenad <nenad.noveljic_at_vontobel.com> wrote:

I can confirm that the Kerberos authentication with Active Directory is working smoothly, though we had hit some issues when setting it up initially that were resolved by installing some additional Oracle patches. Our main goal was to get rid of the cumbersome database password authentication for developers. The upside is that you don’t need any additional Oracle products for that. On the downside, the roles still have to be managed within each individual database separately.

Nenad

http://nenadnoveljic.com/blog/

From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Niall Litchfield
Sent: Thursday, 1 February 2018 10:29
To: Charles Schultz
Cc: ORACLE-L
Subject: Re: Question about single-sign-on products

We are in the process of implementing Enterprise User Security (https://docs.oracle.com/database/121/DBIMI/toc.htm) where the authentication is done via the Kerberos tickets you get at Windows logon. That requires a purchase of Directory Services Plus licenses (if you don't already have them or OID licenses). It no longer requires the Advanced Security Option though. Engineering the solution was relatively straightforward once you get your head around the moving parts. The biggest challenge is the need to understand the new security model and to determine the best roles and groups etc. for your users. It would also be possible to merely use Kerberos or SSL authentication as strong authentication (https://docs.oracle.com/database/121/DBSEG/strong_auth.htm#DBSEG491) (and SSO) for your individual database users.

On Wed, Jan 31, 2018 at 7:14 PM, Charles Schultz <sacrophyte_at_gmail.com> wrote:

Good day,

Just putting out feelers to see what experiences folks have had with various single-sign-on packages. We have a mix of Oracle and MS SQL Server, and use Active Directory a bit for the MS stuff.

Thanks in advance,

--
Charles Schultz

--
Niall Litchfield
Oracle DBA
http://www.orawin.info




Important Notice
This message is intended only for the individual named. It may contain confidential or privileged information. If you are not the named addressee you should in particular not disseminate, distribute, modify or copy this e-mail. Please notify the sender immediately by e-mail, if you have received this message by mistake and delete it from your system. E-mail transmission may not be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete. Also processing of incoming e-mails cannot be guaranteed. All liability of the Vontobel Group and its affiliates for any damages resulting from e-mail use is excluded. You are advised that urgent and time sensitive messages should not be sent by e-mail and if verification is required please request a printed version.


--
http://www.freelists.org/webpage/oracle-l
Received on Mon Feb 05 2018 - 11:38:13 CET