The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
Oracle Database Integration with Active Directory and Windows Security
Christian Shay, Principal Product Manager, Windows Technologies, Oracle USA
Agenda
- Database Registration and Name Resolution
- Single Sign-On
- Windows Native Authentication
- Kerberos
- Security Integration for .NET Applications
- Enterprise User Security and Virtual Directory
Database Registration and Name Resolution: Overview
- Store and resolve Net names through Active Directory
- Eliminate tnsnames.ora on clients
- Centralize configuration, reduce administration
- Authenticated connection to Active Directory (11g): AD no longer needs to allow anonymous access
- Enhanced tools support for storing Net naming: AD Users and Computers; Oracle DB Configuration Assistant, Net Configuration Assistant and Net Manager
Database Registration and Name Resolution: Platform Support

Client OS   | Server OS | AD  | OID | Comments
Windows     | Any       | Yes |     | Tools for registering Net Service in AD must be run on Windows
Linux/Unix  |           | No  |     | AD integration solutions can help
Database Registration and Name Resolution: Configuration/Administration
1. Ensure that Administrator can modify Schema in Active Directory
2. Register Schema using NetCA
3. Create Naming Context using NetCA
4. Register database in AD using DBCA or Net Manager
5. Configure Directory Naming and Directory Usage (AD) using NetCA
[Diagram: Windows environment and client systems registering with Active Directory, which acts as the repository of database names and connect descriptors]
Database Registration and Name Resolution: Run-time
1. User signs on to desktop
2. User issues connect request (any platform)
3. Client retrieves connect descriptor from Active Directory (repository of database names and connect descriptors)
4. Client connects to Oracle Database using the connect descriptor
Database Registration and Name Resolution: Demo Environment
- Client: machine name xpclient.adnet.dev, Windows XP SP2, user: oracle
- Database server / domain controller: machine name w2k3s.adnet.dev, Windows Server EE SP1, domain adnet.dev, database orcl
- Tools installed:
  - Support Tools (under Support directory on CD); ADSI Edit is part of it
  - Admin Tools (under i386 directory on CD): AD Users & Computers, etc.
  (These are available on Windows 2003 media.)
DEMONSTRATION: Database Registration and Name Resolution
Database Registration and Name Resolution: Summary
- Ensure that Administrator can modify Schema in Active Directory
- Register Schema using NetCA (one time for the entire AD forest)
- Create Naming Context using NetCA (once per domain)
- Register Database in AD using DBCA or Net Manager
- Configure Directory Naming and Directory Usage (AD) using NetCA (on systems that want to use AD)
- Set NAMES.LDAP_AUTHENTICATE_BIND=Yes in SQLNET.ORA on all 11g client systems
- To support pre-11g clients:
  - Enable anonymous bind in AD
  - Change ACLs for Oracle Naming Context and Database/Net Services objects to allow anonymous access
- Please refer to the white paper "Configuring Microsoft Active Directory for Net Naming" for detailed information
Single Sign-On: Authentication Options

Windows Native Authentication (client OS: Windows)
- Included and configured in all DB editions
- MS KDC is used implicitly
- Uses External Users mechanism
- Enterprise User Security not supported
- Direct support of Windows group membership for role authorization

Kerberos (client OS: any)
- EE and ASO option needed
- MS KDC is supported
- Uses External Users mechanism (by default)
- Enterprise User Security supported
- EUS and AD integration solutions needed to support authorization through Windows group membership
Windows Native Authentication: Basics
- All of this is preconfigured; we use it internally
- ORA_DBA: all members get SYSDBA privileges
- ORA_OPER: all members get SYSOPER privileges
- ORA_ORCL_DBA: ... get SYSDBA on ORCL only
- For any other Windows user, an external user needs to be created in the Oracle DB:
  create user "Sales\frank" identified externally;
- Windows groups can be used to assign roles (if os_roles is true):
  create role sales identified externally;
  The corresponding Windows group for a database with SID orcl is ORA_orcl_sales_d if this should be a default role
- If Oracle Administration Assistant is used, it makes the appropriate changes in AD and the Database
Windows Native Authentication
- Enabled by default and can work across systems
- Windows user logon credentials used for database authentication
- Authentication protocol (Kerberos or NTLM) negotiated based on OS and Domain Controller
- Authorization can be granted through Windows group membership
- Pre-defined Windows groups for DBAs and Operators
- Uses Oracle External Users and External Roles mechanisms
- Oracle Administration Assistant can be used to manage user authentication and role authorization
- This feature is completely independent of the Database Registration and Name Resolution feature
Windows Native Authentication: Flow
1. User signs on to desktop
2. User attempts to sign on to Oracle
3. Client and server negotiate security protocol and exchange security tokens (Active Directory/KDC)
4. Identify as a specific External User
5. Find Windows Group memberships (if os_roles is true)
6. Assign roles based on database roles or group memberships (based on os_roles)
Windows Native Authentication: Configuration
- Set os_authent_prefix to "" (null) in init.ora; by default it is set to OPS$ (for backward compatibility)
- Ensure that sqlnet.authentication_services is set to NTS in sqlnet.ora (default set up)
- DO NOT:
  - Set remote_os_authent in init.ora (default value false is correct)
  - Set os_auth_prefix_domain in Registry (default value true is correct)
- Set os_roles to true in init.ora if you want to use Windows Group Membership for role authorization
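The basics and configuration steps above, worked through as an added SQL example (not code from the deck): it checks the init.ora parameters the slides call out, creates a Windows domain user as an external user, and backs a role with a Windows group using the ORA_<SID>_<role>[_D] naming convention. The SID orcl, domain user SALES\FRANK, role sales and the object hr.employees are constructed for the example.

```sql
-- Added example, not from the deck. Database SID is assumed to be orcl.

-- 1. Verify the instance parameters the deck calls out before creating users.
--    Expected: os_authent_prefix = '' (not the default OPS$),
--    remote_os_authent = FALSE, os_roles = TRUE only if Windows group
--    membership should drive role authorization.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('os_authent_prefix', 'remote_os_authent', 'os_roles');

-- 2. External user for a Windows domain account. With os_authent_prefix = ''
--    nothing is prepended, so the database name is exactly DOMAIN\USER
--    (upper case, as in Oracle's Windows documentation). Use plain double
--    quotes: typographic quotes make the statement fail.
CREATE USER "SALES\FRANK" IDENTIFIED EXTERNALLY;
GRANT CREATE SESSION TO "SALES\FRANK";

-- 3. Role authorized through Windows group membership (needs os_roles = TRUE).
--    Matching Windows group names for SID orcl:
--      ORA_orcl_sales    - role granted, not as a default role
--      ORA_orcl_sales_d  - role granted as a default role (the deck's case)
--    With os_roles = TRUE the OS manages role grants, so a database-side
--    GRANT sales TO "SALES\FRANK" does not take effect at logon.
CREATE ROLE sales IDENTIFIED EXTERNALLY;
GRANT SELECT ON hr.employees TO sales;   -- hr.employees: constructed object

-- 4. After logging on as the Windows user, confirm that the session was
--    OS-authenticated and see which roles the group membership enabled.
SELECT SYS_CONTEXT('USERENV', 'AUTHENTICATION_METHOD') AS auth_method,
       SYS_CONTEXT('USERENV', 'OS_USER')               AS os_user
  FROM dual;
SELECT role FROM session_roles;
```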
DEMONSTRATION: Windows Native Authentication
Kerberos Authentication
- Integrated with Microsoft Key Distribution Center (MS KDC)
- Supports heterogeneous systems: a Windows client can connect to a non-Windows server and vice versa
- Uses External User mechanisms in the Database
- Can also be supported with Enterprise User Security
- EE and ASO (Advanced Security Option) feature
Kerberos Enhancements in 11g
- Stronger encryption algorithms (DES3, AES, RC4)
- Supports the default encryption type supported by the MS KDC; encryption type configuration no longer needed in the Registry
- Uses the DNS Domain Name as the Kerberos REALM name by default; mapping between DNS Domain Name and Kerberos REALM name no longer needed in the Kerberos config file
- Kerberos authentication to Oracle database in a MS cross-domain setup
- Removal of the 30 character limit on the Kerberos user name
Kerberos Authentication: Configuration
- Create Kerberos and sqlnet configuration files on clients and servers using Oracle Net Manager
- Create users in Active Directory for Client and Database Server (for non-Windows clients or servers)
- Use the ktpass utility to create the keytab file and copy it to the DB server node
- Obtain an initial ticket for the Kerberos user
- Set os_authent_prefix to "" in init.ora
- DO NOT:
  - Set remote_os_authent in init.ora (default value FALSE is correct)
Kerberos Authentication: Flow
1. User signs on to desktop (MS KDC)
2. User attempts to sign on to Oracle Database
3. Identify as a specific External User and assign database roles accordingly
Example:
  SQL> CREATE USER KRBUSER IDENTIFIED EXTERNALLY AS
  SQL> Grant connect, resource to KRBUSER;
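The external-user mapping for Kerberos, as an added SQL example rather than the deck's own snippet: it ties a Kerberos principal to a database user and shows the checks an administrator would run on the mapping and on a live session. The principal krbuser is constructed; ADNET.DEV is the deck's demo domain written as a realm (the 11g default maps the DNS domain name to the REALM).

```sql
-- Added example, not from the deck. Realm ADNET.DEV derived from the demo
-- domain adnet.dev; principal krbuser is constructed.

-- Pre-check: the Kerberos path relies on the same init.ora settings as
-- Windows Native Authentication (os_authent_prefix = '', remote_os_authent = FALSE).
SELECT name, value
  FROM v$parameter
 WHERE name IN ('os_authent_prefix', 'remote_os_authent');

-- The external name is the full Kerberos principal; the realm is upper case.
-- 11g no longer limits this name to 30 characters.
CREATE USER krbuser IDENTIFIED EXTERNALLY AS 'krbuser@ADNET.DEV';
GRANT CONNECT, RESOURCE TO krbuser;

-- Audit which database users are mapped to which external principals.
SELECT username, external_name
  FROM dba_users
 WHERE external_name IS NOT NULL
 ORDER BY username;

-- After connecting with a ticket obtained from the MS KDC, confirm the
-- authentication method (KERBEROS) and the principal the session carries.
SELECT SYS_CONTEXT('USERENV', 'AUTHENTICATION_METHOD') AS auth_method,
       SYS_CONTEXT('USERENV', 'EXTERNAL_NAME')         AS principal
  FROM dual;
```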
Security Integration for .NET Applications
- OS Authenticated Connection Pool in Oracle Data Provider for .NET: supports pooling of OS authenticated users using Windows identity
- ASP.NET Membership and Role Provider: validate and manage user and authorization information for your ASP.NET web applications in Oracle Database
Oracle Virtual Directory: Centralize DB User Account Management
Audience Questions
- How many have user accounts in AD? Sun? OID?
- How many have databases on an OS besides Windows?
- How many can provide your CIO with an audit report verifying DBA and DB user access?
- How many can disable DBA access by disabling a password in a single repository?
- Ask for any questions
Centralize Oracle Database Account Management
- Organizations have many databases on a variety of platforms
- Organizations have implemented enterprise directory services
- Oracle Enterprise User Security is all about how to centralize database account management
- Oracle Enterprise User Security allows you to externalize database accounts and roles to an LDAP server
- Oracle Virtual Directory allows EUS to work with 3rd party directories, not just OID
Oracle Virtual Directory: Overview
Oracle Virtual Directory lets organizations rapidly deploy applications by providing a unified view of identity without synchronization.
Case Study: MKB Bank (Hungary), Database Security

Business Challenges
- Built a database warehouse for reporting
- Wanted to leverage Active Directory and existing provisioning to manage credentials and role membership
- Did not want to synchronize to another directory

Oracle Solution
- Enterprise User Security and OVD
- OVD connects to AD
- EUS allows employees to use their Windows password and the existing provisioning system to manage access

Return On Investment
- Allowed rapid deployment of secure access to the database warehouse
- Did not need to bring up yet another directory service just to manage database accounts
- Eliminated help desk calls

Story line: MKB needed to provide secure access to their data warehouse application. They decided to use Enterprise User Security and used OVD to map EUS accounts to data in their Active Directory domains. This sped up their deployment and eliminated the need to synchronize data to another directory or database.
Summary
- EUS centralizes database account management into a directory
- EUS works across heterogeneous operating systems
- OVD enables EUS to work with 3rd party directories without synchronization
For More Information
- Windows Server System Center
- Oracle Net Services (AD White Paper and more)
- .NET Developer Center (ASP.NET Providers)
- Oracle Virtual Directory (OVD)
- My