Yes, my aim is to

- Not use Advanced Security
- Allow users to use NTS authentication
- Allow some users (developers and DBAs) the choice of NTS or database userids
- Not grant anyone more access to the DBMS host OS than they really need

Thanks
Martin

--------------------------------------------
Martin Herbener
502 564 2020 ext 254
Office of Education Technology
Kentucky Department of Education

From: Niall Litchfield [mailto:niall.litchfield@xxxxxxxxx]
Sent: Thursday, April 01, 2010 4:46 AM
To: Herbener, Martin - KETS Engineering and Management
Cc: Jared Still; oracle-l@xxxxxxxxxxxxx
Subject: Re: User permissions/rights on DBMS host when using NTS

Hmm, I'll agree that I've not observed this, likely for the reason you mention. My memory was that essentially all NTS authentication did was to verify that the account issuing the request had a valid domain authentication token (i.e. not to the server).

It may be, of course, that by excluding the Domain Users group - you'd have to do that explicitly, as you say - you are signalling to the server not to accept standard authentication tokens from the domain. In such a case I'd *hope* that the creation of an "Oracle Users" group on the domain should allow users in that group to successfully authenticate.

I'm assuming that the aim here is not to allow everyone access to the db, to use Windows authentication, and to avoid the expense of Advanced Security? Again, I'd be hopeful that that was possible, but would suspect that alternatives would be easier.

Niall Litchfield
http://www.orawin.info/

On Wed, Mar 31, 2010 at 5:15 PM, Herbener, Martin - KETS Engineering and Management <Martin.Herbener@xxxxxxxxxxxxxxxx> wrote:

The issue is that users apparently cannot connect to a 10.2.0.4 database instance (on Windows 2003) with native database userid/password if the following are all TRUE:

1) Client version does not exactly match database version (for instance, client is 10.2.0.1), AND
2) NTS is enabled in SQLNET.ORA, AND
3) User's Active Directory account is not in the "Users" group on the DBMS host

Failure usually comes with an ORA-12631 error.

I think many people would not observe this because, by default, a Windows server's local "Users" group contains the domain "Domain Users" group.

I guess I am looking for others to validate or refute my theory.

Thanks
Martin

--------------------------------------------
Martin Herbener
502 564 2020 ext 254
Office of Education Technology
Kentucky Department of Education

From: Jared Still [mailto:jkstill@xxxxxxxxx]
Sent: Wednesday, March 31, 2010 11:57 AM
To: Herbener, Martin - KETS Engineering and Management
Cc: oracle-l@xxxxxxxxxxxxx
Subject: Re: User permissions/rights on DBMS host when using NTS

On Wed, Mar 31, 2010 at 7:28 AM, Herbener, Martin - KETS Engineering and Management <Martin.Herbener@xxxxxxxxxxxxxxxx> wrote:

> Those of you using NTS (Windows OS authentication) - have you found that the end users' Windows accounts need some level of permissions/user rights on the DBMS host?

Perhaps if you explained the issue you are experiencing, someone here can help.

OS authentication does not require any rights on the server if the authentication is network based - AD, Kerberos, ...

If the authentication must actually take place on the server, then a user account will be needed; at least it works that way on Linux/Unix.

So the answer is "It depends" :)

Jared Still
Certifiable Oracle DBA and Part Time Perl Evangelist
Oracle Blog: http://jkstill.blogspot.com
Home Page: http://jaredstill.com

--
Niall Litchfield
Oracle DBA
http://www.orawin.info