Actually, we’re on Solaris x86.
My teammate Balazs Berki documented the solutions for the issues we had hit
when setting up the Kerberos AD authentication with Oracle databases in the
following blog post:
http://balazsberki.com/2016/08/oracle-single-sign-on-with-kerberos-pitfalls/ ;.
And yes, we got it working.
The feature has proven to be invaluable in an Oracle shop like ours with
hundreds of database which get duplicated around, 30-days password expiry
policies and many people connecting to them with developer tools.
Nenad
http://nenadnoveljic.com/blog/
From: Jeff Chirco [mailto:backseatdba@xxxxxxxxx]
Sent: Donnerstag, 1. Februar 2018 16:25
To: Noveljic Nenad; ORACLE-L
Subject: Re: Question about single-sign-on products
Hi Noveljic, wow did you get AD authentication to work? Do you have notes you
could share. Also is your DB server on Windows or Linux?
Thanks
On Thu, Feb 1, 2018 at 6:34 AM, Noveljic Nenad
<nenad.noveljic@xxxxxxxxxxxx<mailto:nenad.noveljic@xxxxxxxxxxxx>> wrote:
I can confirm that the Kerberos authentication with Active Directory is working
smoothly. Though we had hit some issues when setting it up initially that were
resolved by installing some additional Oracle patches. Our main goal was to get
rid of the cumbersome database password authentication for developers. The
upside is that you don’t need any additional Oracle products to that. On the
downside, the roles still have to be managed within each individual database
separately.
Nenad
http://nenadnoveljic.com/blog/
From: oracle-l-bounce@xxxxxxxxxxxxx<mailto:oracle-l-bounce@xxxxxxxxxxxxx>
[mailto:oracle-l-bounce@xxxxxxxxxxxxx<mailto:oracle-l-bounce@xxxxxxxxxxxxx>] On
Behalf Of Niall Litchfield
Sent: Donnerstag, 1. Februar 2018 10:29
To: Charles Schultz
Cc: ORACLE-L
Subject: Re: Question about single-sign-on products
We are in the process of implementing Enterprise User
Security<https://docs.oracle.com/database/121/DBIMI/toc.htm> where the
authentication is done via the Kerberos tickets you get at windows logon. That
requires a purchase of Directory Services Plus licenses (if you don't already
have them or OID licenses). It no longer requires the advanced security option
though. Engineering the solution was relatively straightforward once you get
your head around the moving parts. The biggest challenge is the need to
understand the new security model and to determine the best roles and groups
etc for your users. It would also be possible to merely use Kerberos or SSL
authentication as strong
authentication<https://docs.oracle.com/database/121/DBSEG/strong_auth.htm#DBSEG491>
(and SSO) for your individual database users.
On Wed, Jan 31, 2018 at 7:14 PM, Charles Schultz
<sacrophyte@xxxxxxxxx<mailto:sacrophyte@xxxxxxxxx>> wrote:
Good day,
Just putting out feelers to see what experiences folks have had with various
single-sign-on packages. We have a mix of Oracle and MS SQL Server, and use
Active Directory a bit for the MS stuff.
Thanks in advance,
--
Charles Schultz
--
Niall Litchfield
Oracle DBA
http://www.orawin.info
____________________________________________________
Please consider the environment before printing this e-mail.
Bitte denken Sie an die Umwelt, bevor Sie dieses E-Mail drucken.
Important Notice
This message is intended only for the individual named. It may contain
confidential or privileged information. If you are not the named addressee you
should in particular not disseminate, distribute, modify or copy this e-mail.
Please notify the sender immediately by e-mail, if you have received this
message by mistake and delete it from your system.
E-mail transmission may not be secure or error-free as information could be
intercepted, corrupted, lost, destroyed, arrive late or incomplete. Also
processing of incoming e-mails cannot be guaranteed. All liability of the
Vontobel Group and its affiliates for any damages resulting from e-mail use is
excluded. You are advised that urgent and time sensitive messages should not be
sent by e-mail and if verification is required please request a printed version.
<html xmlns="http://www.w3.org/1999/xhtml";>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css">p { font-family: Arial;font-size:9pt }</style>
</head>
<body>
<p>
<br>Important Notice</br>
<br>This message is intended only for the individual named. It may contain
confidential or privileged information. If you are not the named addressee you
should in particular not disseminate, distribute, modify or copy this e-mail.
Please notify the sender immediately by e-mail, if you have received this
message by mistake and delete it from your system.</br>
<br>E-mail transmission may not be secure or error-free as information could be
intercepted, corrupted, lost, destroyed, arrive late or incomplete. Also
processing of incoming e-mails cannot be guaranteed. All liability of the
Vontobel Group and its affiliates for any damages resulting from e-mail use is
excluded. You are advised that urgent and time sensitive messages should not be
sent by e-mail and if verification is required please request a printed
version.<br/>
</p>
</body>
</html>