I have the following:
Oracle Database 12.1.0.2.10 EE on Windows Server 2012. Oracle Services runs as
a domain user in a Windows 2008 domain.
On the client Windows Server (app-server in the same domain) runs an
application via terminal services. This uses Oracle 11.2 64-bit client.
Sqlnet.ora at both ends has SQLNET.AUTHENTICATION_SERVICES=(NTS) in it.
Users are in the database as identified externally.
Under normal circumstances (when they are logged on to the server using
terminal services), this works great. Osuser shows up in v$session as expected.
Users log in equivalent to sqlplus /@db.
But the application has a mode where an app-client connects to the app-server
using a private protocol. On the app-server it Windows-impersonates the
end-user.
In this case native Windows Authentication fails. If you log in authenticated
by database, then osuser in v$session is ANONYMOUS LOGON.
This I could understand, if the authentication protocol was NTLM (which does
not support impersonation). But, I think the authentication protocol should be
Kerberos, especially since according to the Windows Platform Guide:
"Starting with Oracle Database 12c Release 1 (12.1), the NTS authentication
adapter no longer supports the use of NTLM to authenticate Windows domain
users. Thus the NTS cannot be used to authenticate users in old Windows NT
domains or domains with old Windows NT domain controllers. However, local
connections and Oracle Database services running as a Windows Local User
continues to be authenticated using NTLM."
If I run a homemade program to print the fields of
System.Security.Principal.WindowsIdentity, they look exactly the same in working
and non-working cases:
User name: DOMAINXX\yyy
Authentication type: Kerberos
IsAuthenticated: True
IsSystem: False
Owner: S-1-5-21-2031436270-1089497111-1341851473-23095
User: S-1-5-21-2031436270-1089497111-1341851473-23095
RoleClaimType: http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
NameClaimType: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
IsGuest: False
IsAnonymous: False
Label:
ImpersonationLevel: None
Is my thinking off? Any thoughts?
Regards Niels
--
//www.freelists.org/webpage/oracle-l