I am trying to setup Kerberos authentication for my Oracle database and I have a situation where I need to maintain different versions of sqlnet.ora for each kerberos user connection. My application is using OCI driver (a single unix process does more than one user connection to the same Oracle database). And I am not able switch sqlnet.ora between user connections using setenv(TNS_ADMIN) call programmatically. I am assuming once the contents of sqlnet.ora gets loaded to process, it remains unchanged for the rest of its life.
Is my case a practical one, has anyone encountered?
When it comes to kerberos, I am not sure why Oracle client restricts the sqlnet.ora to one principal kerberos user. Maybe Oracle does not have a clean support for kerberos as I dont see OCI API's?
Thanks
Srivatsan
Related
I have a database Connection established in odbcad and Microsoft Access (aswell as working in Excel) via ODBC and want to also get it working in Oracle SQL developer.
It is a Windows SQL Server as far as i know and I have tried several Settings, of which None works. I have also installed Driver for ODBC. I would like to Import Settings into SQL developer as applied in MS Access, is there any possibility?
No, SQL Developer is a Java application and uses a JDBC driver.
But if you look at the odbc properties for your connection, those should largely translate to what you need to define a basic connection.
Oracle:
Server name or IP address of the DB, port # for the listener, and the name of the SID or Service, plus a valid username and password is all you need to connect to Oracle.
What error do you get when you try to connect?
Show us what you're trying.
Update:
You're trying to connect to SQL Server but you're getting"
Native SSPI library not loaded
You're trying to use OS Authentication for your connection. For this to work with the jTDS driver, you need to copy a DLL file named ntlmauth.dll (which is for NT authentication) under the jtds-x.x.x-dist\x86\SSO\ or jtds-x.x.x-dist\x64\SSO\, to any directories in the PATH environment.
Please update your question such that's it's clear you're connecting to SQL Server and share the error message so others can find it.
I imagine this question is a duplicate of many previous iterations of the same challenge.
We have a large SSIS solution with many connection managers pointing to Oracle. Provider is ODBC, data sources are set to defined system DSNs. So far we use user names and passwords and everything works fine. Now we want to switch to Kerberos authentication.
I can already successfully query the Oracle database using sqlplus with Windows authentication.
I'm having hard time achieving the same from SSIS using ODBC connection managers.
Is it possible to reconfigure the ODBC connection managers so they will use Windows authentication? How should be the connection manager configured?
The question is specifically about ODBC, please avoid answers like "use Attunity".
We use MS SQL Server 2016 Enterprise edition, Oracle 12.2.
I finally made it working, hope it helps someone.
I created a new DSN
as User ID I put [OracleUserName]
beware the square brackets! Those are necessary
the OracleUserName is user name configured on Oracle side (I do not know much about Oracle). The DBA configured the AD account to be able to login as this user.
I have set up an externally identified user for our Oracle 10g (10.2.0.3) database like this:
CREATE USER "OPS$DOMAIN\USER" IDENTIFIED EXTERNALLY;
Now I am trying to connect from a 10.2.0.1 sqlplus client using
connect /#TNS_NAME;
however I get
Invalid username/password.
[Edited]
Here is all the information I can currently give on this issue:
There are two virtualized Windows 2003 Servers, each running their own Oracle 10.2.0.3 database
There are two virtualized Windows XP Clients with the Oracle Client 10.2.0.1
All four machines are on the same virtual host and within the same domain
The same user is used to log in on both clients
Client 1 can use OS authentication to connect to Server 1
Client 1 cannot connect to Server 2 with OS authentication
Client 2 cannot connect to either database server with OS authentication
Both Clients can connect to either database server with schema owner/password
Four months ago, Client 2 could connect to Client 2 with OS authentication. I cannot tell if Client1->Server2 and Client2->Server1 worked, but I am almost certain it did.
Things I have considered:
I double checked the os_authent_prefix, which is "OPS$"
I tried recreating the user, and made sure everything was written in caps (we had problems in the past when we didn't have all caps)
I tried granting the create session privilege (someone suggested that somewhere; didn't help)
What could I be missing / What else could I try?
PS: Database security is not a concern here; I know OS Authentication is kind of insecure.
Since the problem is happening at the client can you please check the below parameter in sqlnet.ora file in the client machine
SQLNET.AUTHENTICATION_SERVICES= (NTS)
Even after that it does not work you can refer this article on os-authentication to check if any step is missing
I have a legacy application, which connects to the configured Oracle database.
It seems it has some logic that alters the database credentials as it is unable to successfully log in to the Oracle database, while sqlplus started on the same machine is able to log in.
The error I am getting is: [DataDirect][ODBC Oracle Wire Protocol driver][Oracle]ORA-01017: invalid username/password; logon denied
How to find out what is the database username and password that are sent to the database?
What I have tried so far:
Enabled auditing of failed sign-on attempts on Oracle (audit create session whenever not successful). It does not solve the issue, because it only logs the username, which seems to be correct, without the password.
Used a sniffer to eavesdrop the network traffic between the machine running the application and the database, but since Oracle's TNS protocol is encrypted, it did not help a lot.
Started a server using netcat on port X, provided port X in the application configuration file. The application did connect to my server, that is how I know the application is connecting to the correct server. But since the TNS protocol is pretty complex (requires a series of messages to be exchanged between the client and the server) I hope there is a simpler why of achiving what I want without having to reverse engineer Oracle and implementing my own server.
Enabled tracing of the JDBC driver (Trace=1, TraceFile, TraceDll). The trace file shows the correct username, but obviously the password is not getting logged.
My environment:
Database: Oracle 11g
Application runs on: Solaris
Application uses: DataDirect ODBC Oracle Wire Protocol v70
I not sure, but if connection established by ODBC driver (as described in question tags) then you can try ODBC sniffing tools like ODBC Tracing.
Citation:
Password "Sniffing" Using Trace
ODBC provides a means for tracing the conversation taking place between the driver and the host database. Used by developers for testing purposes, the tracing feature is designed to help programmers find out exactly what is going on and to help fix problems. However, tracing (also called "sniffing") can be used by nefarious bad guys to retrieve user passwords.
When tracing is enabled, communications with the host are written to a file. This includes the user ID and password, which are captured in plain text.
Update
SQLPlus connects to Oracle with OCI interface, but DataDirect ODBC driver uses it's own proprietary implementation of communication protocol. So, most probable point of failure is driver misconfiguration or incompatibility.
DataDirect provides some tools for ODBC drivers diagnostics, but only option applicable to case described in question is using snoop utility, which acts like a netcat which already tried.
Because connection failed at credential verification stage, the most probable source of error is using localized symbols for user name or password. There are some issues with Oracle authentication process, listed in DataDirect Knowledge Search (search for ORA-01017).
It seems that DataDirect provides two separate version of driver with and without Unicode support, therefore one of possible points of failure is to connecting with non-Unicode version of driver to Unicode version of database and vice verse.
P.S. For now I don't have any experience with DataDirect ODBC driver. So it's only suggestions about possible source of failure.
We are trying to shape up an old, 2 tier, Delphi based application. It originally uses database authentication, we'd like to transform the db user accounts to global users, so an OID server could perform the authentication instead of the database.
The Delphi program can no longer log into the database if the account is a global user. I'm trying to understand the login protocol, so far without results.
Similar thing happens with SQLDeveloper, I can't connect as a global user. SQLPlus however works with both kinds of users. We checked the information flow with Wireshark. When the dbserver asks back for a password, the SQLPlus sends it, while the SQLDeveloper doesn't send a password when attempting to connect as a global user.
The client sends the application name too in the login request. Is it possible that we have to store the client app name in the LDAP itself?
To connect to Oracle using OID, application must properly configure OCI (Oracle Call Interface). The data access components (which one ?), you are using, must set OCI_ATTR_DISTINGUISHED_NAME session attribute. If that is not done, then you will be not able to connect to Oracle server using ODI and OCI.
You should check your components documentation for this feature. And if it is not implemented, then discuss this issue with the components vendor. Actually, there is not much work to implement, but some work to setup testing environment is required ...