Kerberos Authentication to Oracle Database using Active Directory
=================================================================

This guide provides step-by-step instructions to configure Kerberos-based authentication using Active Directory for Oracle databases, including all relevant OS, Oracle, and network settings for successful authentication between Windows clients and Oracle Database on Linux.

Environment Overview
--------------------
Database Server:
- OS: Oracle Linux Server release 7.9
- Oracle Version: 19.28.0.0.0
- PDB Name: APPPDB
- Hostname: dbserver01.example.com
- Keytab Path: $ORACLE_HOME/network/admin/oracle.keytab

Active Directory:
- Realm: EXAMPLE.COM
- AD Domain Controller: dc01.example.com
- Oracle AD Service Account: svc_oracle_kerberos

Client Workstation:
- OS: Windows 11 Enterprise
- Kerberos Implementation: MIT Kerberos for Windows
- AD Username: dbuser1@EXAMPLE.COM

SECTION 1: Active Directory Configuration
-----------------------------------------
1. AD Administrator generates the keytab using the following command:

    ktpass -princ oracle/dbserver01.example.com@EXAMPLE.COM ^
           -pass <password> ^
           -mapuser svc_oracle_kerberos ^
           -crypto ALL ^
           -ptype KRB5_NT_PRINCIPAL ^
           -out C:\temp\oracle.keytab

2. The keytab file (oracle.keytab) is transferred securely to the Oracle DBA.
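Because -crypto ALL writes one key per encryption type the domain supports, the keytab handed to the DBA normally carries an RC4-HMAC entry next to the AES ones (and DES entries on domains that still allow them), so it is worth checking which principal and encryption types the file actually holds before it goes under $ORACLE_HOME/network/admin. The following is an added example, not part of the original post and not Oracle or Microsoft tooling: a small reader for the MIT keytab layout that ktpass produces, run here on a constructed in-memory keytab with dummy keys (the names build_keytab, parse_keytab and weak_entries are this example's own). To inspect the real file, pass open(path, "rb").read() to parse_keytab.

```python
import struct
from dataclasses import dataclass

# Kerberos enctype numbers from the IANA registry (RFC 3961/3962/4757).
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ENCTYPES = {1, 3, 23}   # DES and RC4: flag these before the keytab is deployed


@dataclass
class KeytabEntry:
    principal: str   # e.g. oracle/dbserver01.example.com@EXAMPLE.COM
    kvno: int
    enctype: int
    key: bytes


def _counted(b: bytes) -> bytes:
    """uint16 big-endian length followed by the bytes (MIT 'counted_octet_string')."""
    return struct.pack(">H", len(b)) + b


def _read_counted(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries) -> bytes:
    """Serialize entries in the version-2 (0x0502) MIT keytab layout.
    Used here only to construct sample input; ktpass/ktutil write the same layout."""
    out = b"\x05\x02"
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">II", 1, 0)            # name_type KRB5_NT_PRINCIPAL, timestamp
        body += struct.pack(">B", e.kvno & 0xFF)    # 8-bit vno
        body += struct.pack(">H", e.enctype) + _counted(e.key)
        body += struct.pack(">I", e.kvno)           # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body  # int32 entry size precedes each entry
    return out


def parse_keytab(data: bytes):
    """Parse a version-2 MIT keytab into KeytabEntry objects."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                    # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c.decode())
        pos += 8                        # skip name_type and timestamp
        kvno = data[pos]
        (enctype,) = struct.unpack_from(">H", data, pos + 1)
        key, pos = _read_counted(data, pos + 3)
        if end - pos >= 4:              # 32-bit vno present: it overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, pos)
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype, key))
        pos = end
    return entries


def weak_entries(entries):
    """(principal, enctype name) for every key that uses DES or RC4."""
    return [(e.principal, ENCTYPE_NAMES.get(e.enctype, str(e.enctype)))
            for e in entries if e.enctype in WEAK_ENCTYPES]


# Constructed sample: the entries "-crypto ALL" typically leaves for the service principal.
SAMPLE_PRINCIPAL = "oracle/dbserver01.example.com@EXAMPLE.COM"
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry(SAMPLE_PRINCIPAL, 3, 23, b"\x11" * 16),   # rc4-hmac
    KeytabEntry(SAMPLE_PRINCIPAL, 3, 17, b"\x22" * 16),   # aes128
    KeytabEntry(SAMPLE_PRINCIPAL, 3, 18, b"\x33" * 32),   # aes256
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e.principal, "kvno", e.kvno, ENCTYPE_NAMES.get(e.enctype, e.enctype))
    print("weak enctypes:", weak_entries(parse_keytab(SAMPLE_KEYTAB)))
```

On a Linux host with the MIT utilities installed, klist -kte on the copied file gives the same principal, kvno and enctype listing without any code. If the listing shows only the AES entries you expect, the kvno in the keytab must still match the one the KDC holds for the account, which is why the keytab has to be regenerated whenever the service account password is reset.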

SECTION 2: Oracle Database Server Setup (Linux)
-----------------------------------------------
1. Copy the keytab file to the database server:
   $ORACLE_HOME/network/admin/oracle.keytab

2. Modify sqlnet.ora on the database server:

    SQLNET.AUTHENTICATION_SERVICES = (BEQ,KERBEROS5)
    SQLNET.FALLBACK_AUTHENTICATION = TRUE
    SQLNET.KERBEROS5_CONF = $ORACLE_HOME/network/admin/krb5.conf
    SQLNET.KERBEROS5_CONF_MIT = TRUE
    SQLNET.KERBEROS5_CLOCKSKEW = 6000
    SQLNET.KERBEROS5_CC_NAME = /tmp/krb5cc_500
    SQLNET.KERBEROS5_KEYTAB = $ORACLE_HOME/network/admin/oracle.keytab
    SQLNET.AUTHENTICATION_KERBEROS5_SERVICE = oracle

3. Create the krb5.conf file at $ORACLE_HOME/network/admin/krb5.conf:

    [libdefaults]
        default_realm = EXAMPLE.COM
        clockskew = 6000
        forwardable = true
        renew_lifetime = 7d
        rdns = false
        ticket_lifetime = 24h
        udp_preference_limit = 1

    [realms]
        EXAMPLE.COM = {
            kdc = dc01.example.com:88
        }

    [domain_realm]
        .example.com = EXAMPLE.COM
        example.com = EXAMPLE.COM

4. Validate Kerberos ticket on Linux:

    okinit dbuser1@EXAMPLE.COM
    oklist

SECTION 3: Windows Client Workstation Setup
-------------------------------------------
1. Install MIT Kerberos for Windows (latest version). Select the full installation option.

2. Create krb5.ini at:
   C:\ProgramData\MIT\Kerberos5\krb5.ini

    [libdefaults]
        default_realm = EXAMPLE.COM
        clockskew = 6000
        noaddresses = true
        forwardable = yes

    [realms]
        EXAMPLE.COM = {
            kdc = dc01.example.com:88
        }

    [domain_realm]
        EXAMPLE.COM = EXAMPLE.COM
        .EXAMPLE.COM = EXAMPLE.COM
        example.com = EXAMPLE.COM
        .example.com = EXAMPLE.COM

3. Initialize Kerberos ticket:

    set KRB5CCNAME=FILE:C:\Temp\krb5cc_dbuser1
    kinit dbuser1@EXAMPLE.COM
    "C:\Program Files\MIT\Kerberos\bin\klist.exe"

4. Modify sqlnet.ora in the Oracle client directory
   (<ORACLE_CLIENT_HOME>/network/admin):

    SQLNET.AUTHENTICATION_SERVICES = (KERBEROS5)
    SQLNET.KERBEROS5_CONF = C:\ProgramData\MIT\Kerberos5\krb5.ini
    SQLNET.KERBEROS5_CC_NAME = C:\Temp\krb5cc_dbuser1
    SQLNET.AUTHENTICATION_KERBEROS5_SERVICE = oracle

5. Update tnsnames.ora:

    APPPDB =
      (DESCRIPTION =
        (ADDRESS = (PROTOCOL = TCP)(HOST = dbserver01.example.com)(PORT = 1521))
        (CONNECT_DATA =
          (SERVER = DEDICATED)
          (SERVICE_NAME = apppdb)
        )
      )

6. On the database server, set the OS authentication prefix to blank in the CDB, so that the Kerberos principal name is used as the database username without a prefix:

    ALTER SYSTEM SET os_authent_prefix='' SCOPE=spfile;

7. Restart the database instance.

SECTION 4: Test Kerberos Authentication
---------------------------------------
From the Windows client:

    sqlplus /@APPPDB

You should be logged in automatically using your Active Directory credentials without being prompted for a password.

TROUBLESHOOTING TIPS
--------------------
- Use klist on Windows to verify the Kerberos ticket.
- Ensure krb5.ini and krb5.conf files match exactly.
- Check Oracle Net trace files for authentication errors.
- Use oklist on Linux to inspect tickets during server-side testing.
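The second tip, that krb5.ini and krb5.conf must agree, is easy to get wrong by hand because the two files also legitimately differ in options such as rdns and noaddresses. The following is an added example, not part of the original post and not an Oracle or MIT tool: it parses both files the way libkrb5 reads them, resolves a hostname to its realm through [domain_realm] (which is why both .example.com and example.com appear in the mappings), and reports only the mismatches that matter for a logon. The SERVER_CONF and CLIENT_CONF strings are constructed copies of the files shown in Sections 2 and 3, and the function names are this example's own.

```python
import re

# Constructed copies of the files shown in Sections 2 and 3 (server krb5.conf, client krb5.ini).
SERVER_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    clockskew = 6000
    forwardable = true
    rdns = false
[realms]
    EXAMPLE.COM = {
        kdc = dc01.example.com:88
    }
[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
"""

CLIENT_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    clockskew = 6000
    noaddresses = true
    forwardable = yes
[realms]
    EXAMPLE.COM = {
        kdc = dc01.example.com:88
    }
[domain_realm]
    EXAMPLE.COM = EXAMPLE.COM
    .EXAMPLE.COM = EXAMPLE.COM
    example.com = EXAMPLE.COM
    .example.com = EXAMPLE.COM
"""


def parse_krb5(text: str) -> dict:
    """Parse krb5.conf/krb5.ini into {section: {key: value}}; 'key = { ... }'
    subsections (as used under [realms]) become nested dicts."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            stack = [conf.setdefault(m.group(1), {})]
            continue
        if line == "}":
            stack.pop()
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return conf


def realm_for_host(conf: dict, hostname: str) -> str:
    """Resolve a host to its realm with the [domain_realm] rule libkrb5 applies:
    the lowercased host itself, then each parent domain with a leading dot
    (longest first), then default_realm."""
    host = hostname.lower()
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return conf.get("libdefaults", {}).get("default_realm")


def compare_configs(server: dict, client: dict, hosts=("dbserver01.example.com",)) -> list:
    """Return the mismatches that break a Kerberos logon: a different default
    realm or clock skew, a different KDC for the realm, or a hostname that the
    two sides map to different realms."""
    issues = []
    s_lib, c_lib = server.get("libdefaults", {}), client.get("libdefaults", {})
    for key in ("default_realm", "clockskew"):
        if s_lib.get(key) != c_lib.get(key):
            issues.append(f"libdefaults.{key}: server={s_lib.get(key)!r} client={c_lib.get(key)!r}")
    realm = s_lib.get("default_realm")
    s_kdc = server.get("realms", {}).get(realm, {}).get("kdc")
    c_kdc = client.get("realms", {}).get(realm, {}).get("kdc")
    if s_kdc != c_kdc:
        issues.append(f"realms.{realm}.kdc: server={s_kdc!r} client={c_kdc!r}")
    for host in hosts:
        s_realm, c_realm = realm_for_host(server, host), realm_for_host(client, host)
        if s_realm != c_realm:
            issues.append(f"domain_realm for {host}: server={s_realm!r} client={c_realm!r}")
    return issues


if __name__ == "__main__":
    server, client = parse_krb5(SERVER_CONF), parse_krb5(CLIENT_CONF)
    print("dbserver01 realm:", realm_for_host(client, "dbserver01.example.com"))
    print("mismatches:", compare_configs(server, client) or "none")
    # A client pointed at a different KDC is reported immediately.
    print(compare_configs(server, parse_krb5(CLIENT_CONF.replace("dc01", "dc02"))))
```

To run it against the real files, replace the two strings with open(path).read() of the server's krb5.conf and the workstation's krb5.ini. A host that falls through to default_realm is a hint that a [domain_realm] entry is missing on that side, which shows up in Oracle Net traces as a ticket requested for the wrong realm rather than as a clear configuration error.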
