Kerberos authentication ends in various errors

mpatzwahl

Hello,

I would like to authenticate my users with Kerberos (MS AD).

I found different blogs which explain how to do this task, but none work for me.

My version: Oracle 19.x EE

My sqlnet.ora:

SQLNET.KERBEROS5_CONF=c:\temp\krb5.conf
SQLNET.KERBEROS5_KEYTAB=C:\temp\krb5.keytab
#SQLNET.KERBEROS5_CC_NAME=MSLSA:
#SQLNET.KERBEROS5_CC_NAME=OSMSFT
sqlnet.kerberos5_cc_name=C:\temp\krbcc
SQLNET.KERBEROS5_CONF_MIT=true
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oracle
#SQLNET.AUTHENTICATION_SERVICES= (NTS)
SQLNET.AUTHENTICATION_SERVICES=(BEQ,KERBEROS5PRE,KERBEROS5)
SQLNET.FALLBACK_AUTHENTICATION=TRUE
DIAG_ADR_ENABLED = OFF
TRACE_DIRECTORY_OKINIT = c:\temp
TRACE_FILE_OKINIT = okinit.txt
TRACE_LEVEL_OKINIT = SUPPORT
TRACE_LEVEL_CLIENT=16
TRACE_DIRECTORY_CLIENT=c:\temp
TRACE_UNIQUE_CLIENT=on
TRACE_FILE_CLIENT=kerb_client

On the AD server I did a

ktpass.exe -princ oracle/[email protected] `
   -mapuser dbserver `
   -crypto all `
   -ptype KRB5_NT_PRINCIPAL `
   -pass mypass `
   -out 'C:\temp\krb5.keytab'

I copied the krb5.keytab to the Windows server.

My krb5.conf:

[libdefaults]
default_realm = AD.MYDOMAIN.DE

[realms]
AD.MUNIQSOFT-TRAINING.DE = {
kdc = BERYLLIUM.AD.MYDOMAIN.DE
}

[domain_realm]
.ad.mydomain.de = AD.MYDOMAIN.DE
ad.mydomaing.de = AD.MYDOMAIN.DE

okinit seems ok:

okinit

Kerberos Utilities for 64-bit Windows: Version 19.0.0.0.0 - Production on 07-JUL-2020 08:38:18
Copyright (c) 1996, 2019 Oracle.  All rights reserved.
Configuration file : c:\temp\krb5.conf.
Password for [email protected]_DOMAIN.DE:

c:\oracle>sqlplus /

SQL*Plus: Release 19.0.0.0.0 - Production on Di Jul 7 08:38:30 2020
Version 19.3.0.0.0
Copyright (c) 1982, 2019, Oracle.  All rights reserved.

ERROR:
ORA-12641: Authentication Service konnt nicht initialisiert werden.

Benutzernamen eingeben:

Does anybody use this feature in production?

A normal database connect with user/pwd does not work either, so what is the sqlnet.ora parameter SQLNET.FALLBACK_AUTHENTICATION=TRUE for?

Benutzernamen eingeben: system/sys
ERROR:
ORA-12641: Authentication Service konnt nicht initialisiert werden.

Thanks

Marco
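
A small lint for a krb5.conf of the shape posted above, checking that default_realm and every [domain_realm] target have a matching [realms] entry with a kdc. This is an added example, not part of the original post or of Oracle's tooling; the function names and the example.com sample are constructed for illustration, and the parser covers only the syntax subset seen in the post.

```python
import re

def parse_krb5_conf(text):
    """Parse [section] headers, key = value pairs and one level of { } blocks."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, block = conf.setdefault(header.group(1), {}), None
        elif line == "}":
            block = None
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                target = block if block is not None else section
                target.setdefault(key, []).append(value)
    return conf

def lint_krb5_conf(text):
    """Return findings about realm names that do not line up across sections."""
    conf = parse_krb5_conf(text)
    realms = conf.get("realms", {})
    findings = []
    default = conf.get("libdefaults", {}).get("default_realm", [None])[-1]
    if default is None:
        findings.append("no default_realm in [libdefaults]")
    elif default not in realms:
        findings.append(f"default_realm {default} has no [realms] entry")
    for name, body in realms.items():
        if not isinstance(body, dict) or not body.get("kdc"):
            findings.append(f"realm {name} defines no kdc")
    for domain, targets in conf.get("domain_realm", {}).items():
        for realm in targets:
            if realm not in realms:
                findings.append(f"domain_realm {domain} -> {realm} is not in [realms]")
    return findings

# Constructed sample (example.com names are placeholders, not the poster's file).
SAMPLE = (
    "[libdefaults]\ndefault_realm = CORP.EXAMPLE.COM\n"
    "[realms]\nLAB.EXAMPLE.COM = {\nkdc = dc01.corp.example.com\n}\n"
    "[domain_realm]\n.corp.example.com = CORP.EXAMPLE.COM\n"
)

print("\n".join(lint_krb5_conf(SAMPLE)))
```

A missing [realms] entry is reported as a finding rather than a hard error, because a Kerberos client can also locate the KDC through DNS SRV records when that lookup is enabled.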