ODP.NET + Kerberos

user13364239

Hi!

We develop ASP.NET MVC portal that interacts with Oracle 12c using ODP.NET 12.2.1100 managed driver. According to the documentation, we configured the database connection using Kerberos. Everything works well, but only for a part of Active Directory users while the other part gets the ora-12631 error. Numerous experiments on problem users have shown that they are all included in a large number of Active Directory security groups, and if the problem user is excluded from certain Active Directory groups, the connection to the database via Kerberos passes without problems. It was found that the Kerberos token for problem users has a larger size in relation to other users. The Kerberos token is passed from the client to the web server (IIS in our case) in the http header. Accordingly, we maximized the value of the MaxTokenSize parameter on the client and on the server, but this did not help. On the server, we increased the values of the MaxFieldLength and MaxRequestBytes parameters to the maximum, but this did not help. We completely disabled the antivirus SOFTWARE on both the client and server, but it didn't help.

In accordance with all of the above, can ODP.NET or MIT Kerberos 4.0.1 have restrictions on the size of the Kerberos token or the size of the http request header? Maybe there are restrictions on the database side?

Alex Keh-Oracle

The one main restriction managed ODP.NET has in a Kerberos scenario vs. unmanaged is that managed doesn't support constrained delegation. A possible related bug is 24810947 - KERBEROS INITIAL HANDSHAKE FAILS IF "AUTHENTICATOR" IS GREATER THAN SDU SIZE. This bug affects ODP.NET 12.2. You can try increasing the SDU size on the client and server or you can try upgrading your managed ODP.NET version to 18c or higher if this the bug you hit.

Those are my best guesses. If this is a new bug, then it's impossible to resolve until Oracle provides you a bug fix. And if a bug fix is needed, Oracle must be able to have some diagnostic info to resolve what code fix is necessary.

Alex Keh-Oracle

I would recommend opening up an Oracle Support service request as this sounds like a bug or at least a deeper level of investigation beyond ODP.NET itself into some of the Oracle networking and security code. It will require sharing your security configuration details, which obviously a public forum is not a great place for that.

user13364239

Unfortunately, we can't open up an Oracle Support service request at this moment. So we continued our investigation. We created two ASP.NET MVC portals. The first portal uses ODP.NET 12.2.1100 managed driver. The second portal uses ODP.NET 12.2.1100 unmanaged driver. When a problem user enters the first portal, they still get the ora-12631 error. When a problem user enters the second portal, no errors occur.

     Can you comment on what this behavior is related to? Can there be an error in ODP.NET 12.2.1100 managed driver?

Alex Keh-Oracle

The one main restriction managed ODP.NET has in a Kerberos scenario vs. unmanaged is that managed doesn't support constrained delegation. A possible related bug is 24810947 - KERBEROS INITIAL HANDSHAKE FAILS IF "AUTHENTICATOR" IS GREATER THAN SDU SIZE. This bug affects ODP.NET 12.2. You can try increasing the SDU size on the client and server or you can try upgrading your managed ODP.NET version to 18c or higher if this the bug you hit.

Those are my best guesses. If this is a new bug, then it's impossible to resolve until Oracle provides you a bug fix. And if a bug fix is needed, Oracle must be able to have some diagnostic info to resolve what code fix is necessary.

user13364239

Alex, thank you very much! The problem was solved by increasing the size of the SDU on the client and server.