External Authentication on Windows
Guys, this is driving me crazy.
I had an external user configured on my Oracle 9.2.0.5 database on a Windows 2003 Server.
It was working, I use it to make dump backups.
Now, without any change on any oracle param or bounce it just stoped working.
I have two instances, for one it's working, for the other it's not.
Both instances are on the same server (so I'm using the same sqlnet.ora file with NTS authentication).
Today I removed and recreate the user on both instances, but I keep getting the same problem.
create user "OPS$DOMAIN\ORABACKUP" identified externally
default tablespace users
temporary tablespace temp
The parameters are the same on both instances:
os_authent_prefix string OPS$
os_roles boolean FALSE
remote_login_passwordfile string EXCLUSIVE
remote_os_authent boolean FALSE
remote_os_roles boolean FALSE
Do you have any ideas of why this could happen??
Is there another parameter related to external authentication that I don't know?
Thanks!
Was there ever an answer on this, having problems with setup using same versions
Similar Messages
-
External Authentication with Server 2008 R2
Has anyone had success configuring External Authentication on Windows Server 2008 R2? We are using Hyperion Enterprise 6.5.1.
Thank you.Was there ever an answer on this, having problems with setup using same versions
-
Error while Configuring AD external authentication plug in
Hi
While configuring Active directory external authentication plug I am getting following error
OID Active Directory Plug-in Configuration
Please make sure Database and OID are up and running.
Please enter Active Directory host name: clmad101.ad.company.com
Do you want to use SSL to connect to Active Directory? (y/n) n
Please enter Active Directory port number [389]: 389
Please enter DB connect string:SQLPLUS sys/manager1 @infradb.ad.company-.com @md61nthiims1.ad.company.com:1521
Please enter ODS password:
Please enter confirmed ODS password:
Please enter OID host name: md61nthiims1.ad.company.com
Please enter OID port number [389]: 389
Please enter orcladmin password:
Please enter confirmed orcladmin password:
Please enter the subscriber common user search base [orclcommonusersearchbase]:
CN=Users,dc=ad,dc=company,dc=com
Please enter the Plug-in Request Group DN:
Please enter the exception entry property [(!(objectclass=orcladuser))]: (|(!obj
ectclass=orcladuser))(cn=orcladmin))
Do you want to setup the backup Active Directory for failover? (y/n) n
Installing Plug-in Packages ...
Usage: SQLPLUS [ [<option>] [<logon>] [<start>] ]
where <option> ::= -H | -V | [ [-C <v>] [-L] [-M <o>] [-R <n>] [-S] ]
<logon> ::= <username>[<password>][@<connect_identifier>] | / | /NOLOG
<start> ::= @<URL>|<filename>[.<ext>] [<parameter> ...]
"-H" displays the SQL*Plus version banner and usage syntax
"-V" displays the SQL*Plus version banner
"-C" sets SQL*Plus compatibility version <v>
"-L" attempts log on just once
"-M <o>" uses HTML markup options <o>
"-R <n>" uses restricted mode <n>
"-S" uses silent mode
Usage: SQLPLUS [ [<option>] [<logon>] [<start>] ]
where <option> ::= -H | -V | [ [-C <v>] [-L] [-M <o>] [-R <n>] [-S] ]
<logon> ::= <username>[<password>][@<connect_identifier>] | / | /NOLOG
<start> ::= @<URL>|<filename>[.<ext>] [<parameter> ...]
"-H" displays the SQL*Plus version banner and usage syntax
"-V" displays the SQL*Plus version banner
"-C" sets SQL*Plus compatibility version <v>
"-L" attempts log on just once
"-M <o>" uses HTML markup options <o>
"-R <n>" uses restricted mode <n>
"-S" uses silent mode
Usage: SQLPLUS [ [<option>] [<logon>] [<start>] ]
where <option> ::= -H | -V | [ [-C <v>] [-L] [-M <o>] [-R <n>] [-S] ]
<logon> ::= <username>[<password>][@<connect_identifier>] | / | /NOLOG
<start> ::= @<URL>|<filename>[.<ext>] [<parameter> ...]
"-H" displays the SQL*Plus version banner and usage syntax
"-V" displays the SQL*Plus version banner
"-C" sets SQL*Plus compatibility version <v>
"-L" attempts log on just once
"-M <o>" uses HTML markup options <o>
"-R <n>" uses restricted mode <n>
"-S" uses silent mode
Registering Plug-ins ...
adding new entry cn=adwhencompare,cn=plugin,cn=subconfigsubentry
adding new entry cn=adwhenbind,cn=plugin,cn=subconfigsubentry
Done.
Is there anythign wrong in the DB connect string??
ThanksDid you check the debug information from the external auth plugin.?
This is mentioned in metalink note https://metalink.oracle.com/metalink/plsql/showdoc?db=NOT&id=277382.1
here an excerpt:
D) Enabled plug in debugging at the database level. Reference documentation: Oracle Internet Directory Administrator's Guide 10g (9.0.4) Chapter 43 Integration with the Microsoft Windows Environment - Troubleshooting Integration with Microsoft Windows Under section "Debugging the Microsoft Active Directory External Authentication Plug-in"
...enable the plug-in debugging. To do this, enter:
> sqlplus ods/odspassword @$ORACLE_HOME/ldap/admin/oidspdon.pls
To check the plug-in debugging log, enter:
> sqlplus system/manager
SQL> select * from ods.plg_debug_log order by id;
(To delete the plug-in debugging log:
> sqlplus system/manager
SQL> truncate table ods.plg_debug_log
To disable the plug-in debugging:
> sqlplus ods/ods @$ORACLE_HOME/ldap/admin/oidspdof.pls
E) Dump the plug-in profile to make sure it is enabled and configured correctly:
> ldapsearch -h <OID host> -p <OID port> -D "cn=orcladmin" -w <orcladmin password> -b "cn=plugin,cn=subconfigsubentry" -L -s sub "(objectclass=*)" "*"
please take also a look into the DIPTESTER tool available in
http://www.oracle.com/technology/sample_code/products/oid/java_diptester.tar
regards
--Olaf -
External authentication on Essbase 9.3.1
I am migrating from Essbase 7.3.x on 32-bit Windows to System9 on 64-bit windows. External authentication works on both Shared Services and EAS. I have successfully registered EAS and Essbase with shared services however I do not see Essbase in "User console" of Shared Services as an application. I am able to create native authenticated users in Essbase but unable to externalise the security. I get the following error messages when trying to externalise:
Error: 1051549: Can not convert Analytic Services to Shared Services mode when Analytic Services is not configured with Shared Services or the initialization process has failed
On starting Essbase, I see the following error message when I use the same CSSconfig file as used by shared services:
[Wed Jul 16 10:26:45 2008]Local/ESSBASE0///Error(1051223)
Single Sign On function call [css_init] failed with error [getOSVersion]
[Wed Jul 16 10:26:45 2008]Local/ESSBASE0///Info(1051198)
Single Sign-On Initialization Failed !
If I point to the current CSS file used in production Essbase 7, I get the following message:
[Wed Jul 16 10:33:26 2008]Local/ESSBASE0///Error(1051223)
Single Sign On function call [css_init] failed with error [-1]
[Wed Jul 16 10:33:26 2008]Local/ESSBASE0///Info(1051198)
Single Sign-On Initialization Failed !
In either case everything except External Authentication on System9 for Essbase works.
Both shared services and Essbase are on the same 64-bit Windows box.
Any help in resolving this will be greatly appreciated.
Thanks,
Vikram.HI:
I recommand following these steps:
1. Go to the box where you have your Essbase installed
2. Pull up the Shared Services Configuration Utility
3. Select COmponent to be registered as Essbase
4. Remeber to stop the essbase - i assume you are getting the error hence essbae would not have loaded.
5. Re-register Essbase with Shared services
6.Start essbase in Foreground
It shuld Start :) good Luck..let me know If this failed..
Thanks,
Sriram -
Oracle Virtual Directory vs. Oracle External Authentication Plug-in
I am working in Windows 2003 Server platform and I have Oracle Portal 10g R2 with Oracle Single Sign On 10g R2 setup. I also have Microsoft Active Directory setup. I want to use Microsoft Active Directory users from Oracle Portal and as per my understanding I could use Oracle External Authentication Plug-in or Oracle Virtual Directory for this purpose. I would like to use Oracle Virtual Directory if possible. Could someone please tell me if I could use Oracle Virtual Directory or not?
Thanks.Yeah, I could use Oracle External Authentication Plug-in, but I am having issues with running the oidspadi.sh script on my Windows 2003 server environment. I am running this script using Cygwin's latest software, but for some reason I get the following error message.
: command not found8:
: command not found8:
: command not found3:
: command not found7:
: command not found1:
: command not found8:
: command not found9:
: command not found0: clear
OID Active Directory Plug-in Configuration
Please make sure Database and OID are up and running.
: command not found7:
: command not found0:
oidspadi.sh: line 103: syntax error near unexpected token 'fi'
'idspadi.sh: line 103:' fi
Therefore, I was trying to find an alternative solution, which will be using Virtual Directory. Right now, I have installed Oracle Virtual Directory on my testing system and I have both Active Directory server and OID server part of LDAP Browser. My goal is to using Oracle Portal to log-in and first look for the user in OID if not found then look in Active Directory. Can this be accomplished using Oracle Virtual Directory?
Please let me know. -
Invoking 'active directory external authentication plug-in' from login.jsp
Hi
I am using the Oracle AS 10g on Unix. We have a web application in JAVA based on OC4J Framework.
Currently user use application url for accessing the login page, enters credentials and then the authentication is done through LDAP.
Now we have to remove the login page from application. i.e. once user is successfully logged in Windows on his pc, and tries to access our application through it's url, he must be automatically authenticated using the credentials entered in windows and display the welcome page of application. Same as any intranet application.
For this requirement, we have 'active directory external authentication plug-in' installed on server.
What we need to know is how this process will work and changes required in our jsp page to invoke this plug-in and authenticate user by accessing windows-credentials automatically.
kindly let me knowHi
I am currently using NTLM to fetch the windows username and then creating an anonymous connection with the LDAP Server.
Then i serach using the user name in ldap directory.
NTLM is no longer required , instead we have 'active directory external authentication plug-in' installed on LDAP.
as far as i know the plug-in will process the kerberos ticket generated by windows to automatically authenticate. -
Question on External Authentication Plug-in
I have 2 windows domains with no global catalog server. The documentation shows how to setup external authentication plug-in when you have just one domain. Can anyone provide a link on how to setup the plug-in when you have more than one domain? Thanks for your help.
Yes it is possible,
>i want to know if its possible or not in a very easy and efficiant way<
……well I think so, but one could argue about the „easy & efficient” part of it……..
Anyway here are a few possibilities:
https://help.apple.com/logicpro/mac/10/#lgcp215834c2
……don’t know of any trial possibilities………
Cheers! -
OID 10.1.4 and external authentication (AD)
Has anyone gotten this to work with MS Active Directory? We were able to sync the AD users with OID, but have not be able to authenticate them. As long as they have their passwords stored in OID, it works, but we do not want to maintain the password sync'ing between AD and OID. We want to do external authentication.
Anyone who has gotten this to work in 10.1.4 (using the java plugins), please respond with any secrets or methods you have used to get this to work.
Thank you.
ShirleyI got the java plugins working here. The configuration is not a big deal. I still not implemented SSL though, so I didnt had to issue certificates.
Configuration is easier than on version 10.1.2, as all the plugin parameters are available on oidadmin.
I have two problems that remain unfixed.
One is on AD. Since we have several domain controllers, when the user changes his password in Windows the change is done on whatever domain controller that the user connected to when logging on windows, and it sometimes takes a long time for this to be replicated to the domain controller that configured on the plugin. So the user cannot use SSO for a few hours. Sometimes he can logon with the old password, sometimes even with both passwords (the old and the new one). I want to make clear that this is a Microsoft AD problem, that reproduces even with simple tools like ldapbind.
The other is the plugin failover, it is still broken like it was on 10.1.2. Authentication attemps always try it the primary domain controller, and wait for a operating system timeout before trying the secondary. So if the PDC is down, it takes several minutes for the authentication process to complete, which is very annoying, as no user waits on a browser screen for several minutes, and usually keeps trying until all oidldapd backend processes hang. It is a little better than 10.1.2. That version was so dumb that it tried two connections before giving up and going to the secondary, even if you did not setup SSL.
For this last one the recommendation on metalink is to put a loadbalancer in front of the domain controllers and configure the plugin to connect to it.
Regards,
Luis -
We have installed newly EPM Product suite in Windows server.......After loggin into Essbase Administration Services, on connecting to the Essbase servers, i am getting the below error........"Error: 1051203: Single Sign On External Authentication is Disabled"....because of this i am also not able to configure the Data Source in Planning Application..
Error: 1051203: Single Sign On External Authentication is DisabledCheck the essbase.log, do you see the following when Essbase was first started up.
User Migration to Shared Services Completed Successfully and Refresh from Shared Services Starts
Refresh from Shared Services Completed Successfully
If not you may need to stop essbase, rename the essbase.sec and start up again, check the log for the above.
Cheers
John
http://john-goodwin.blogspot.com/ -
OID external authentication - having trouble excuting oidspadi.sh
Hi all,
I am setting up External Authentication for OID, and have trouble with it. My version is Oracle application server infrastructure 10.1.2 (OID 10.1.2) on windows.
hailie@Server1 /cygdrive/e/oracle/OraInfra/ldap/admin
$ export ORACLE_HOME="E:\oracle\OraInfra"
hailie@Server1 /cygdrive/e/oracle/OraInfra/ldap/admin
$ sh oidspadi.sh
oidspadi.sh: line 28: $'\r': command not found
oidspadi.sh: line 38: $'\r': command not found
oidspadi.sh: line 43: $'\r': command not found
oidspadi.sh: line 47: $'\r': command not found
oidspadi.sh: line 51: $'\r': command not found
oidspadi.sh: line 58: $'\r': command not found
oidspadi.sh: line 59: $'\r': command not found
oidspadi.sh: line 60: $'clear\r': command not found
OID Active Directory Plug-in Configuration
Please make sure Database and OID are up and running.
oidspadi.sh: line 67: $'\r': command not found
oidspadi.sh: line 70: $'\r': command not found
oidspadi.sh: line 103: syntax error near unexpected token `fi'
'idspadi.sh: line 103: ` fi
Edited by: Hailie on Jan 16, 2009 8:05 AM
Edited by: Hailie on Jan 16, 2009 8:45 AM
Edited by: Hailie on Jan 16, 2009 11:32 AMAfter I removed all the blank lines in oidspadi.sh:
hailie@Server1 /cygdrive/e/oracle/OraInfra/ldap/admin
$ sh oidspadi.sh
oidspadi.sh: line 53: $'clear\r': command not found
OID Active Directory Plug-in Configuration
Please make sure Database and OID are up and running.
oidspadi.sh: line 91: syntax error near unexpected token `fi'
'idspadi.sh: line 91: `fi
Thank you for your help.
Hailie
Edited by: Hailie on Jan 16, 2009 8:43 AM
Edited by: Hailie on Jan 16, 2009 8:46 AM
Edited by: Hailie on Jan 16, 2009 11:36 AM -
Oracle Security - External Authentication
The requirement is to enable the user to allow access to DB by making the user enter the user name and password only once while accessing the Cognos reports. (Cognos is a BI tool). So the user will enter the username and password at the time he accesses the Cognos application, after this there should not be any logons to access DB.
Cognos stores the user name and password in a LDAP store (in NDS residing on Windows 2000 Advanced Server). So, the question is, can Oracle leverage on the user information stored in the LDAP for Cognos? The external authentication provided by Oracle suggests that if the user info store can be in LDAP provided it is in OID.
Please let me know if this can be achieved and if so, where can I get details about the same.According to the 8.1.7 documentation:
"Enterprise user security provides single sign-on to Oracle8i using interoperable X.509 v3 certificates over Secure Sockets Layer (SSL) v3, and supports the following LDAP-compliant directory services:
Oracle Internet Directory Release 2.0.5 or later
Microsoft Active Directory "
So it sounds like they do not support Novell's LDAP implementation.
Here's a page on managing Enterprise Users http://technet.oracle.com/docs/products/oracle8i/doc_library/817_doc/network.817/a85430/asomeus.htm
Here's a page on managing OS Authentication -http://technet.oracle.com/doc/windows/server.815/a68694/output/ch10.htm
I just finished writing a chapter on OS Authentication in my Oracle security book. I would stay away from OS Authentication unless you have a small number of users. I have not yet researched Enterprise Users, but the concensus seems to be that they provide a much more robust solution. -
Creating Externally Authenticated users
Greetings,
We recently migrated our Security team from Windows XP to Windows 7. With this upgrade, they were forced to stop using the java Oracle 9i Enterprise Manager to manage security and database users. I was able to find the View->DBA tab in Oracle SQL Developer which allows for things like CREATE LIKE, CREATE, etc, but under the CREATE USER, I see nowhere where the tool allows for a user other than a normal database authenticated account. We have a few key databases where we must create externally authenticated users (EXTERNAL) and this just isn't an option. Is this functionality anywhere in the tool?
Thanks
BraddWe recently migrated our Security team from Windows XP to Windows 7. With this upgrade, they were forced to stop using the java Oracle 9i Enterprise Manager to manage security and database users. I was able to find the View->DBA tab in Oracle SQL Developer which allows for things like CREATE LIKE, CREATE, etc, but under the CREATE USER, I see nowhere where the tool allows for a user other than a normal database authenticated account. We have a few key databases where we must create externally authenticated users (EXTERNAL) and this just isn't an option. Is this functionality anywhere in the tool?
I don't understand what you are trying to do.
Post your full sql developer info and explain in detail what you mean; with an example if possible.
You can create users in the DB the way you do with any tool: write the appropriate DDL for CREATE USER. For OS authentication you add the OS_AUTHENT_PREFIX to the user name.
In sql developer create connections for those users using the connections dialog that you use for any other user. On that dialog there is a checkbox for OS authentication.
See this article by Sue Harper and see if the example for local OS authentication she provides answers your question:
http://www.oracle.com/technetwork/issue-archive/2008/08-may/o38sql-102034.html
To configure local OS authentication for a new user, first find the value of the OS_AUTHENT_PREFIX database initialization parameter in your system's init.ora file. When you create this new user in the database, you must add this parameter value as a prefix to the OS username. The default value is OPS$, for backward compatibility with earlier database releases. (If the value is "", the OS username and the database username are the same, so you don't need to add a prefix to create the Oracle usernames.)
Establish a basic connection with the HR schema as the SYSTEM user. Execute the following from the SQL worksheet, using your database's OS_AUTHENT_PREFIX prefix and substituting your own OS username for "sue":
CREATE USER ops$sue IDENTIFIED EXTERNALLY; GRANT Connect, resource to sue;
Now create a basic connection for this user from the New / Select Database Connection dialog box. Enter a connection name; select Basic for Connection Type ; fill in the Hostname and Port fields; select OS Authentication ; and provide a SID or Service name . Click Test and Connect as before. -
Externally Authenticated Users
Dear Sirs;
I have a windows 2003 server with Oracle Database R2 installed on it. I have been trying to create an externally authenticated user but unfortunately it is not working. Are there any special procedures that I must pay attention too? I followed all the instructions that are mentioned in the documentation in the library section.
Thank you in advance for your help.
MazenDear Sirs;
I could finally solve this problem. It turned out that the registry must contain the following entry: osauth_prefix_domain with the value of 0. This entry is located in windows registry > HKEY_LOCAL_MACHINE > SOFTWARE > ORACLE > KEY_OraDb10g_home1. This entry was supposed to be there by default but for some reason it wasn't.
Anyway thanks for everyone who considered helping.
Mazen -
Proxy login from externally authenticated user
Hi Experts,
I created an externally authenticated user in database. And can login without password with below syntax.
SQL> connect / @TESTDB
Connected.
SQL> show user;
USER is "SCOTT"
This scott user has a proxy permission to another DBuser PROXY_USER.
I got the syntax but that works only from Database OS.
sqlplus [proxy_user]/
SQL*Plus: Release 11.1.0.6.0 Production on Mon Nov 15 16:28:47 2010
Copyright (c) 1982, 2010, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Release 11.1.0.6.0 - 64bit Production
I can connect as externally authenticated user from windows CLIENT running on Release 10.2.0.1.0
SQL> connect / @TESTDB
Connected.
But the above mentioned Proxy connectivity syntax fails with below from CLIENT
SQL> connect [proxy_user]/ @TESTDB
SP2-0306: Invalid option.
Usage: CONN[ECT] [logon] [AS {SYSDBA|SYSOPER}]
where <logon> ::= <username>[<password>][@<connect_identifier>] | /
But the same syntax works from Database OS!
I can login from TOAD but can't login from SQLDEVELOPER or SQLPLUS
My sqldeveloper version is:
Version 2.1.1.64
Build MAIN-64.45
and sqlplus is:
SQL*Plus: Release 10.2.0.1.0
Any idea?
Thanks.
Edited by: Nadvi on Nov 18, 2010 3:09 PMHi Nadvi
If you get SQLPLUS working SQLDeveloper (thick jdbc/oci/instant client) is certainly worth trying.
I am not sure what is the issue with your setup the proxy usecases I am familiar with are:
Through the SQLDeveloper ui
There are two ways of doing proxy logins:
where p1 is proxy user and c1 is proxy client:
1/single session method (if no 2nd password or distinguished name required)
on main connection popup
user: p1[c1]
password: p1
2/Two session method
Main Connection popup
user: p1
password p1
popup connection authentication
proxy client: c1
none or password or distinguished name
-Turloch
SQLDeveloper Team -
External Authentication general-type questions
Greetings all,
I was recently shown how to get Oracle to allow Windows NT Authentication the way SQL 2005 etc. can. I was able to get it working. It's actually simple, you just have to have this line in your SQLNET.ORA file:
SQLNET.AUTHENTICATION_SERVICES = (NTS)
and make sure a couple initialization parameters are set (OS_AUTHENT_PREFIX to NULL and REMOTE_OS_AUTHENT to TRUE - the first can't be changed once the database is built!).
My first question is does Oracle support external authentications to operating systems other than NT, i.e. SUN, UNIX, LDAP etc? And is it a similar architecture?
Secondly, the only ways I've ever connected to Oracle are 1) through SQL*Plus, 2) Using OLE DB from Windows and 3) Using ODBC.
Is external authentication supported when logging in any way other than through OLE DB? If so, how?
Appreciating any general information!
Thanks
Joe1. The name of the product is SQL Server not SQL. SQL is a language.
2. Oracle supports all major forms of internal and external authentication. The ones you listed and many more. The docs are at http://tahiti.oracle.com
3. External authentication is support across the board. But you've got to be working with a database holding nothing more important than your mother's cookie recipes to think that operating system authentication in a Windows environment is secure: It is not.
Your first responsibility, unless you are just playing games at home or in school, is to secure the data and that means an environment more secure than the one you've chosen.
Maybe you are looking for
-
I had to create another user on my Mac, in order for Link to work. I've scanned my computer, did everything one does to remove all files associated with an application, but there must be one file still there that is causing havoc. Any know what that
-
I want to set up PASSBOOK since it was installed with os6 however when I open the app on my Iphone it show thw app store button , I tape it and I says cant connect to itunes eventhough i am connect by cable to itunes.....so I cant set up PASSBOOK any
-
A lot of times I create PDF files for my electronic designs and present them to my customers. A files under "Book" has been deleted from my computer, but still shows up as a book listed. When I use my iBook on my iPad, the book is not there which is
-
ORA-19802: cannot use DB_RECOVERY_FILE_DEST without DB_RECOVERY_FILE_DEST_S
Hi all, We are using Oracle 11g R2 RAC on OEL 5.6. After set the db_recovery_file_dest to FRA diskgroup, I forgot to set the DB_RECOVERY_FILE_DEST_SIZE, and I've started an instance, like this: SQL> ALTER SYSTEM SET db_recovery_file_dest='+FRA' SCOPE
-
Returning a number with precsion in pl/sql function
How can I return a number with desired precision in oracle function e.g Function return_number ( --- ) return number is v_number number(10,2) begin select no into v_number from table; return v_number; end; will this work