Kerberos Authentication for Oracle 9i ODBC

Hi,
I want to connect to Oracle 9i database through ODBC with Kerberos Authentication. Can any one able to provide some document/Sample Code/Web Resource ???
Thanks,
Zahir

Similar Messages

Configuring Kerberos authentication for SSRS in native mode - SSRS 2008 R2-2012

Hi,
I've a SSRS native mode installation on a server and a SSAS installation on another server.
In order to configure the Kerberos authentication for SSRS native mode, I need to register one SPN for the report server service, one SPN for SSAS service and to configure SSRS to use the negotiate authentication type, isn't it?
Thanks

Hi pscorca,
If we have applications that only use Kerberos authentication and we are using RSWindowsNegotiate AuthenticationType, we must create a Service Principal Name (SPN) for the Report Server service if we configure it to run as a domain user account.
Before setting up constrained delegation, we must register a
Service Principle Name (SPN) for the Analysis Services instance. We will need the Analysis Services SPN when configuring Kerberos constrained delegation for middle tier services.
There is a document about Enabling Kerberos Authentication for Reporting Services, you can refer to it.
http://blogs.technet.com/b/rob/archive/2011/11/23/enabling-kerberos-authentication-for-reporting-services.aspx
Hoe this helps.
Regards,
Alisa Tang
Alisa Tang
TechNet Community Support

Can we add Basic Authentication for Oracle Report 10g?

As we know, Apache supports basic Authentication, and Oracle Report 10g bases on Apache, that means Oracle Report 10g supports Basic Authentication too?
Can anyone tell me the steps on how to configure Basic Authentication for Oracle Report 10g?
Thanks for your help in Advance!
P.S.
I tried to add the following content to the file "httpd.conf" under the directory "E:\OraHome_2\Apache\Apache\conf\" (I installed report under this folder), but it doesn't work well:
<Directory "E:\OraHome_2\Apache\Apache\htdocs">
AuthType Basic
AuthName "Private Documentation Repository"
AuthUserFile "C:\Program Files\Apache Software Foundation\Apache2.2\mypasswd"
Require user yangsun
</Directory>

Answers at your duplicated thread --> Some inter view Questions Please give prefect answer help me

Regarding Kerberos authentication for webservices.

Hi,
I need to use kerberos authentication for my receiver webservice. I am working in PI7.1 . Which adapter I can use for this ( WS-RM adapter or SOAP adapter) and How to configure it for kerberos. I mean, which value of authentication parameter refers to kerberos authentication.
Regards,
Reyaz hussain

Hi Reyaz,
To tell you frankly i never come across this kerberos protocol but since you would like to use there is certainly a chance after the launch of PI 7.1. The launch has Opened the Door to the World of Web Services Reliable Messaging. "The Integration Directory enables you to easily configure scenarios where the Integration Server acts as a message hub between WS-RM-enabled applications and any other application or technical system. Thus, you can configure scenarios where either a Web Service client calls the Integration Server and the message is then routed to any other application, or the other way around where any application calls a Web Service provider via the Integration Server. In the Integration Directory you can do the complete configuration of the Integration Server inbound or outbound processing."
https://www.sdn.sap.com/irj/scn/wiki?path=/display/profile/2007/07/25/new+news&focusedcommentid=44360
Regards
joel

Enable Kerberos Authentication for OWA only

Hi guys,
Having a customer that asked me if we can enable Kerberos Authentication for OWA only?
When reading various blogposts (official and unofficial sources) it seems that this is done for the whole CASArray which means every vdir right? Is this so and shall we instead aim for using kerberos for both MAPI/Outlook Anywhere and OWA?
Found this for MAPI clients: http://blogs.technet.com/b/exchange/archive/2011/04/15/recommendation-enabling-kerberos-authentication-for-mapi-clients.aspx
This seems to be more complicated?

Hi Fredrik,
Base on my search , I found an article which may give you some hints:
OWA publishing using Kerberos Constrained Delegation method for authentication delegation
This article is to show case how you would configure kerberos constrained delegation method for authentication delegation .We would use the OWA publishing post as reference.
Best regards,
Niko Cheng
TechNet Community Support

Kerberos Authentication for EP 7.0 Portal

We are implementing Kerberos Authentication on our EP7 Portal. In our landscape we have
2 main domains (US & INTL). In each of the domain we have several domain controllers (more than 10 each). We had the following queries:
1) We have a mix of domain controllers running on win 2000 and win 2003. Will this cause any issue with the SPNego configuration?
2) Since we have more than 10 DCs in each domain do we need to add all the DCs as KDCs in the step 2 of SPNego wizard?
System Details
1) Portal Version à EP7 SP13
2) Operating System à SunOS (sparcv9) 5.9
3) LDAP à MS ADS
4) DB à Oracle 10.2.0.2.0 - 64bit
Thanks.

Hi Lisandro,
For Q1: I don't think there should be a problem with the mixture of DCs types.
For Q2: You only need to configure one DC in the wizard (a W2003 server may be the best choice). This is just the DC that the wizard talks to during configuration.
Hope this helps,
Darren

Kerberos authentication for Excel Services

Hi,
I am configuring Keberos for Excel Service Application and facing some issue. Things i have done so far:
Configured web application to use Kerberos: Verified it from server authentication logs, klist and net mon that web application is using kerberos.
Excel service Account: domain\ExcelSVA
SQL server service account: domain\SQLSERV
C2WTS account : domain\C2wts
set spn on in using setspn - s sp/excelservices domain\ExcelSVA and delegated constarined authentication to domain\SQLSERV
then setspn - s sp/c2wts domain\C2wts and delegated constrained authentication to domain\SQLSERV.
C2WS account has impersonate identity ,logon as service and act as part of OS rights in app servers where excel and c2wt are running
Now when i try to refresh data i get error :The data connection uses Windows Authentication and user credentials could not be delegated.
The following connections failed to refresh: SQLServername port, databasename
http://technet.microsoft.com/en-us/library/ff487975.aspx
First 3 errors don't apply to me since i cant see these errors in SP log files and my sharepoint and database servers are in same domain.
For UPN, there is a email id assoisated with account that i am using and i have been using that email id to logon to other services in my company so UPN should be done too.
The Excel Services service account must have Active Directory permissions to query the object. Now this got me confusing. Where do i actually
give this? In sql server or AD? Which object does it need to query? The excel database in sql server. If it is so, then the permission needs to be granted on sql .
Also this link http://social.msdn.microsoft.com/Forums/en-US/99a3cf4f-dabc-4ac9-9ea8-afa677199ffa/kerberos-and-excel-services?forum=sharepointgeneralprevious
Microsoft solution described here is weired. I don't think sql server has c2wts or excel service application started on it. And from drop down list that is i don't know what is the solution talking of.
Does any one have any idea if i am missing any delegation or any step?
sachin

Any idea??
sachin

Windows authentication for Oracle Databases

Steps Followed For OS Authentication.
OS : Windows 2000 Server with latest Service Pack 4
Database: Oracle 9i.
Objective: We are having a server in which Oracle 9i database is residing.We want to create
a user that will be autheticated by Windows 2000 OS and not by Database.
The server itself is used both as a server and a client.
1. The init<sid>.ora file was modified and the parameter OS_AUTHENT_PREFIX="" was added.
2. The Oracle Instance was started using Init<sid>.ora file and not SP file.
3. An operating system account was created say Test.
4. Two groups OSDBA,OSOPER were created and Test user was made member of Administrator,Osdba,Osoper.
5. Connected to the SQL PLUS as SYS then issued the commands
Create user Test identified externally;
Grant connect,resource,create session to Test;
6.Logged off from the machine and logged into the same machine with user Test and with its
corresponding password.
7.From command prompt we tried sqlplus CONNECT / .
Ideally it should connect as the user Test but it is not connecting.
NB All the above operation was carried out in the same machine on which the database is
residing.

%ORACLE_HOME%\DATABASE\SPFILE%
Given this command also..SQL>create pfile from spfile;
>>
you can see the initSID.ora in the directory where
your spfile iswhere to see that?see in %ORACLE_HOME/database/initsid.ora
edit the initSID.ora add the line
What to edit?its a text file ,open in notepad add the line
OS_RULES=TRUE
then save the file
start the system by
startup pfile='c'it can be any path or any specific path.no it is the one from
startup pfile='c:%ORACLE_HOME\database\initsid.ora
Hope this will help
You need a pfile to chnage the server settings
Or else
issue
SQL>alter system set Os_rules=true scope=spfile;
THen restart the database as suugested by Dbaron

Unable to see ODBC driver for Oracle on ODBC Administrator

Hi,
I have installed oracle client 11g (64 bit) on window server 2008 (64 bit). I am trying to create 32 bit ODBC DSN for 32 bit application.
So from syswow64 folder, i am running odbcad32.exe but i am not able to see Oracle for OracleClient in driver list.
Can you please help me?

You need to install 32 bit client software to get the 32 bit driver. Make sure to install it into a different home, and copy over your tnsnames.ora. Unlike multiple homes of the same bits, a single 32 bit home and a 64 bit home play fairly well together.
Hope it helps,
Greg

Kerberos Authentication between Sharepoint 2013 Foundation - SSRS 2012 - Oracle 11g failing with ORA-12638: Credential retrieval failed

I have set up SharePoint 2013 Foundation, SharePoint Reporting Services and SQL Server 2012 in a single server. I then created a Data Connection to Oracle 11g. Upon testing the connection, it throws the error “ORA-12638: Credential retrieval failed”.
Given below are the steps of installation and configuration.
Installation till basic authentication:
The installation has been done in a
single server.
Installed SQL Server 2012 (Developer version).
Selected only the following features:
Database Engine Services
Analysis Services
Reporting Services – SharePoint
Reporting Services Add-in for SharePoint Products
Management Tools – Basic
- Management Tools - Complete
2. Installed SQL Server 2012 SP1.
3. Installed SQL Server 2012 SP2.
  4. Installed SharePoint Foundation 2013.
5. Created web application (without Kerberos; we did not even create the SPNs).
      The application pool has been configured to use Reporting Services account since it is a single server installation. This account has been registered as a managed
account.
6. Created Site Collection.
7. Verified that Reporting Services is not installed.
8. Installed SharePoint Reporting Services from SharePoint 2013 Management Shell.
9. Verified that Reporting Services is installed.
10. Created a new SQL Server Reporting Services Service Application and associated the Web Application to the new SQL server Reporting Services Service Application.
11. Verified that SQL Server Reporting Services Service Application and its proxy have started. Reset IIS.
12. Created a Site.
  13. Created a Data Connection library with “Report Data Source” content type.
14. Created a Report Model library with “Report Builder Model” content type.
15. Created a Report library with “Report Builder Report” content type.
16. Uploaded an SMDL to the Report Model library.
  17. Added the top level site to Local Intranet instead of as a Trusted Site in the browser settings.
  18. Able to create and save a report using Report Builder.
Hence, basic authentication is working and SSRS is able to connect to Oracle database.
Next we have to configure Kerberos settings between SharePoint and SQL Server.
Implementation of Kerberos authentication
In the Report Server machine, opened the file C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\WebServices\Reporting\rsreportserver.config and added the Authentication Types of RSWindowsNegotiate
and RSWindowsKerberos.
2. Set up the following SPNs.
               a) SQL Server Database Engine service (sqlDbSrv2):
                setspn -S MSSQLSvc/CER1110:1433 CERDEMO\sqlDbSrv2
                setspn -S MSSQLSvc/CER1110.cer.demo.com:1433 CERDEMO\sqlDbSrv2
             In the Delegation tab of the account, selected "Trust this user for delegation to any service (Kerberos only)".
b) Account: SharePoint Setup Admin account (spAdmin2)
     setspn -S HTTP/CER1110:9999 CERDEMO\spAdmin2
                setspn -S HTTP/CER1110.cer.demo.com:9999 CERDEMO\spAdmin2
                In the Delegation tab of the account, selected "Trust this user for delegation to any  service
(Kerberos only)".
c) Account: SQL Server Reporting Service account (sqlRepSrv2)
                   setspn -S HTTP/CER1110 CERDEMO\sqlRepSrv2
                   setspn -S HTTP/CER1110.cer.demo.com CERDEMO\sqlRepSrv2
                   In the Delegation tab of the account, selected "Trust this user for delegation to any service
(Kerberos only)".
3. Configure the Web Application to use “Negotiate (Kerberos)”.
4. Logged in as SharePoint Administrator to the SharePoint server and opened the top level site in the IE browser.
     The Event Viewer logged the login process for the SharePoint Administration account as
Negotiate and not Kerberos.
5. Implemented Kerberos for Oracle database and client.
     Able to connect to the Oracle database via Kerberos authentication using SQL Plus.
6. Turn on Windows Firewall.
7. While testing the site's data connection using Kerberos settings, got the error
“Can not convert claims identity to windows token. This may be due to user not logging in using windows credentials.”
      Note: The Data Connection for basic authentication still worked.
8. Created a Claims to Windows Token Service account (spC2WTS2).
9. Started the Claims to Windows Token Service.
10. Registered the Claims to Windows Token Service account as a Managed Account.
11. Changed the Claims To Windows Token Service to use the above managed account.
12. Verified that the Claims to Windows Token Service account (spC2WTS2) is automatically added to the WSS_WPG local group on the SharePoint box.
      Note: The Reporting Services service account is also a part of the WSS_WPG local group.
13. Added the Claims to Windows Token Service account (spC2WTS2) to the Local Admin Group on the machine having the SharePoint App Server.
14. In the SharePoint box, added the Claims to Windows Token Service account (spC2WTS2) in the Act as part of the operating system policy right.
15. The Claims to Windows Token Service account (spC2WTS2) has the WSS_WPG group configured.
      When the C2WTS service was configured to use the managed account Claims to Windows Token Service account (spC2WTS2) earlier, the spC2WTS2 account was automatically
added to the WSS_WPG local group on the SharePoint box. The WSS_WPG group in turn is configured in c2wtshost.exe.config file.
16. Verified that the Reporting Services account is a managed account and part of the WSS_WPG group.
17. Earlier Service Application Pool - SQL Server Reporting Services App Pool service was associated with the SharePoint Admin account.
      Changed this to associate the Reporting Service account with the Service Application Pool - SQL Server Reporting Services App Pool service.
18. Changed the delegation of the Reporting Service account to constrained delegation with Protocol Transitioning. This is because we are transitioning from one authentication scheme (Claims) to another (Windows Token).
      For this, the delegation has been changed to "Trust this user for delegation to specified services only". Also, selected the sub radio button "Use
any authentication protocol". Selected the Oracle Kerberos service as the service to which this account can present delegated credentials.
      Note: The Reporting Service account already had an HTTP SPN.
19. Next, the goal was to make the Claims To Windows Token Service account match the Reporting Service account.
       For this, we created a fake SPN for the Claims To Windows Token Service account since the delegation tab was missing.
       The delegation has been changed to "Trust this user for delegation to specified services only". Also, selected the sub radio button "Use any
authentication protocol". Selected the Oracle Kerberos service as the service to which this account can present delegated credentials.
20. Restarted the SharePoint server.
21. Tested the data connection with the Kerberos settings again.
       Got the error
“ORA-12638: Credential retrieval failed”.
Can anyone tell me what is wrong with this setup?

http://www.freeoraclehelp.com/2011/10/kerberos-authentication-for-oracle.html
Problem4: ORA-12638: Credential retrieval failed
Solution: Make sure that SQLNET.KERBEROS5_CC_NAME is set in sqlnet.ora and okinit has been run before attempting to connect to the database.
Do check
http://webcache.googleusercontent.com/search?q=cache:5a2Pf3FH7vkJ:externaltable.blogspot.com/2012/06/kerberos-authentication-and-proxy-users.html+&cd=5&hl=en&ct=clnk&gl=in
If this helped you resolve your issue, please mark it Answered. You can reach me through http://itfreesupport.com/

Kerberos Authentication Failure for POP3 After Upgrading to 10.6.5

So I just upgraded from 10.6.4 to 10.6.5 and now Kerberos authentication for POP3 from Mail fails. Kerberos authentication for SMTP outgoing mail is just fine, it's only POP3 incoming mail that fails to authenticate. POP3 Kerberos authentication still works fine for the same account from another machine running 10.5.8. The mailaccess.log file contains the following:
Nov 23 15:36:59 server master[423]: about to exec /usr/bin/cyrus/bin/pop3d
Nov 23 15:36:59 server pop3[423]: executed
Nov 23 15:37:00 server pop3[423]: accepted connection
Nov 23 15:37:00 server pop3[423]: Major Error (1): A token was invalid (gssaccept_seccontext)
Nov 23 15:37:01 server pop3[423]: Minor Error (1): Token header is malformed or corrupt (gssaccept_seccontext)
Nov 23 15:37:01 server pop3[423]: Major Error (1): A token was invalid (gssaccept_seccontext)
Nov 23 15:37:01 server pop3[423]: Minor Error (1): Token header is malformed or corrupt (gssaccept_seccontext)
Nov 23 15:37:04 server pop3[423]: badlogin: FQDN [192.168.0.4] GSSAPI
Nov 23 15:37:04 server master[52]: process 423 exited, status 0
The server is running Mac OS X Server 10.4.11 and cannot be upgraded any further than as it is ancient hardware.
Any thoughts?
Cheers,
Derek

Makes perfect sense to me that ending one session by logging out enables him to begin a new session by logging back in. I give the young man credit for figuring out how to get around this deficiency in Parental Controls, as, deep down, I'm sure you do, too.
If you can't trust him to stick to his agreed upon half an hour a day, you can always (threaten to) lock him out of the computer for 23.5 hrs/day using the Bedtime settings. ; )

Using Kerberos authentication on Forms and Reports version 11.1.2

Hi
I have configured Kerberos authentication for Forms on the server and it works fine, but I cannot get it to work for Reports.
When I access the database for Forms I use a connect string that looks like this: /@tns_name The Forms server is running using a domain user and the database user is externally identified. It just works.
I have tried the same for Reports but it is not accepted. In the URL I have written userid=/@tns_name and the Reports server then asks for user id and password with a pre filled tns_name. I have tried to put the userid parameter in cgicmd.dat but the result is the same. Even enabled SSO in rwservlet.properties using singlesignon>yes</singlesignon> but it just do not work.
I have bounced the server every time I have made a change to be absolutely that the changes had taken effect.
The question is: How do I tell the Reports server that I do not want to apply user id and password but just the tns_name, like /@tns_name
I know Kerberos authentication is not an area that is well known and I have spent hours over the years to find out how to make the configuration work.

Questions regarding version compabilities come up quite often, yet the answer is still the same: have a look at the certification matrix http://www.oracle.com/technetwork/developer-tools/forms/oracle-forms-11gr2certmatrix-519680.xls
for installation instructions on your chosen platform have a look at the installation manual: http://docs.oracle.com/cd/E24269_01/doc.11120/e23960/toc.htm
What do you plan to do with SOA suite? This isn't needed for forms&reports.
cheers

Issue in confuguration of Kerberos authentication

Hi all
We are trying to configure Kerberos authentication for single sign-on on a SAP WAS 6.40 Java System. We configured the Kerberos using SPNEGO wizard. After configuring when we tried to login to UME, but it prompted for Username and Password which confirms that single sign on is not working.
In default trace file we got the following info
i. Key for the principal [email protected] not available in default key     tab
ii. [Krb5LoginModule] authentication failed
     Unable to obtain password from user
iii. Login module com.sun.security.auth.module.Krb5LoginModule from authentication stack com.sun.security.jgss.accept does not authenticate the caller.
iv. LOGIN.FAILED
    Unable to obtain password from user
1. Why password cannot be obtained from user?
2. Is there a default keytab other than the one created by the spnego wizard?
3. If there is one, then can we add the key for [email protected] in         that file and how?
4. How can this be resolved?
Regards
Deepu

Your log files are recording an authentication error, so that usually means your login information is incorrect, or just corrupted. Try reseting your Kerberos password, and if that doesn't work, double-check your Kerberos connectivity and configuration settings.

Real time collaboration issue after Kerberos authentication setup

Hi,
We are using SPNego (kerberos) authentication for our portal (EP 7.0 SP10). When user clicks on log off link, he comes back to the portal home page again so there is no way for the user to log off from the portal. I don't see this as a problem for the users who are not having access to collaboration. But for the users having access to collaboration, when they login to the portal second time (before expiry of the first login session which they couldn't close as log off is not working), they get warning stating
"You are logged to the same portal already. Real-time collaboration capabilities will not be available in the current portal session until you terminate the other session and then restart this one by refreshing the browser or logging on again."
How to resolve this?
Helpful answers will be rewarded
Regards,
Chandra

Most people set the logoff link to a URL which contains soem javascript which closes the browser.
Paul

Kerberos authentication

Hi,
I have set up kerberos authentication for my application, but I allways get 401 - Unauthorized.
I've done all steps from http://e-docs.bea.com/wls/docs92/secmanage/sso.html - Single Sign-On with Microsoft Clients: Main Steps.
C:\jaas.conf:
com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required
principal="host/[email protected]" useKeyTab=true refreshKrb5Config=true
keyTab="c:\\pc179.keytab" storeKey=true debug=true;
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule required
principal="host/[email protected]" useKeyTab=true refreshKrb5Config=true
keyTab="c:\\pc179.keytab" storeKey=true debug=true;
C:\krb5.conf:
\[libdefaults\]
default_realm = CCA.CZ
dns_lookup_kdc = true
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
\[realms\]
CCA.CZ = {
kdc = BOBES.CCA.CZ
\[domain_realm\]
.cca.cz = CCA.CZ
\[appdefaults\]
autologin = true
forward = true
forwardable = true
encrypt = true
I also have created security realm CCA.CZ as a copy of myrealm with WebLogic Negotiate Identity Assertion provider added.
Server is starting with parameters -Djava.security.krb5.conf=c:/krb5.conf -Djava.security.auth.login.config=c:/jaas.conf -Djavax.security.auth.useSubjectCredsOnly=false -Dweblogic.security.enableNegotiate=true -Dsun.security.krb5.debug=true -Djava.security.krb5.realm=CCA.CZ -Djava.security.krb5.kdc=BOBES.CCA.CZ
When I request any secured page, the server returns 401 with WWW-Authenticate: Negotiate header. So browser sends another request with Authorization: Negotiate and ticket. Server then returns 401 without authentication header (instead of requested page - which I expect).
Can you please tell me what am I doing wrong?
(WebLogic v10.3)
Edited by: user11038158 on 15.4.2009 0:50

Hi:
Did you manage to overcome this problem? I'm having the same problem and any help would be highly appreciated.
Cheers,
Albert

Kerberos Authentication for Oracle 9i ODBC

Similar Messages

Maybe you are looking for