Password aging for externally authenticated user

Hello All:
How can we implement password aging for an externally authenticated user?
Thanks
San~

If the user is externally authenticated, then the password expiry should be external, e.g. for the Unix account.
"When you choose external authentication for a user, the user account is maintained by Oracle, but password administration and user authentication is performed by an external service. This external service can be the operating system or a network service, such as Oracle Net.
With external authentication, your database relies on the underlying operating system or network authentication service to restrict access to database accounts. A database password is not used for this type of login. If your operating system or network service permits, you can have it authenticate users. If you do so, set the initialization parameter OS_AUTHENT_PREFIX, and use this prefix in Oracle user names. The OS_AUTHENT_PREFIX parameter defines a prefix that Oracle adds to the beginning of every user's operating system account name. Oracle compares the prefixed user name with the Oracle user names in the database when a user attempts to connect."
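
The database side of the answer above can be checked with a short audit. The queries below are an added example, not part of the original posts; they assume Oracle 11g or later (where DBA_USERS has the AUTHENTICATION_TYPE column) and a session that can read V$PARAMETER and the DBA_ views.

```sql
-- Added example: audit external (OS) authentication from the database side.

-- 1. The prefix Oracle puts in front of the OS account name, plus
--    REMOTE_OS_AUTHENT, which should be FALSE so that only the database
--    host's own operating system is trusted to vouch for a user.
SELECT name, value
FROM   v$parameter
WHERE  name IN ('os_authent_prefix', 'remote_os_authent');

-- 2. Accounts created with IDENTIFIED EXTERNALLY, together with the
--    PASSWORD_LIFE_TIME of their profile. A limit of 'DEFAULT' means
--    "inherit from the DEFAULT profile", so it is resolved here.
--    No database password is used for these logins, so this limit does
--    not age anything for them: aging has to be enforced on the OS or
--    network account that the prefix maps to.
SELECT u.username,
       u.account_status,
       u.expiry_date,
       u.profile,
       CASE
         WHEN p.limit = 'DEFAULT' THEN d.limit
         ELSE p.limit
       END AS profile_password_life_time
FROM   dba_users u
       JOIN dba_profiles p
         ON  p.profile       = u.profile
         AND p.resource_name = 'PASSWORD_LIFE_TIME'
       JOIN dba_profiles d
         ON  d.profile       = 'DEFAULT'
         AND d.resource_name = 'PASSWORD_LIFE_TIME'
WHERE  u.authentication_type = 'EXTERNAL'
ORDER  BY u.username;
```

On a Linux host, `chage -l <os_user>` shows the aging settings of the OS account behind each listed user (`<os_user>` is a placeholder for the name without the prefix).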

Similar Messages

  • Externally Authenticated User

    Hi, My application is a Pro C / Oracle 8i based application. I was using hardcoded user ids and passwords which we removed thru externally authenticated user. Now my application is stable in production but users are complaining of very slow performance of Oracle database.
    Is this due to externally authenticated user id ? Does it impact the system performance ?
    Edited by: user594301 on Jan 21, 2009 3:01 AM

    Were you using lightweight sessions or connection pooling before and now initiating a new connection for each user?

  • Creating Externally Authenticated users

    Greetings,
    We recently migrated our Security team from Windows XP to Windows 7. With this upgrade, they were forced to stop using the java Oracle 9i Enterprise Manager to manage security and database users. I was able to find the View->DBA tab in Oracle SQL Developer which allows for things like CREATE LIKE, CREATE, etc, but under the CREATE USER, I see nowhere where the tool allows for a user other than a normal database authenticated account. We have a few key databases where we must create externally authenticated users (EXTERNAL) and this just isn't an option. Is this functionality anywhere in the tool?
    Thanks
    Bradd

    I don't understand what you are trying to do.
    Post your full sql developer info and explain in detail what you mean; with an example if possible.
    You can create users in the DB the way you do with any tool: write the appropriate DDL for CREATE USER. For OS authentication you add the OS_AUTHENT_PREFIX to the user name.
    In sql developer create connections for those users using the connections dialog that you use for any other user. On that dialog there is a checkbox for OS authentication.
    See this article by Sue Harper and see if the example for local OS authentication she provides answers your question:
    http://www.oracle.com/technetwork/issue-archive/2008/08-may/o38sql-102034.html
    To configure local OS authentication for a new user, first find the value of the OS_AUTHENT_PREFIX database initialization parameter in your system's init.ora file. When you create this new user in the database, you must add this parameter value as a prefix to the OS username. The default value is OPS$, for backward compatibility with earlier database releases. (If the value is "", the OS username and the database username are the same, so you don't need to add a prefix to create the Oracle usernames.)
    Establish a basic connection with the HR schema as the SYSTEM user. Execute the following from the SQL worksheet, using your database's OS_AUTHENT_PREFIX prefix and substituting your own OS username for "sue":
    CREATE USER ops$sue IDENTIFIED EXTERNALLY;
    GRANT CONNECT, RESOURCE TO ops$sue;
    Now create a basic connection for this user from the New / Select Database Connection dialog box. Enter a connection name; select Basic for Connection Type; fill in the Hostname and Port fields; select OS Authentication; and provide a SID or Service name. Click Test and Connect as before.

  • Externally Authenticated Users

    Dear Sirs;
    I have a Windows 2003 server with Oracle Database R2 installed on it. I have been trying to create an externally authenticated user but unfortunately it is not working. Are there any special procedures that I must pay attention to? I followed all the instructions that are mentioned in the documentation in the library section.
    Thank you in advance for your help.
    Mazen

    Dear Sirs;
    I could finally solve this problem. It turned out that the registry must contain the following entry: osauth_prefix_domain with the value of 0. This entry is located in windows registry > HKEY_LOCAL_MACHINE > SOFTWARE > ORACLE > KEY_OraDb10g_home1. This entry was supposed to be there by default but for some reason it wasn't.
    Anyway thanks for everyone who considered helping.
    Mazen

  • Proxy login from externally authenticated user

    Hi Experts,
    I created an externally authenticated user in database. And can login without password with below syntax.
    SQL> connect / @TESTDB
    Connected.
    SQL> show user;
    USER is "SCOTT"
    This scott user has a proxy permission to another DBuser PROXY_USER.
    I got the syntax but that works only from Database OS.
    sqlplus [proxy_user]/
    SQL*Plus: Release 11.1.0.6.0 Production on Mon Nov 15 16:28:47 2010
    Copyright (c) 1982, 2010, Oracle. All rights reserved.
    Connected to:
    Oracle Database 11g Release 11.1.0.6.0 - 64bit Production
    I can connect as externally authenticated user from windows CLIENT running on Release 10.2.0.1.0
    SQL> connect / @TESTDB
    Connected.
    But the above mentioned Proxy connectivity syntax fails with below from CLIENT
    SQL> connect [proxy_user]/ @TESTDB
    SP2-0306: Invalid option.
    Usage: CONN[ECT] [logon] [AS {SYSDBA|SYSOPER}]
    where <logon> ::= <username>[<password>][@<connect_identifier>] | /
    But the same syntax works from Database OS!
    I can login from TOAD but can't login from SQLDEVELOPER or SQLPLUS
    My sqldeveloper version is:
    Version 2.1.1.64
    Build MAIN-64.45
    and sqlplus is:
    SQL*Plus: Release 10.2.0.1.0
    Any idea?
    Thanks.
    Edited by: Nadvi on Nov 18, 2010 3:09 PM

    Hi Nadvi
    If you get SQLPLUS working SQLDeveloper (thick jdbc/oci/instant client) is certainly worth trying.
    I am not sure what the issue is with your setup. The proxy use cases I am familiar with are:
    Through the SQLDeveloper ui
    There are two ways of doing proxy logins:
    where p1 is proxy user and c1 is proxy client:
    1/single session method (if no 2nd password or distinguished name required)
    on main connection popup
    user: p1[c1]
    password: p1
    2/Two session method
    Main Connection popup
    user: p1
    password p1
    popup connection authentication
    proxy client: c1
    none or password or distinguished name
    -Turloch
    SQLDeveloper Team
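
    The server side of the setup discussed in this thread, as an added example that is not part of the original posts. The names SCOTT and PROXY_USER come from the question; the queries assume Oracle 11g or later and a session that can read PROXY_USERS and DBA_USERS.

    ```sql
    -- Added example. The grant the question describes (SCOTT may open
    -- sessions as PROXY_USER) is created with:
    ALTER USER proxy_user GRANT CONNECT THROUGH scott;

    -- Audit: every schema that can be reached through an externally
    -- authenticated account. For these rows the OS account's password
    -- policy is what protects the target schema (CLIENT) as well.
    SELECT px.proxy,
           px.client,
           px.authentication,
           px.flags
    FROM   proxy_users px
           JOIN dba_users u
             ON u.username = px.proxy
    WHERE  u.authentication_type = 'EXTERNAL'
    ORDER  BY px.proxy, px.client;

    -- Inside a proxied session: who authenticated, and which schema
    -- the session is running as.
    SELECT SYS_CONTEXT('USERENV', 'PROXY_USER')   AS proxied_through,
           SYS_CONTEXT('USERENV', 'SESSION_USER') AS connected_as
    FROM   dual;
    ```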

  • Reporting Services through ISA server for All Authenticated Users

    Hello colleagues.
    I have an MS SQL 2012 server with Reporting Services, and it works via the link:
    https://reports2.domain.com/reports
    In the LAN everything works fine, but I want to publish this resource via ISA for All Authenticated Users.
    When I configure "All users" in the publishing rule (in Condition), everything works fine, but when I configure "All Authenticated Users", I have trouble with the web form on
    https://reports2.domain.com/reports/Pages/Report.aspx?ItemPat...  - scripts do not work, because they run as "anonymous" (I see this in the ISA logging) and ISA blocks the scripts.
    I can't use "All Users", because it's not secure.
    Has anybody published Reporting Services through ISA server for All Authenticated Users?
    Or, how can Negotiate authentication be configured for scripts on Reporting Services?

    Hi Alexander,
    All users or applications who request access to report server content or operations must be authenticated using the authentication type configured on the report server before access is allowed. The AuthenticationType named RSWindowsNegotiate is supported by Reporting Services. To configure Windows Authentication on the Report Server, please see:
    http://msdn.microsoft.com/en-us/library/cc281253(v=sql.110).aspx
    Besides, we can publish report server via ISA server. Please note that you should use a new web port number with a new listener which shouldn’t be used by other web site for report server. Reference:
    http://social.technet.microsoft.com/Forums/forefront/en-US/1cc68996-1ce6-4d88-a30d-2bfd13fba06e/how-to-publish-ssrs-2008-through-isa-2006?forum=Forefrontedgegeneral
    Hope this helps.
    Thanks,
    Katherine Xiong
    TechNet Community Support

    Katherine, thanks for the answer.
    The Report Server service is started as a domain account.
    I have this in RSReportServer.config:
    <Authentication>
        <AuthenticationTypes>
            <RSWindowsNegotiate />
        </AuthenticationTypes>
        <RSWindowsExtendedProtectionLevel>Allow</RSWindowsExtendedProtectionLevel>
        <RSWindowsExtendedProtectionScenario>Proxy</RSWindowsExtendedProtectionScenario>
        <EnableAuthPersistence>true</EnableAuthPersistence>
    </Authentication>
    In web.config I have this:
    <authentication mode="Windows" />
    <identity impersonate="true" />
    I can go (from the Internet through ISA) to
    https://reports2.domain.com/reports and logon authentication works, but scripts do not work, because they run as "anonymous" (I see this in the ISA logging) and ISA blocks the scripts.
    Do you know where in Reporting Services to configure scripts to run with Negotiate authentication?

  • Hyperion Hub Required for External Authentication?

    Need to use external authentication for three products, Essbase 7.1.2, Analyzer and Reports. Do you have to use Hyperion Hub?

    Also, can you use mixed mode, some users using Essbase Native and some using Active Directory or a combination of Active Directory and NTLM?

  • Granting exp/imp privilege to externally authenticated user

    DB version:11.2.0.2
    OS : AIX 6.1
    We have a DB User(schema) called OPS$appuser who is externally authenticated.
    This user should be granted privilege to perform import of scott schema's dumpfile to another schema called appschema2.
    This is what appuser will be doing at the unix command line
    $ su - appuser
    $ exp / owner=scott file=scott.dmp
    $ imp / file=scott.dmp fromuser=scott touser=appschema2
    In short, these are the DB schemas involved:
    OPS$appuser -- The user performing the exp and imp
    scott       -- The schema which is being exported
    appschema2  -- The schema which OPS$appuser imports the contents in scott.dmp to.
    Due to security reasons, we can't grant IMP_FULL_DATABASE privilege to OPS$appuser. So, what privilege can I give to OPS$appuser to perform the above exp and imp tasks?
    Hope the exp and imp syntax I've mentioned above are correct

    None, as imp_full_database is required for this.
    Also you would better use expdp and impdp using the network_link parameter.
    Doing so, you could write a pl/sql procedure using the dbms_data_pump API to replace the command line cr*p and there will be no commandline access required anymore.
    Sybrand Bakker
    Senior Oracle DBA

  • EsbCreateUser API for external authentication?

    I was trying to create users using the VB API, but there is no API to create users with external authentication. How do we get around this?

    I am sorry. I must be sleeping while looking for the API. I found it

  • Password requirements for a single user

    does anyone know of a way to change the password expiry requirements for an individual user?

    See:
    Page 291 "Managing Password Policies" of
    Oracle® Internet Directory
    Administrator’s Guide,
    10g Release 2 (10.1.2)
    Part No. B14082-01
    December 2004

  • "pdf. protected by a password" error for a few users only

    Hi
    Lately I have had complaints that some of the users of my website are getting "pdf. protected by a password" errors when trying to open PDF files from our website. The files are created using abcpdf (abcpdf3.dll). For 99% of our userbase there seems to be no problem but for some we are now encountering this error. There is no password required to open the file (although there is an encryption owner password set), and the only other settings we have are that the ability to change, copy and edit are all set to false.
    There doesn't seem to be a common denominator in regards to environments that the users encountering the problem are using.
    Mac or PC users,  Windows XP/7 etc, IE, Firefox, Chrome etc.
    Just for clarification, the users are only trying to open the pdf, not edit it.
    Has anyone else encountered this issue?
    Thanks
    Steve

    It appears that this may be an issue with Firefox 25 (it seems I was misinformed about the other browsers).
    Info I got from a user:
    The error only happens in Firefox Ver 25. I tried ver 24 and it worked OK, and it also works on Internet Explorer or saving the link and opening the document with Adobe Reader.
    System info Windows 8.1
    Firefox Ver 25
    If this is the case is this the forum that I should be looking for answers on or should I go to Firefox for answers?
    Thanks

  • View procedures, functions for OS authenticated user

    Hello,
    Using JDeveloper 9.0.3.3 on HPUX 11i.
    User 'oroot' is a OS authenticated user. Using the JDBC url in the connection wizard I was able to login to the database with a /. The URL is shown below: "jdbc:oracle:oci8:/@".
    Now, if I expand the "Procedures", "Functions", "Packages", "Tables" etc. under this connection tree, nothing is listed, but from sqlplus I could see all this information for user 'oroot'.
    For a Database authenticated user it works fine.
    -murali

    Hi,
    Are you saying what are the roles/privileges required for this user to access cubes in global AW?
    The user must have read permission to the workspace and user should have OLAP_USER role as a default role assigned.
    If accessing through Discoverer for OLAP(D4O) then D4OPUB role should also be given.
    What is the front end tool u r using to create reports?
    Thanks
    Brijesh

  • Exchange Web Services for external O365 users w/UAG

    The client has UAG in use, currently, for OWA and EAS for the on-prem mailboxes.
    We have O365 Federation enabled right now using ADFS with proxies. ADFS is *not* behind the UAG firewall. sss.clientdomain.com resolves directly to the ADFS proxies. We've successfully tested the SSO redirect.
    With UAG in play, how will that affect Exchange Online mailbox users who are trying to get to OWA from their home PC? The UAG proxy is set for pre-auth to the internal AD DS.
    Is this going to be a problem for Exchange Online users using OWA and EAS? If so, how do I get around this? My goal is to make sure UAG is as small of a piece of this puzzle as possible, seeing it is nearing end-of-life.

    Exchange Online OWA users will likely have to authenticate twice here - once to get to the on-prem Exchange server for OWA through UAG, and then again at the ADFS Proxy, after the on-prem redirection. The alternative would be to provide Exchange Online users the separate URL, so as to connect directly to Exchange Online, and therefore only getting prompted for authentication once at the ADFS Proxy.

  • Password protection for external hard drive

    is anyone aware of a good, reliable program which allows you to protect data on your external hard drive with a password?

    Actually, there's really no reason to make the disk image the size of the whole hard drive. It would make it convenient in a way, since the disk image would have plenty of room on it, but it would also make backups a major pain in the arse, since one minor change to one file inside the image file means the whole thing has to get backed up. If you've got a 150 GB drive, that means a change to a 4 k file requires that you back up 150 GB. (And where do you back up several incremental backups of a 150 GB file to, anyway?)
    What I would recommend is to use many smaller disk images. For example, if you've got 10 projects on the drive, each taking up, say, 150 MB, then you could make 10 disk images that are 200 MB (or more or less, depending on anticipated growth of the projects), and put the files for each project inside one image. Change one project, you only have to back up one image file, which is only a fraction of the total size of the drive. Even if you made each image file 1 GB -- an order of magnitude larger than the project files -- it would still be something you could easily back up onto a DVD, and all 10 disk images would still only take up less than 7% of a 150 GB drive.

  • Home folders for AD authenticated users

    I have set up the 'Magic triangle' with OS X Mountain Lion Server and Active directory on Server 2008 R2. I only want to use AD for authentication - but still want the user to have a home folder on the Mac server - how do I go about this (500+ AD users)?
    thanks....

    Put the path to the Mac home directory in the User's AD account/profile.
    If you already have a windows server path there because they also use Windows Workstations, then you will need to extend the Active Directory Schema.
    See..
    Modifying the Active Directory Schema to Support Mac Systems
    Strategies and Best Practices for Planning, Testing, and Deploying the Mac Successfully in Your Enterprise
    October 2009
    http://giraffeit.com/wp-content/uploads/2012/02/Modifying_the_Active_Directory_Schema.pdf
