Active Directory and Windows Security Integration with Oracle Database. Alex Keh, Principal Product Manager, Windows and .NET, Oracle.

Dec 23, 2015


Agenda

• Database Registration and Name Resolution
• Single Sign-On
  – Windows Native Authentication
  – Kerberos
• Security for Web Applications on Windows
• Enterprise User Security and Virtual Directory
• Q&A

Database Registration and Name Resolution: Overview

• Store and resolve Net names through Active Directory
  – Eliminate tnsnames.ora on clients
  – Centralize configuration, reduce administration
  – Authenticated connection to Active Directory (11g)
• Enhanced tools support for storing Net naming
  – AD Users and Computers
  – Oracle DB Configuration Assistant, Net Configuration Assistant and Net Manager

Database Registration and Name Resolution: Active Directory support

Client OS    Server OS   AD    OID   Comments
Windows      Windows     Yes   Yes
Windows      Any         Yes   Yes   Tools for registering Net Services in AD must be run on Windows
Linux/Unix   Any         No    Yes   AD integration solutions can be used

Database Registration and Name Resolution: Configuration/Administration

Active Directory holds the repository of DB names and connect descriptors. A Windows administrator performs steps 1 to 4 once; step 5 is performed on each client system.

1 – Ensure the admin can modify the Schema in AD
2 – Register the Schema with NetCA
3 – Create the Naming Context using NetCA
4 – Register the DB in AD using DBCA or Net Manager
5 – Configure Directory Naming and AD Usage on the client systems with NetCA

Database Registration and Name Resolution: Run-time

1 – User signs on to the desktop
2 – User issues a connect request
3 – Client retrieves the connect descriptor from the DB names and connect descriptors repository in Active Directory (AD/KDC)
4 – Client connects to the Oracle DB using the connect descriptor (the database can be on any platform)

Database Registration and Name Resolution: Demo Environment

Client: Windows XP SP2
  Machine name: xpclient.adnet.dev
  User: oracle
  Database server: orcl

Domain Controller: Windows Server 2003 EE SP1
  Machine name: w2k3s.adnet.dev
  Domain: adnet.dev

Tools installed on Windows XP (both are available on the Windows 2003 media):
  – Support Tools (under the Support directory on the CD); ADSI Edit is part of it
  – Admin Tools (under the i386 directory on the CD): AD Users & Computers, etc.

DEMONSTRATION: Database Registration and Name Resolution

Database Registration and Name Resolution: Summary

1. Ensure that the Administrator can modify the Schema in Active Directory
2. Register the Schema using NetCA (one time for the entire AD forest)
3. Create the Naming Context using NetCA (once per domain or for the entire forest, depending on where you create it)
4. Register the Database in AD using DBCA or Net Manager
5. Configure Directory Naming and Directory Usage (AD) using NetCA on the client systems that should use AD
6. Set NAMES.LDAP_AUTHENTICATE_BIND=Yes in SQLNET.ORA on all 11g client systems

To support pre-11g clients:
1. Enable anonymous bind in AD
2. Change the ACLs on the Oracle Naming Context and the Database/Net Services objects to allow anonymous access

Anonymous access lets anyone who can reach the domain controller enumerate database names and connect descriptors, so treat it as a transitional setting and remove it once the last pre-11g client is gone.

Please refer to the white paper "Configuring Microsoft Active Directory for Net Naming" for detailed information.
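The client-side part of the procedure above, as an added example that is not part of the deck: it writes the ldap.ora/sqlnet.ora settings an 11g client needs for authenticated directory naming, then reads the registered Net services from AD twice, once with the logged-on user's Windows credentials and once anonymously, so you can confirm that the anonymous path required only for pre-11g clients is actually closed. The domain, DC name and naming context follow the demo environment; the ORACLE_HOME path is an assumption, and orclNetService/orclNetDescString are the class and attribute Oracle's AD schema extension uses for a registered service.

```powershell
# Added example, not part of the deck. Assumes the demo domain adnet.dev with DC
# w2k3s.adnet.dev and a naming context created by NetCA at cn=OracleContext,dc=adnet,dc=dev.
# Run on an 11g or later Windows client (PowerShell 5.1+), logged on as a domain user.
# ORACLE_HOME and the file paths are assumptions.
$OracleHome = 'C:\oracle\product\11.2.0\client_1'
$NetAdmin   = Join-Path $OracleHome 'network\admin'
$Dc         = 'w2k3s.adnet.dev'
$OracleCtx  = 'cn=OracleContext,dc=adnet,dc=dev'

# 1. Point Oracle Net at AD. ldap.ora names the directory; sqlnet.ora puts LDAP first in the
#    resolution order and makes the client bind with its Windows logon instead of anonymously.
#    (Merge these into existing files rather than replacing settings you still need.)
@"
DIRECTORY_SERVERS     = (${Dc}:389:636)
DEFAULT_ADMIN_CONTEXT = "dc=adnet,dc=dev"
DIRECTORY_SERVER_TYPE = AD
"@ | Set-Content (Join-Path $NetAdmin 'ldap.ora') -Encoding ASCII

@"
NAMES.DIRECTORY_PATH         = (LDAP, TNSNAMES, EZCONNECT)
NAMES.LDAP_AUTHENTICATE_BIND = TRUE
"@ | Add-Content (Join-Path $NetAdmin 'sqlnet.ora') -Encoding ASCII

# 2. Read the registered Net services the way the client does: once authenticated (Negotiate,
#    i.e. the logged-on user's Kerberos ticket) and once anonymously.
Add-Type -AssemblyName System.DirectoryServices.Protocols
function Get-OracleNetService {
    param([string]$Server, [string]$Base, [string]$AuthType)   # AuthType: Negotiate | Anonymous
    $found = New-Object System.Collections.Generic.List[object]
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($Server)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]$AuthType
    try {
        $conn.Bind()
        $req = [System.DirectoryServices.Protocols.SearchRequest]::new(
            $Base, '(objectClass=orclNetService)',
            [System.DirectoryServices.Protocols.SearchScope]::Subtree,
            [string[]]@('cn', 'orclNetDescString'))
        foreach ($e in $conn.SendRequest($req).Entries) {
            $found.Add([pscustomobject]@{
                Name       = [string]$e.Attributes['cn'][0]
                Descriptor = [string]$e.Attributes['orclNetDescString'][0]
            })
        }
    } catch {
        Write-Warning "$AuthType read of $Base failed: $($_.Exception.Message)"
    } finally {
        $conn.Dispose()
    }
    return ,$found
}

$auth = Get-OracleNetService -Server $Dc -Base $OracleCtx -AuthType Negotiate
$anon = Get-OracleNetService -Server $Dc -Base $OracleCtx -AuthType Anonymous
"Authenticated read: $($auth.Count) service(s); anonymous read: $($anon.Count) service(s)"
$auth | Format-Table -AutoSize

# The anonymous count should be 0 unless you deliberately opened the context for pre-11g
# clients; if it is not, anyone who can reach the DC can enumerate your databases' addresses.
if ($anon.Count -gt 0) { Write-Warning 'Oracle naming context is readable without authentication.' }
```

An authenticated read that returns the expected services while the anonymous read returns none (or fails to bind) is the state you want once only 11g clients remain.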


Single Sign-On

Windows Native Authentication (client OS: Windows; server OS: Windows)
  • Included and configured in all editions
  • MS KDC is used implicitly
  • Uses the External Users mechanism
  • Direct support of Windows group membership for role authorization
  • Enterprise User Security not supported

Kerberos (client OS: any; server OS: any)
  • EE and ASO option needed
  • MS KDC is supported
  • Uses the External Users mechanism (by default)
  • Enterprise User Security supported
  • EUS and AD integration solutions needed to support authorization through Windows group membership

Windows Native Authentication

• Enabled by default and works across systems
• Very easy to configure and use
• Windows user logon credentials are used for database authentication
• Authentication protocol (Kerberos or NTLM) is negotiated based on OS and Domain Controller
• Oracle Administration Assistant can be used to manage user authentication and role authorization
• Independent of the Database Registration and Name Resolution feature

Windows Native Authentication: Use of Windows Groups

• ORA_DBA: all members get SYSDBA privileges
• ORA_OPER: all members get SYSOPER privileges
• For any other Windows user, an external user needs to be created in the Oracle DB
  – create user "Sales\frank" identified externally;
• Windows groups can be used to assign roles (if os_roles is true)
  – create role sales identified externally;
  – Corresponding Windows group for a database with SID orcl: ORA_orcl_sales_d (the _d suffix makes it a default role)

(If Oracle Administration Assistant is used, it makes the appropriate changes in AD and the Database.)

Windows Native Authentication: Flow

1 – User signs on to the desktop
2 – User attempts to sign on to Oracle
3 – Client and Oracle DB negotiate the security protocol and exchange security tokens (issued by AD/KDC)
4 – Oracle DB identifies the user as a specific External User
5 – Oracle DB finds the user's Windows group memberships (if os_roles is true)
6 – Oracle DB assigns roles based on DB roles or group memberships (depending on os_roles)

Windows Native Authentication: Configuration

• Set os_authent_prefix to "" in init.ora
• Ensure that sqlnet.authentication_services is set to NTS in sqlnet.ora (the default setup on Windows)
• Set os_roles to true in init.ora if you want to use Windows Group Membership for role authorization

Because NTS trusts the Windows logon token, membership of ORA_DBA is equivalent to SYSDBA without a database password: anyone who can add accounts to that group on the database host (local Administrators, for example) gets full control of the instance. Restrict and audit membership of ORA_DBA, ORA_OPER and the ORA_<SID>_<role> groups accordingly.
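The configuration and the group-to-role mapping from the two preceding slides carried through end to end, as an added example that is not the deck's own script: it sets the instance parameters, creates the external user and role, creates the matching ORA_<SID>_<role>_D local group, and verifies from a Windows-authenticated session that the role arrived. It assumes SID orcl on a Windows database host in the demo domain adnet.dev, a domain user ADNET\frank, a placeholder table hr.employees, and a Windows version with the Microsoft.PowerShell.LocalAccounts cmdlets.

```powershell
# Added example, not part of the deck. Assumes database SID orcl on a Windows host in the
# demo domain adnet.dev, run as a local Administrator who is a member of ORA_DBA (so that
# "/ as sysdba" itself works through NTS), and a domain user ADNET\frank. New-LocalGroup and
# Add-LocalGroupMember need Windows Server 2016 / Windows 10 or later; hr.employees is a
# placeholder table.
$Sid  = 'orcl'
$User = 'ADNET\frank'

# 1. Database side. os_authent_prefix='' makes the Windows name the Oracle name unchanged;
#    os_roles=TRUE hands role assignment to Windows group membership (role GRANTs in the
#    database are then ignored for these users). Oracle stores the external name in upper case.
@"
ALTER SYSTEM SET os_authent_prefix = '' SCOPE=SPFILE;
ALTER SYSTEM SET os_roles = TRUE SCOPE=SPFILE;
CREATE USER "$($User.ToUpper())" IDENTIFIED EXTERNALLY;
GRANT CREATE SESSION TO "$($User.ToUpper())";
CREATE ROLE sales IDENTIFIED EXTERNALLY;
GRANT SELECT ON hr.employees TO sales;
EXIT
"@ | sqlplus -S '/ as sysdba'

# 2. Windows side. The local group name encodes SID and role: ORA_<SID>_<role>, with _D for a
#    default role (and _A for a role granted WITH ADMIN OPTION). Oracle checks the user's
#    token on the database host against these groups at logon.
$Group = "ORA_${Sid}_sales_d"
if (-not (Get-LocalGroup -Name $Group -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $Group -Description "Oracle $Sid default role SALES" | Out-Null
}
Add-LocalGroupMember -Group $Group -Member $User

# 3. SPFILE parameters need an instance restart.
Restart-Service "OracleService$Sid" -Force

# 4. Verify while logged on as ADNET\frank: no password anywhere, the session is authenticated
#    by Windows (AUTHENTICATION_METHOD = OS) and SALES shows up in SESSION_ROLES.
@"
SELECT SYS_CONTEXT('USERENV','SESSION_USER')          AS session_user,
       SYS_CONTEXT('USERENV','AUTHENTICATION_METHOD') AS auth_method
FROM   dual;
SELECT role FROM session_roles;
EXIT
"@ | sqlplus -S /

# Anyone who can add accounts to ORA_DBA on this host gets SYSDBA the same way, so review it:
Get-LocalGroupMember -Group 'ORA_DBA'
```

Steps 1 to 3 run once as the administrator; step 4 is run from a session logged on as the mapped user. Oracle Administration Assistant does the same group and dictionary changes through a GUI.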

DEMONSTRATION: Windows Native Authentication

Kerberos Authentication

• Integrated with the Microsoft Key Distribution Center (MS KDC)
• Supports heterogeneous systems
  – A Windows client can connect to a non-Windows server and vice versa
• Uses the External User mechanism in the Database
• Can also be supported with Enterprise User Security
• EE and ASO (Advanced Security Option) feature

Kerberos Enhancements

• Constrained Delegation support for better support of Windows middle-tier applications
• Connected-user dblink support over Kerberos
• IPv6 support
• Stronger encryption algorithms (AES)
  – Support the default encryption type supported by the MS KDC
• Use the DNS domain name as the Kerberos REALM name by default
• Kerberos authentication to Oracle database in an MS cross-domain setup
• Removal of the 30-character limit on the Kerberos user name

Kerberos Authentication: Windows Client Configuration

• Create the Kerberos and sqlnet configuration files using Oracle Net Manager
  – Set sqlnet.kerberos5_cc_name to "OSMSFT:" in sqlnet.ora so that the credential is retrieved from the Microsoft credential cache

Kerberos Authentication: Server Configuration (non-Windows)

• Create the Kerberos and sqlnet configuration files on the server using Oracle Net Manager
• Create a user in Active Directory for the Database Server
• On the Domain Controller, use the ktpass utility (available from Microsoft) to
  – Create the Database Service Principal in AD
  – Map the Principal to the AD user
  – Create the keytab file
• Copy the keytab file to the DB server node (over an authenticated channel, readable only by the Oracle software owner: the keytab holds the service's long-term key, and whoever reads it can impersonate the database to every client)
• Set os_authent_prefix to "" in init.ora
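The domain-controller side of the server procedure above, plus the sqlnet.ora settings for the non-Windows server and for the Windows client described two slides earlier, as an added example that is not the deck's own script. It assumes the demo domain adnet.dev, a database host named dbhost.adnet.dev, a service account named svc-oracle-dbhost, the paths shown, and an AES256 key type; the deck only lists AES as an enhancement, so use the encryption type your KDC and Oracle release both support.

```powershell
# Added example, not part of the deck. Run on the domain controller of the demo domain
# adnet.dev with the ActiveDirectory module available. The database host dbhost.adnet.dev,
# the service account name, the paths and the AES256 choice are assumptions.
Import-Module ActiveDirectory
$Realm   = 'ADNET.DEV'                 # Kerberos realm: the DNS domain in upper case
$DbHost  = 'dbhost.adnet.dev'          # non-Windows database server
$Svc     = 'oracle'                    # Oracle's default Kerberos service name
$Account = 'svc-oracle-dbhost'         # one AD user per database host
$Keytab  = "C:\keytab\$Account.keytab"

# 1. AD user that the service principal maps to. Nobody logs on with it, so give it a long
#    random password; ktpass derives the keytab key from whatever password it sets.
$chars = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#%+-=_'
$pw = -join (Get-Random -InputObject $chars -Count 32)
New-ADUser -Name $Account -SamAccountName $Account `
           -AccountPassword (ConvertTo-SecureString $pw -AsPlainText -Force) `
           -KerberosEncryptionType AES256 -PasswordNeverExpires $true `
           -CannotChangePassword $true -Enabled $true

# 2. ktpass does the three things the slide lists in one go: registers the SPN
#    oracle/dbhost.adnet.dev, maps it to the user, and writes the keytab.
#    (Use "/pass *" to be prompted instead of putting the password on the command line.)
New-Item -ItemType Directory -Force (Split-Path $Keytab) | Out-Null
ktpass /princ "$Svc/$DbHost@$Realm" /mapuser "$Account@$Realm" /pass $pw `
       /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /out $Keytab
setspn -L $Account                     # should list oracle/dbhost.adnet.dev
Remove-Variable pw, chars              # the keytab is now the only copy that matters

# 3. Copy the keytab to the DB host over an authenticated channel (scp/sftp), owned by the
#    oracle OS user with mode 0600. Server-side sqlnet.ora (Linux paths assumed); the
#    instance additionally needs os_authent_prefix=''.
@'
SQLNET.AUTHENTICATION_SERVICES          = (BEQ, KERBEROS5)
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE = oracle
SQLNET.KERBEROS5_CONF                   = /etc/krb5.conf
SQLNET.KERBEROS5_CONF_MIT               = TRUE
SQLNET.KERBEROS5_KEYTAB                 = /u01/app/oracle/krb/dbhost.keytab
'@ | Set-Content 'C:\keytab\sqlnet.ora.server'

# 4. Windows client sqlnet.ora: OSMSFT: reuses the ticket cache of the desktop logon, so no
#    okinit and no password prompt. After "sqlplus /@orcl" the client's klist output should
#    show a service ticket for oracle/dbhost.adnet.dev@ADNET.DEV.
@'
SQLNET.AUTHENTICATION_SERVICES          = (KERBEROS5)
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE = oracle
SQLNET.KERBEROS5_CONF                   = C:\oracle\network\admin\krb5.conf
SQLNET.KERBEROS5_CONF_MIT               = TRUE
SQLNET.KERBEROS5_CC_NAME                = OSMSFT:
'@ | Set-Content 'C:\keytab\sqlnet.ora.client'
```

The two sqlnet.ora fragments are written to files for hand-off because they belong on other machines; Oracle Net Manager produces equivalent content, which is what the slides describe.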

Kerberos Authentication: Flow

1 – User signs on to the desktop
2 – User attempts to sign on to Oracle (AD/KDC issues the service ticket)
3 – Oracle DB identifies the user as a specific External User and assigns DB roles accordingly

Example:
SQL> CREATE USER KRBUSER IDENTIFIED EXTERNALLY AS '[email protected]';
SQL> GRANT CONNECT, RESOURCE TO KRBUSER;


Web Applications on Windows

(Figure: user communities authenticate to web applications running on Windows (IIS), labelled "Web User Authentication"; the web applications in turn authenticate to the Oracle DB, labelled "Web Application to DB Authentication"; AD/KDC backs both, with service test monitoring alongside.)

Web User Authentication Solutions

• Oracle Identity Management solutions
  – Integrated with Active Directory
  – Supports heterogeneous environments
  – See http://www.oracle.com/technology/products/id_mgmt/index.htm
• ASP.NET Membership and Role Provider for Oracle
  – Validate and manage user and authorization information for your ASP.NET web applications in Oracle Database
  – Deployment-time option
  – Oracle Database can be on any platform

These are Oracle-provided solutions which can be used in addition to the solutions provided by Microsoft.

Web Application to Database Authentication

• Windows native authentication
  – Run web applications as specific Windows users, or use IIS mechanisms for mapping web users to Windows users
  – Use an OS-authenticated connection pool (ODP.NET supports it)
  – Database must be on Windows
• Kerberos authentication can be used when the Database is on a non-Windows platform
• User ID/Password
  – If you must use it, use the Secure External Password Store (in an Oracle Wallet) to store the password securely rather than keeping it in a connection string or configuration file
  – Database can be on any platform
• Evaluate other security solutions: Oracle Advanced Security

Recommendation: use Application Context/Client Identifier for end-to-end auditing and security, so that the database sees the end user behind each pooled connection and not only the application account.
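The password-store and client-identifier recommendations above, as an added example that is not the deck's own code: it creates a Secure External Password Store wallet with mkstore, locks the wallet files down to the application pool identity, points sqlnet.ora at it, and then opens an ODP.NET connection with no credentials in the connection string while tagging the pooled session with the web user's identity. It assumes the ODP.NET managed driver at the path shown, a Net alias orcl, an application pool identity ADNET\svc-webapp, a database account WEBAPP, and that TNS_ADMIN points at the web server's sqlnet.ora; all of these are assumptions.

```powershell
# Added example, not part of the deck. Runs on the IIS web server. Assumes the ODP.NET
# managed driver (Oracle.ManagedDataAccess.dll, 12c or later, which can read the wallet) is
# installed, the Net alias orcl resolves (from AD as above or tnsnames.ora), the application
# pool runs as ADNET\svc-webapp, a database account WEBAPP exists, and TNS_ADMIN points at
# the web server's sqlnet.ora. Paths and names are assumptions.
$Wallet = 'C:\oracle\wallet\webapp'
$Alias  = 'orcl'
$DbUser = 'webapp'
$PoolId = 'ADNET\svc-webapp'

# 1. Secure External Password Store: the password lives in an auto-login wallet keyed by
#    Net alias, so neither web.config nor the connection string carries it. mkstore prompts
#    for the wallet password and then for the database password.
New-Item -ItemType Directory -Force $Wallet | Out-Null
mkstore -wrl $Wallet -create
mkstore -wrl $Wallet -createCredential $Alias $DbUser
mkstore -wrl $Wallet -listCredential      # prints alias and user name, never the password

# 2. The wallet is only as secret as its ACL: app pool identity read-only, administrators
#    full control, nobody else (inheritance removed so the parent's ACL cannot widen it).
icacls $Wallet /inheritance:r /grant:r "${PoolId}:(OI)(CI)R" 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null

# 3. Tell Oracle Net where the wallet is and to use it in place of a user/password.
@"
WALLET_LOCATION = (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = $Wallet)))
SQLNET.WALLET_OVERRIDE = TRUE
"@ | Add-Content (Join-Path $env:TNS_ADMIN 'sqlnet.ora')

# 4. From the application: "User Id=/" means "no credentials here" (wallet lookup by alias,
#    or the Windows identity through NTS when the database is on Windows). Setting ClientId
#    after Open() tags the pooled session with the web user, which is what shows up in
#    SYS_CONTEXT('USERENV','CLIENT_IDENTIFIER') and in the audit trail. Set it on every use;
#    do not assume a session pulled from the pool still carries the previous user.
Add-Type -Path 'C:\oracle\odp.net\managed\common\Oracle.ManagedDataAccess.dll'
function Invoke-AsWebUser {
    param([string]$WebUser, [string]$Sql)
    $conn = New-Object Oracle.ManagedDataAccess.Client.OracleConnection -ArgumentList "User Id=/;Data Source=$Alias"
    $conn.Open()
    try {
        $conn.ClientId = $WebUser
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Sql
        $cmd.ExecuteScalar()
    } finally {
        $conn.Close()                     # returns the session to the pool
    }
}
Invoke-AsWebUser -WebUser 'frank@adnet.dev' -Sql "SELECT SYS_CONTEXT('USERENV','CLIENT_IDENTIFIER') FROM dual"
```

The query in the last line returns the web user name you set, which is the value fine-grained auditing and application-context policies in the database can key on.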


Identity Management Options

• Enterprise User Security (EUS)
• User Management 4 Databases (UM4DB)

Enterprise User Security

• Centralize user accounts and roles into an enterprise directory
• Requires Oracle Virtual Directory or Oracle Internet Directory

What is Oracle Virtual Directory

• A service that aggregates identity data without consolidating it, reducing the time it takes to deploy LDAP, Web Service and Database applications

EUS – OVD Architecture

User Management for Databases (UM4DB)

• Provides centralized life-cycle management for databases
  – From hire to exit
  – Provides self-service
• Audit/Compliance reports
• Restricted license of OIM and OVD/OID

UM4DB Architecture

(Figure: UM4DB sits between the identity repository and the managed databases, both Oracle Databases and SQL Server, Sybase and DB2 Databases. A policy engine applies access policies, workflow and connector rules; new or existing users raise self-service requests that pass through helpdesk or administrator approval.)

Value: Automated Compliance Reporting

EUS and OVD: Summary

• EUS centralizes database account management into a directory
• EUS works across heterogeneous operating systems
• OVD enables EUS to work with 3rd-party directories without synchronization

Session Summary

• Most comprehensive solutions for integration with Active Directory and Windows Security
• Support client/server and web applications
• Support homogeneous and heterogeneous environments
• Oracle solutions extend Microsoft offerings

For More Information

Windows Server System Center: http://www.oracle.com/technology/windows
Oracle Net Services: http://www.oracle.com/technology/products/oraclenet/index.html
Oracle Database Security: http://www.oracle.com/technology/deploy/security/database-security/index.html
Oracle Virtual Directory (OVD): http://www.oracle.com/identity
Oracle Identity & Access Management: http://www.oracle.com/identity

For questions, email [email protected]

The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.