Kerberos Authentication for Oracle - Benefits and Recommendations
Kerberos authentication support in the Oracle Database is now included with all editions of the Oracle Database. Previously, Kerberos authentication required an Oracle Advanced Security Option license. Since this licensing change, we have been working with our clients to design and implement database user authentication using Kerberos and Active Directory. This allows for authentication and verification of database users using Active Directory without implementing other identify management products or servers. Although, it does require both server and client-side configuration.
First, we need to note that there are three options for creation of users in an Oracle database - users can be identified as:
- Locally – accounts and passwords are defined with the local database.
- Externally – accounts and passwords are defined locally but authenticated by an external service, such as an operating system or third party service (e.g. Active Directory or LDAP). This includes Kerberos.
- Globally – accounts and passwords are both defined outside the local database. Authentication must be done through an external service. This Oracle feature is called Enterprise User Security (EUS).
What is Kerberos?
Kerberos is not OS authentication. Remote OS authentication is a security option where the Oracle database allowed a connection if the user has an open session within the operating system. Remote OS Authentication is now obsolete and is no longer supported after Oracle 11gR1, however, it remains a feature only for backwards compatibility.
Kerberos is a network authentication protocol originally developed by the Massachusetts Institute of Technology (MIT). Kerberos has for years been built into Microsoft Active Directory and is designed to authenticate users to network resources, such as Oracle databases. Kerberos uses tickets and symmetric-key cryptography to eliminate the need to transmit passwords over the network.
Previously, Oracle Kerberos Authentication was a component of Advanced Security Option (ASO) - Kerberos Authentication required an ASO license per database server. As of Fall 2013, Oracle Kerberos Authentication is no longer part of ASO and it can be used with any database edition for all supported versions of the database without additional licensing. (See Note 1375853.1 for further information.)
What does this mean?
Using Kerberos can improve security and save time and money. For Kerberos authenticated users, database administrators will still need to create accounts and assign roles, but they will no longer need to worry about password resets, nor will need they need to close accounts upon termination of employment (assuming the AD account is closed).
The benefits of using Kerberos will differ per client and the identity management strategy being pursued.
- Consider Kerberos for named user accounts (end-users), not service accounts.
- Existing users will need to be altered from locally defined to external.
- Case sensitivity of user names can be an issue. Oracle by default creates usernames in upper case. AD is case in-sensitive. Kerberos authentication requires uppercase.
- The Oracle database server must be in the AD domain or, if not, the krb5.conf file needs to explicitly include it in the realm mapping.
- Oracle Kerberos authentication does not require any external Kerberos libraries to be added.
- Be sure to log Kerberos authentication events in Splunk, ArcSight, or whatever your centralized logging solution may be
If you have questions, please contact us at email@example.com.
- MIT Kerberos documentation http://web.mit.edu/kerberos/
- Master Note For Oracle Kerberos Authentication https://support.oracle.com/rs?type=doc&id=1375853.1
- Configuring Oracle Kerberos Authentication with a Microsoft Windows 2008 R2 Active Directory https://support.oracle.com/rs?type=doc&id=1304004.1
- Oracle Kerberos Troubleshooting Guide https://support.oracle.com/rs?type=doc&id=185897.1