7 The Oracle Data Provider : Authentication

Authentication
Authentication verifies the identity of the user and protects user credentials from interception by attackers when they are transmitted over the network. See “Authentication” for an overview.
The Oracle data provider supports the following methods of authentication:
This method requires knowledge of how to configure your Kerberos environment and supports Windows Active Directory Kerberos and MIT Kerberos.
NOTE: Because the database server does not authenticate the user when client authentication is used, use this method of authentication only if you can guarantee that only trusted clients can access the database server.
Except for NTLM authentication, which provides authentication for Windows clients only, these authentication methods provide authentication when the data provider is running on any supported platform.
Using the Authentication Method Connection String Option
The Authentication Method connection string option controls which authentication mechanism the data provider uses when establishing connections. When Authentication Method=UserIDPassword (the initial default), the data provider uses the Oracle user ID/password authentication when establishing a connection based on the following criteria:
When Authentication Method=Kerberos, the data provider uses Kerberos authentication when establishing a connection. The data provider ignores any values specified by the User and Password properties.
When Authentication Method=KerberosUserIDPassword, the data provider first uses Kerberos when establishing a connection. Next, the data provider reauthenticates the user using user ID/password authentication. The User ID connection string option provides the user ID. The Password connection string option provides the password. If a user ID and password are not specified, the data provider throws an exception. If either Kerberos or user ID/password authentication fails, the connection attempt fails and the data provider throws an exception.
When Authentication Method=NTLM, the data provider uses NTLM authentication when establishing a connection if the data provider can load the DLL required for NTLM authentication. If the data provider cannot load the DLL, the data provider throws an exception. The data provider ignores any values specified by the User ID and Password properties.
When Authentication Method=Client, the data provider uses client authentication when establishing a connection. The Oracle database server relies on the client to authenticate the user and does not provide additional authentication. The data provider ignores any values specified by the User ID and Password connection string options.
When Authentication Method=UserIDPassword, the data provider uses user ID/password authentication when establishing a connection. The User connection string option supplies the user ID. The Password connection string option supplies the password. If a user ID is not specified, the data provider throws an exception.
NOTE: With any of these values, the data provider can also encrypt the data it transmits; enable this by setting the Encryption Method connection string option.
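As an added illustration (not code from the data provider documentation), the following .NET helper applies the rules above to a connection string before it is handed to the provider: it removes User ID and Password in the modes that ignore them, so an unused password is never carried along, and fails early when a mode requires a credential that is missing. It uses only the generic DbConnectionStringBuilder from System.Data; the option names are the ones used above, and the Host/Port/SID sample values are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Data.Common;

// Checks an Oracle data provider connection string against the
// Authentication Method rules described in this section.
public static class AuthMethodCheck
{
    // Modes in which the provider ignores User ID and Password entirely.
    static readonly HashSet<string> IgnoresCredentials =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "Kerberos", "NTLM", "Client" };

    public static string Validate(string connectionString)
    {
        var b = new DbConnectionStringBuilder { ConnectionString = connectionString };
        // UserIDPassword is the initial default when the option is absent.
        string method = b.TryGetValue("Authentication Method", out object m) ? m.ToString() : "UserIDPassword";
        bool hasUser = b.TryGetValue("User ID", out object u) && u.ToString().Length > 0;
        bool hasPassword = b.TryGetValue("Password", out object p) && p.ToString().Length > 0;

        if (IgnoresCredentials.Contains(method))
        {
            // Credentials are ignored here, so strip them instead of passing a dead password around.
            b.Remove("User ID"); b.Remove("Password");
            if (hasUser || hasPassword) Console.WriteLine($"note: User ID/Password ignored for {method}");
            return b.ConnectionString;
        }
        if (method.Equals("KerberosUserIDPassword", StringComparison.OrdinalIgnoreCase))
        {
            // Kerberos first, then re-authentication by user ID/password: both must be present.
            if (!hasUser || !hasPassword) throw new ArgumentException("KerberosUserIDPassword requires User ID and Password");
            return b.ConnectionString;
        }
        if (method.Equals("UserIDPassword", StringComparison.OrdinalIgnoreCase))
        {
            if (!hasUser) throw new ArgumentException("UserIDPassword requires User ID");
            return b.ConnectionString;
        }
        throw new ArgumentException($"unknown Authentication Method '{method}'");
    }

    public static void Main()
    {
        // Constructed sample values (Host/Port/SID are assumed option names for this illustration).
        Console.WriteLine(Validate("Host=db01;Port=1521;SID=orcl;Authentication Method=Kerberos;User ID=scott;Password=tiger"));
        try { Validate("Host=db01;Port=1521;SID=orcl;Authentication Method=KerberosUserIDPassword;User ID=scott"); }
        catch (ArgumentException e) { Console.WriteLine(e.Message); }
    }
}
```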
Configuring User ID/Password Authentication
Configuring Kerberos Authentication
Verify that your environment meets the requirements listed in Table 7-6 before you configure the data provider for Kerberos authentication.
Specifying User Credentials for Kerberos Authentication (Delegation of Credentials)
By default, when Kerberos authentication is used, the Oracle data provider uses the user name and password maintained by the operating system to authenticate users to the database. Because the database shares the user name and password used for the operating system, users with a valid operating system account can log in to the database without supplying a separate user name and password.
Many application servers or Web servers act on behalf of the client user logged on to the machine on which the application is running, rather than the server user. If you want the data provider to use a set of user credentials other than the operating system user name and password, you must include code in your application to define those credentials.
Obtaining a Kerberos Ticket Granting Ticket
To use Kerberos authentication, the application user first must obtain a Kerberos Ticket Granting Ticket (TGT) from the Kerberos server. The Kerberos server verifies the identity of the user and controls access to services using the credentials contained in the TGT.
If the application uses Kerberos authentication from a Windows client and the Kerberos authentication is provided by Windows Active Directory, the application user is not required to log on to the Kerberos server and explicitly obtain a TGT. Windows Active Directory automatically obtains a TGT for the user.
The application user must explicitly obtain a TGT in the following cases:
Configuring Client Authentication
Set the Authentication Method connection string option to Client. See “Using the Authentication Method Connection String Option” for more information about setting a value for this property.
Configuring NTLM Authentication
This section provides requirements and instructions for configuring NTLM authentication for the Microsoft SQL Server data provider.
Product Requirements
Verify that your environment meets the requirements listed in Table 7-7 before you configure your environment for NTLM authentication.
Configuring the Data Provider
To configure the data provider, set the Authentication Method connection string option to NTLM. See “Using the Authentication Method Connection String Option” for more information about setting a value for this connection string option.