January 2013
Introduction
1. Understanding Kerberos Concepts
1.1 JDBC And Kerberos
1.2 Microsoft Active Directory KDC
2. Oracle JDBC Thin Driver And JAAS
3. Kerberos Authentication In JDBC
3.1 Windows Native Cache
3.2 File Cache
Windows 2008 Active Directory
Conclusion
Kerberos Authentication With Oracle JDBC Thin Driver And Microsoft Active Directory
Introduction
Modern computer systems provide service to multiple users and require the ability to
accurately identify the user making a request. In traditional systems, the user’s identity is
verified by checking a password typed during login; the system records the identity and uses it
to determine what operations may be performed. Password-based authentication is not always
the ideal solution for all computer systems. Kerberos offers more flexibility for security
administrators than password-based authentication.
1) AS Exchange:
When initially logging on to a network, a user first negotiates access by providing a log-in name and
password to the KDC. The AS service in the KDC verifies the details and on successful authentication
provides a Ticket To Get Ticket (TGT), which is cached locally on the client machine.
2) TGS Exchange
The user presents the TGT to the TGS portion of the KDC when he wishes to access a server service.
The TGS authenticates the user’s TGT and provides a service ticket.
3) Client/server Exchange
Once the client user has a service ticket, he can establish a session with the server service.
Oracle JDBC Driver 11g provides support for Kerberos. The Oracle JDBC thin driver can
authenticate to an Oracle Database by communicating with the KDC’s Authenticating Service and
Ticket Granting Service. Kerberos programming in Java is done via two components:
JAAS provides a login module (Krb5LoginModule) which authenticates users using the Kerberos
protocol. JDBC uses JAAS to obtain credentials from the KDC and perform initial authentication, and
JGSS to contact a Kerberos service. For more information on JGSS and JAAS, refer to the following
article:
http://java.sun.com/javase/6/docs/technotes/guides/security/index.html
Microsoft Active Directory is a directory service of the Windows Operating System that facilitates
working with different resources connected in a complex network in a unified manner. Active
Directory was initially released with Windows 2000 Server and then revised with additional features in
Windows Server 2008. The network services which Active Directory offers can be summarized as
below:
4) Data availability in multiple servers with concurrent updates to provide better scalability.
In this paper, we will use Microsoft Windows 2003 Active Directory to illustrate how JDBC thin uses
kerberos to authenticate to the Oracle Database Server. We will also discuss Windows 2008 Active
Directory briefly and specify the requirements to cater to the new encryption types introduced in this
version.
The Oracle JDBC 11g thin driver uses the JAAS Krb5LoginModule to obtain the initial credentials
from Microsoft Active Directory KDC. The Krb5LoginModule has several options which control the
authentication process. We will discuss the options relevant to JDBC:
useTicketCache: If this option is set to “true”, the credentials will be obtained from the ticket cache.
The default value is “false”. The ticket cache can be an operating system file cache or a memory cache
(LSA cache) on Windows platforms. On Solaris and Linux the default location of the file ticket cache
is /tmp/krb5cc_uid, where uid is the numeric user identifier. On Windows, the default location is
{user.home}{file.separator}.krb5cc_{user.name}. On Windows, if a ticket cannot be retrieved from
the file ticket cache, the LSA memory cache will be used.
ticketCache: This option specifies the name of the ticket cache if you wish to override the default
ticket cache.
doNotPrompt: If this option is set to “false”, the credentials will not be obtained from a ticket cache
and the user will be prompted for a password to get the credentials directly from the KDC. The default
value is “false”.
For more information about the Krb5LoginModule, refer to the following documentation:
http://download.oracle.com/javase/6/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html
The Oracle JDBC driver invokes Krb5LoginModule with the options useTicketCache=true and
doNotPrompt=true. It is possible to override the values used by the JDBC driver by default and use
different values to suit your needs. The Oracle Database JDBC Developer’s Guide, 11g Release 2
(11.2) (http://download.oracle.com/docs/cd/E14072_01/java.112/e10589.pdf) gives an example
of how to get the credentials directly from the KDC, instead of using a ticket cache.
In this paper we will only discuss how the JDBC driver uses the file and memory ticket caches to
authenticate to the Oracle Database.
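The ticket cache lookup described above can be exercised without the JDBC driver. The following is an added example, not code from this paper or from the Oracle driver: it runs Krb5LoginModule with the two options the driver uses, plus an optional ticketCache path, and prints what the cached TGT contains. The class name TicketCacheCheck is hypothetical; the example assumes Java 7 or later and a Kerberos configuration that the JVM can find (for instance through the java.security.krb5.conf system property).

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Added diagnostic, not Oracle's code. Usage: java TicketCacheCheck [ticket-cache-file]
public class TicketCacheCheck {
    // The two options the paper says the driver passes, plus an optional ticketCache override.
    static Map<String, String> driverOptions(String cachePath) {
        Map<String, String> opts = new HashMap<>();
        opts.put("useTicketCache", "true");
        opts.put("doNotPrompt", "true");
        if (cachePath != null) opts.put("ticketCache", cachePath);
        return opts;
    }

    // True when group and others have no access (the rw------- mode that ls -l shows for the cache).
    static boolean ownerOnly(Path cache) throws IOException {
        EnumSet<PosixFilePermission> exposed = EnumSet.complementOf(EnumSet.of(
                PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE,
                PosixFilePermission.OWNER_EXECUTE));
        exposed.retainAll(Files.getPosixFilePermissions(cache));
        return exposed.isEmpty();
    }

    // Kerberos encryption type numbers for the types named in this paper.
    static String etypeName(int etype) {
        switch (etype) {
            case 1:  return "des-cbc-crc";
            case 3:  return "des-cbc-md5";
            case 16: return "des3-cbc-sha1";
            case 17: return "aes128-cts-hmac-sha1-96";
            case 18: return "aes256-cts-hmac-sha1-96";
            case 23: return "rc4-hmac";
            default: return "etype " + etype;
        }
    }

    // Runs Krb5LoginModule through an in-memory JAAS configuration, so no login.conf file is needed.
    static Subject loginFromCache(final Map<String, String> opts) throws LoginException {
        Configuration cfg = new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
        LoginContext ctx = new LoginContext("ticket-cache-check", null, null, cfg);
        ctx.login();
        return ctx.getSubject();
    }

    public static void main(String[] args) throws IOException {
        String cachePath = args.length > 0 ? args[0] : null;
        if (cachePath != null) {
            Path cache = Paths.get(cachePath);
            boolean posix = cache.getFileSystem().supportedFileAttributeViews().contains("posix");
            if (posix && Files.exists(cache) && !ownerOnly(cache))
                System.err.println("WARNING: " + cache + " is accessible to other users");
        }
        try {
            Subject subject = loginFromCache(driverOptions(cachePath));
            for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
                System.out.println("ticket      : " + t.getClient() + " -> " + t.getServer());
                System.out.println("session key : " + etypeName(t.getSessionKeyType()));
                System.out.println("forwardable : " + t.isForwardable() + ", expires " + t.getEndTime());
            }
        } catch (LoginException e) {
            System.err.println("No usable TGT in the ticket cache: " + e.getMessage());
        }
    }
}
```

Because doNotPrompt is true, an empty or unreadable cache ends in the LoginException branch instead of a password prompt, which is the condition the driver would also hit.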
We will now discuss in detail how to configure Microsoft Active Directory, Oracle Database Server
and Oracle JDBC thin driver to use Kerberos Authentication. The Oracle JDBC thin driver can use the
TGT stored in a file based ticket cache or a memory cache (also known as LSA cache or Windows
Native Cache) in Windows clients. Depending on whether the File Cache or the Windows Native
Cache is used, there are a few differences in the configuration for the JDBC Thin Client.
When JDBC uses the Windows Native Cache, the JDBC Thin Client should be in the same domain as
the Active Directory Server. When a domain user created in Active Directory logs into any machine in
the domain, the TGT is obtained from Active Directory as a part of the login process and stored
locally in memory. The Oracle Database Server does not have to be in the same domain as the
Active Directory Server and can be on a Windows or Unix platform.
Environment Details
JDBC Client:
Host name: myclient.us.oracle.com
Microsoft Windows 7
JDBC driver 11.2.0.1
Part 1: Configure Oracle Kerberos Client to Interoperate with Windows Server 2003 KDC
The following steps are to be performed on the Oracle Database server, the Kerberos Client.
1) Install Kerberos Software on the Kerberos Client
Install the Kerberos software on the Oracle database server, the Kerberos Client. In this case, Oracle
is installed on Oracle Enterprise Linux, which provides MIT-compliant Kerberos client/server
software.
The following command can be used to verify that the required Kerberos client packages are installed.
For example:
$ rpm -qa | grep -i krb5
krb5-workstation-1.2.7-44
pam_krb5-1.73-1
krb5-libs-1.2.7-44
# /etc/krb5.conf:
[libdefaults]
default_realm = MYREALM.VM.ORACLE.COM
default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
default_etypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
# /etc/hosts:
127.0.0.1 localhost.localdomain localhost
10.240.171.53 mykdc.us.oracle.com mykdc mykdc.myrealm.vm.oracle.com myrealm.vm.oracle.com myrealm
10.245.24.198 mydb.us.oracle.com mydb
# /etc/services:
kerberos 88/tcp kerberos5 krb5 # Kerberos v5
kerberos 88/udp kerberos5 krb5 # Kerberos v5
Note: Kerberos, including Active Directory, is highly case sensitive, therefore make sure to specify the
Active Directory realm name (@MYREALM.VM.ORACLE.COM) in upper case.
3) Ensure Oracle Kerberos Authentication Adapter is Installed on the Oracle Kerberos Client
Verify that the Oracle Kerberos Authentication adapter is installed on the Oracle database server, and
is linked into the oracle executable.
To check that the Kerberos authentication adapter is installed, run the
$ORACLE_HOME/bin/adapters command.
For example:
$ cd $ORACLE_HOME/bin
$ ./adapters
Installed Oracle Advanced Security options are:
......
Kerberos v5 authentication
RADIUS authentication
If the Kerberos Authentication adapter is not listed, run the Oracle Installer and perform a custom
installation to install the Advanced Security Option.
Part 2: Configure Windows 2003 Domain Controller KDC to Interoperate with a Kerberos Client
The following steps are to be performed on the Microsoft Active Directory Server, the Kerberos
Server.
4) Create New User for the Kerberos Client in Microsoft Active Directory
[Account tab:]
User logon name: test@myrealm.vm.oracle.com
User logon name (pre-Windows 2000): MYREALM\test
Before Kerberized clients, such as Oracle, can request Active Directory 2003 to encrypt service
tickets using client-defined encryption types, Windows Server 2003 must first be patched to allow this.
Due to the restriction described by http://support.microsoft.com/default.aspx?scid=kb;en-us;833708,
apply the hotfix or Windows Server 2003 Service Pack 1, create the registry parameter
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Kdc\KdcUseRequestedEtypesForTickets
of type REG_DWORD with value Hex 1, then restart the Kerberos KDC service.
Using Active Directory Users and Computers, create a new user to be used for the Oracle database
service principal.
Assuming the Oracle database runs on host mydb.us.oracle.com, create a user with a service principal
username of mydb.us.oracle.com and password of oracle.
For example:
[General tab]
First Name: mydb
Display Name: mydb
[Account tab:]
User logon name: mydb@myrealm.vm.oracle.com
User logon name (pre-Windows 2000): MYREALM\mydb
[Account Options:]
Password never expires.
Note: Do not select the 'User must change password on next logon' option.
Complete the creation of the Oracle database service principal user in Microsoft Active Directory using
Microsoft's ktpass.exe utility.
The ktpass utility is provided as part of Windows Server 2003 Support Tools, available from
http://support.microsoft.com/kb/892777.
Note: Be sure to use only the Windows 2003 version of ktpass to create AD users, and not the one from
Windows 2000.
The following command modifies the service principal account to use DES encryption types, alters the
service name format to incorporate a service name of oracle and extracts the key table to a file - this is
required by the database server running on host mydb.us.oracle.com.
For example:
C:\Documents and Settings\Administrator.>ktpass /princ oracle/mydb.us.oracle.com@MYREALM.VM.ORACLE.COM /mapuser MYREALM\mydb /pass mypassword +desonly /crypto des-cbc-md5 -out c:\temp\keytab.mydb /ptype KRB5_NT_PRINCIPAL
After running ktpass, add a Service Principal Name (SPN) with the setspn tool.
Note: Type the setspn command by hand rather than copying and pasting it!
http://social.microsoft.com/Forums/en/crmdeployment/thread/218667e1-2e31-44f0-b0d4-0f4f5805b05f
For example:
C:\Documents and Settings\Administrator.>setspn -A oracle/mydb.us.oracle.com/MYREALM.VM.ORACLE.COM mykdc
Registering ServicePrincipalNames for CN=MYKDC,OU=Domain Controllers,DC=MYREALM,DC=VM,DC=ORACLE,DC=COM
oracle/mydb.us.oracle.com/MYREALM.VM.ORACLE.COM
Updated object
......
Note: Kerberos, including Active Directory, is highly case sensitive, therefore make sure to specify the
Active Directory realm name (MYREALM.VM.ORACLE.COM) in upper case.
After running ktpass.exe and setspn, Active Directory Users and Computers should display the
modified user properties for service principal mydb.
For example:
[General tab]
First Name: mydb
Display Name: mydb
[Account tab:]
User logon name: oracle/mydb.us.oracle.com@myrealm.vm.oracle.com
User logon name (pre-Windows 2000): MYREALM\mydb
[Account Options:]
Password never expires.
Use DES encryption types for this account
When selecting passwords for users/service principals, passwords must comply with the domain
password policy.
By default, Windows Server 2003 Active Directory enforces a password policy under which a password
is not based on the account name, is at least 6 characters long, and contains characters from at least
three of the following groups: A-Z (upper), a-z (lower), 0-9 (numeric), non-alphanumeric characters
(e.g. punctuation).
The default domain password policy can be displayed or changed using Administrative Tools' Default
Domain Security Settings by clicking Security Settings, Account Policies, Password Policy. If modified,
run 'C:\> gpupdate /force' for user/group policy changes to take immediate effect. All changes made
affect the entire domain.
Where multiple databases exist on different servers, you must configure separate service principal
usernames for each database host.
Additionally, as a precaution, you might consider changing the keytab file name to reflect the target
host for which it was created, e.g. keytab.mydb.
Whilst the same service name may be used by different database hosts, Active Directory limits one
service for each service principal user.
Binary copy (ftp) the key table generated from running ktpass.exe (c:\temp\keytab.mydb) to the
appropriate Oracle database server.
Part 3: Configure Oracle Database to Interoperate with Windows Server 2003 Active Directory
The following steps are to be performed on the Oracle Database server, the Kerberos Client.
For example:
Generally the file is /u03/app/oracle/product/11.2.0/network/admin/sqlnet.ora; in this case it is
$T_WORK/sqlnet.ora.
NAMES.DIRECTORY_PATH=(TNSNAMES)
SQLNET.KERBEROS5_CONF=/etc/krb5.conf
SQLNET.KERBEROS5_KEYTAB=/etc/keytab.mydb
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oracle
SQLNET.KERBEROS5_CONF_MIT=true
SQLNET.AUTHENTICATION_SERVICES=(beq,kerberos5)
Copy the key table file (keytab.mydb) generated from Active Directory 2003 to the location specified
by parameter SQLNET.KERBEROS5_KEYTAB.
The default value of parameter OS_AUTHENT_PREFIX is "OPS$" which, for externally identified
database users created without this prefix, may result in Oracle error ORA-1017: 'invalid
username/password; logon denied'. A limit of 30 characters exists for database usernames - the longer
the Active Directory realm name, the shorter usernames may be. Using the default value may limit the
maximum length of externally identified usernames, resulting in ORA-978: 'identifier is too long'.
Then connect to the database as sysdba and restart the database:
Part 4 - Configure the Oracle Database Client to Interoperate with the Oracle Database Server
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value Name: allowtgtsessionkey
Value Type: REG_DWORD
Value: 0x01 ( default is 0 )
(By default, the value is 0; setting it to "0x01" allows a session key to be included in the TGT. )
Reference :
http://download.oracle.com/javase/1.5.0/docs/guide/security/jgss/tutorials/Troubleshooting.html
For domain users on Windows 7/Windows Vista clients who are also members of the local administrator
group, disable UAC as described below:
a) To open User Account Control Settings, type UAC in the Start Search box, and then click Change User
Account Control settings in the Control Panel window.
Move the slider to the lowest setting (Never Notify), and then click OK. Restart your computer for
the changes to take effect.
(OR)
10) Copy the Kerberos configuration file for the Oracle Client
Copy the krb5.ini configuration file from the Win 2003 server to the Win7 client and place it in the
c:\windows directory
[libdefaults]
default_realm = MYREALM.VM.ORACLE.COM
default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
default_etypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
default_etypes_des = des-cbc-md5 des-cbc-crc des3-cbc-sha1
[realms]
MYREALM.VM.ORACLE.COM = {
kdc = mykdc.us.oracle.com
}
[domain_realm]
.us.oracle.com = MYREALM.VM.ORACLE.COM
us.oracle.com = MYREALM.VM.ORACLE.COM
Click on Start - My Computer - Right Mouse Click - Properties - Select Computer Name Tab -
To Rename this Computer or Join a domain click Change - change domain to
MYREALM.VM.ORACLE.COM. Provide the Administrator username/password for the Active
Directory Server.
Log into the Windows 7 client machine as Active Directory user “test” and check if the Windows
Native Cache is populated using the klist.exe utility provided with the Windows 2000/2003 resource kit tools.
Note that the klist.exe utility provided with the JDK or the operating system will not provide this
functionality. For example, klist will show the following output:
C:\ >klist
12) Run the following sample JDBC program. This program connects to the database using the
Windows Native Cache
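import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;
import oracle.jdbc.OracleConnection;
import oracle.jdbc.OracleDriver;
import oracle.net.ano.AnoServices;

public class TestOra3
{
    public TestOra3() { }

    public static void main(String[] args) throws SQLException
    {
        Properties props = new Properties();
        // Select Kerberos as the authentication service for the thin driver.
        props.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_NET_AUTHENTICATION_SERVICES,
            "(" + AnoServices.AUTHENTICATION_KERBEROS5 + ")");
        // Assumption: the setting whose value is "true" is Kerberos mutual authentication.
        props.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_NET_AUTHENTICATION_KRB5_MUTUAL,
            "true");
        // Kerberos configuration file copied to the client in step 10.
        System.setProperty("java.security.krb5.conf", "c:/windows/krb5.ini");
        // Assumption: standard thin-driver descriptor prefix with PROTOCOL=tcp.
        String url = "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)"+
            "(PORT=1521)(HOST=mydb.us.oracle.com))"+
            "(CONNECT_DATA=(SERVICE_NAME=myservice.us.oracle.com)(SERVER=dedicated)))";
        DriverManager.registerDriver(new OracleDriver());
        Connection conn = DriverManager.getConnection(url, props);
        // The database reports the Kerberos principal as the session user.
        String sql = "select {fn user()} from dual";
        Statement stmt = conn.createStatement();
        ResultSet rs = stmt.executeQuery(sql);
        while (rs.next())
            System.out.println("results: " + rs.getString(1));
        conn.close();
        System.out.println("Done.");
    }
}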
Output:
results: TEST@MYREALM.VM.ORACLE.COM
Done.
JDBC can also authenticate using a file cache created by utilities like kinit or okinit. In this case, the
Oracle Database Server and the JDBC client do not have to be in the same domain as the Active
Directory Server.
Environment Details
JDBC Client:
Host name: myclient.us.oracle.com
Oracle Enterprise Linux
JDBC driver 11.2.0.3
The Active Directory and Database Configuration are the same as documented in the previous section.
The JDBC client configuration is different.
Part 1: Configure Oracle Kerberos Client to Interoperate with Windows Server 2003 KDC
Part 2: Configure Windows 2003 Domain Controller KDC to Interoperate with a Kerberos Client
Part 3: Configure Oracle Database to Interoperate with Windows Server 2003 Active Directory KDC
Note: Parts 1 to 3 are exactly the same as in section 3.1, so they are omitted.
Part 4 - Configure the Oracle Database Client to Interoperate with the Oracle Database Server
Oracle clients must obtain an initial Kerberos Ticket Granting Ticket (TGT) from the Kerberos KDC
before being able to connect to the Oracle database.
Failure to request and obtain the initial TGT will result in Oracle error: ORA-12638 'Credential
retrieval failure'.
To obtain an initial TGT, run the $ORACLE_HOME/bin/okinit utility on the Oracle client or,
more generally, kinit.
For example:
$ kinit test
Password for test@MYREALM.VM.ORACLE.COM:
Note: the database password entered by user test is the same as that specified when user test was
created in Active Directory.
To display the list of service tickets obtained by the user, run the $ORACLE_HOME/bin/oklist or
klist utility on the Oracle client.
For example:
$ klist
Ticket cache: FILE:/tmp/krb5cc_500220
Default principal: test@MYREALM.VM.ORACLE.COM
The credential cache file krb5cc_uid, which is readable only by the user, is created in the /tmp directory.
For example:
$ ls -l /tmp/krb5cc_500220
-rw------- 1 user dba 1129 Jul 17 06:12 /tmp/krb5cc_500220
2) Run the following sample JDBC program. This program connects to the database using the
credentials in the File Cache
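import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;
import oracle.jdbc.OracleConnection;
import oracle.jdbc.OracleDriver;
import oracle.net.ano.AnoServices;

public class TestOra3
{
    public TestOra3() { }

    public static void main(String[] args) throws SQLException
    {
        Properties props = new Properties();
        // Select Kerberos as the authentication service for the thin driver.
        props.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_NET_AUTHENTICATION_SERVICES,
            "(" + AnoServices.AUTHENTICATION_KERBEROS5 + ")");
        // Kerberos configuration file on the Linux client.
        System.setProperty("java.security.krb5.conf", "/etc/krb5.conf");
        // File ticket cache created by kinit, as reported by klist.
        props.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_NET_AUTHENTICATION_KRB5_CC_NAME,
            "/tmp/krb5cc_500220");
        // Assumption: standard thin-driver descriptor prefix with PROTOCOL=tcp.
        String url = "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)"+
            "(PORT=1521)(HOST=mydb.us.oracle.com))"+
            "(CONNECT_DATA=(SERVICE_NAME=myservice.us.oracle.com)(SERVER=dedicated)))";
        DriverManager.registerDriver(new OracleDriver());
        Connection conn = DriverManager.getConnection(url, props);
        // The database reports the Kerberos principal as the session user.
        String sql = "select {fn user()} from dual";
        Statement stmt = conn.createStatement();
        ResultSet rs = stmt.executeQuery(sql);
        while (rs.next())
            System.out.println("results: " + rs.getString(1));
        conn.close();
        System.out.println("Done.");
    }
}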
Output:
results: TEST@MYREALM.VM.ORACLE.COM
Done.
Note:
We have discussed Kerberos authentication in a simple single realm environment without credential
delegation. The Oracle JDBC driver is also capable of handling Kerberos authentication in more
complex environments.
- JDBC driver 11g Release 2 has support for forwardable tickets, which allows tickets obtained
on one system to be used in another system. In the case of a file ticket cache, forwardable
tickets can be enabled by setting forwardable=true in the krb5.conf file. In the case of a Windows
native ticket cache, forwardable tickets are controlled by the property “Account is sensitive
and cannot be delegated” for the User Account in Active Directory.
- JDBC driver 11g Release 2 also allows cross realm authentication across multiple realms. For
example, users in one realm may need to access services available in another realm. In Java,
cross realm authentication can be enabled by specifying all required target realms in the
[domain_realm] section of krb5.conf.
Windows 2008 Active Directory supports the following encryption types by default:
• AES256-CTS-HMAC-SHA1-96
• AES128-CTS-HMAC-SHA1-96
• RC4-HMAC
JDK 1.5 only supports DES encryption types. Hence JDK 1.5 based applications can only work with
Windows 2008 Active Directory by changing the default settings to allow DES encryption types as
described in the below article:
http://support.microsoft.com/kb/977321
JDK 1.6 supports the new encryption types provided by Windows 2008 Active Directory, but has a
128 bit key size restriction. This implies that 256-bit AES encryption cannot be used with the default
JDK 1.6. This restriction can be overcome by installing Java Cryptography Extension (JCE) Unlimited
Strength Jurisdiction Policy Files 6. This can be downloaded from
http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html
The zip file contains a couple of policy jars, which you need to copy over the top of the ones already in
the lib/security directory of your JRE.
JDBC kerberos authentication with Windows 2008 Active Directory is very similar to Windows 2003.
The following changes are required to accommodate the difference in the encryption types.
1) For JDK 1.5 based java applications, Windows 2008 default settings have to be modified to support
DES encryption types as discussed above.
2) For JDK 1.6 based applications, the keytab has to be generated to allow all supported encryption types
as below:
ktpass.exe -princ oracle/mydb.uk.oracle.com@MYREALM.LOCAL -mapuser mydbbox -crypto all -pass password -out c:\keytab
3) For JDK 1.6 based applications, Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction
Policy Files have to be installed as discussed above.
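The encryption type mismatch described in this section can be checked on the client before any connection is attempted. The following is an added example, not code from this paper: it parses a krb5.conf or krb5.ini and reports realm names that are not upper case and enctype lists that share nothing with the Windows 2008 defaults listed above. The class name Krb5ConfAudit and the alias spellings in the enctype set are this example's own choices, the embedded sample is the krb5.ini shown earlier in this paper, and Java 8 or later is assumed.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

// Added example, not code from the paper. Usage: java Krb5ConfAudit [path-to-krb5.conf]
public class Krb5ConfAudit {
    // Windows 2008 default types listed in the paper, plus the short aliases krb5.conf accepts.
    static final Set<String> WIN2008_DEFAULTS = new TreeSet<>(Arrays.asList(
            "aes256-cts-hmac-sha1-96", "aes256-cts", "aes128-cts-hmac-sha1-96", "aes128-cts",
            "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5"));
    // Sample input: the krb5.ini shown in the Windows Native Cache section of the paper.
    static final String SAMPLE = String.join("\n",
            "[libdefaults]",
            "default_realm = MYREALM.VM.ORACLE.COM",
            "default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1",
            "default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1",
            "[realms]",
            "MYREALM.VM.ORACLE.COM = {",
            "kdc = mykdc.us.oracle.com",
            "}",
            "[domain_realm]",
            ".us.oracle.com = MYREALM.VM.ORACLE.COM",
            "us.oracle.com = MYREALM.VM.ORACLE.COM");

    // Returns section -> (key -> value). Lines inside a realm's { ... } block are skipped.
    static Map<String, Map<String, String>> parse(String text) {
        Map<String, Map<String, String>> sections = new LinkedHashMap<>();
        for (String s : new String[] {"libdefaults", "realms", "domain_realm"})
            sections.put(s, new LinkedHashMap<String, String>());
        Map<String, String> current = null;
        int depth = 0;
        for (String raw : text.split("\\r?\\n")) {
            String line = raw.trim();
            if (line.equals("}")) { depth = Math.max(0, depth - 1); continue; }
            if (depth > 0 || line.isEmpty() || line.startsWith("#") || line.startsWith(";")) continue;
            if (line.startsWith("[") && line.endsWith("]")) {
                String name = line.substring(1, line.length() - 1).trim();
                current = sections.computeIfAbsent(name, k -> new LinkedHashMap<String, String>());
                continue;
            }
            int eq = line.indexOf('=');
            if (eq < 0 || current == null) continue;
            String value = line.substring(eq + 1).trim();
            current.put(line.substring(0, eq).trim(), value);
            if (value.endsWith("{")) depth++;
        }
        return sections;
    }

    // Collects one message per problem found; an empty list means both checks passed.
    static List<String> audit(String text) {
        Map<String, Map<String, String>> conf = parse(text);
        Map<String, String> lib = conf.get("libdefaults");
        List<String> findings = new ArrayList<>();
        // Realm names must be upper case (see the notes on case sensitivity).
        Set<String> realms = new TreeSet<>(conf.get("realms").keySet());
        realms.addAll(conf.get("domain_realm").values());
        if (lib.containsKey("default_realm")) realms.add(lib.get("default_realm"));
        for (String r : realms)
            if (!r.equals(r.toUpperCase(Locale.ROOT))) findings.add("realm not upper case: " + r);
        // A list sharing nothing with the Windows 2008 defaults needs the KDC settings changed.
        for (String key : new String[] {"default_tkt_enctypes", "default_tgs_enctypes"}) {
            if (!lib.containsKey(key)) continue;
            Set<String> types = new TreeSet<>(Arrays.asList(
                    lib.get(key).toLowerCase(Locale.ROOT).split("[\\s,]+")));
            types.retainAll(WIN2008_DEFAULTS);
            if (types.isEmpty()) findings.add(key + " has no Windows 2008 default type: " + lib.get(key));
        }
        return findings;
    }

    public static void main(String[] args) throws IOException {
        String text = args.length == 0 ? SAMPLE
                : new String(Files.readAllBytes(Paths.get(args[0])), StandardCharsets.UTF_8);
        for (String f : audit(text)) System.out.println("FINDING: " + f);
    }
}
```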
Conclusion
Authentication is critical for the security of computer systems. Traditional password-based
authentication methods are unsuitable or less than ideal for many computer
systems. The use of strong authentication methods that do not disclose passwords is
imperative. The Kerberos authentication system is well suited for authentication of users
in such environments.
The Oracle JDBC Thin Driver can be effectively configured to use Kerberos
authentication to connect to the Oracle Database, thereby providing a good level of
network security for your Java applications.
January 2013
Author: Kavitha Prakash
Contributing Authors: Jean de Lavarene, Zhenhua Ren, Swati Rao
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
U.S.A.
Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com
Copyright © 2012, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.
Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.