
An Oracle White Paper

January 2013

Kerberos Authentication With Oracle JDBC Thin Driver And Microsoft Active Directory

Introduction
1. Understanding Kerberos Concepts
1.1 JDBC And Kerberos
1.2 Microsoft Active Directory KDC
2. Oracle JDBC Thin Driver And JAAS
3. Kerberos Authentication In JDBC
3.1 Windows Native Cache
3.2 File Cache
Windows 2008 Active Directory
Conclusion
Introduction

Modern computer systems provide service to multiple users and must be able to accurately identify
the user making a request. In traditional systems, the user's identity is verified by checking a
password typed during login; the system records the identity and uses it to determine which
operations may be performed. Password-based authentication is not always the ideal solution for
every computer system, and Kerberos offers security administrators more flexibility than
password-based authentication.

Kerberos is a network authentication protocol which can be used to overcome the vulnerabilities of
traditional password-based authentication. The protocol is named after Kerberos, the three-headed
dog of Greek mythology. The three heads are the Key Distribution Centre (KDC), the client user, and
the server hosting the desired service. In this paper, I would like to discuss how the Oracle JDBC
thin driver uses Kerberos and the Microsoft Active Directory KDC to authenticate to an Oracle
Database.

1. Understanding Kerberos Concepts


Kerberos provides strong security for network resources. The KDC holds information about the users
and servers in the network and provides two services, the Authentication Service (AS) and the Ticket
Granting Service (TGS). The following three exchanges are involved when a client initially accesses
a server resource:

1) AS Exchange:
When initially logging on to a network, the user first negotiates access by providing a login name
and password to the KDC. The AS in the KDC verifies these details and, on successful authentication,
issues a Ticket Granting Ticket (TGT), which is cached locally on the client machine.

2) TGS Exchange:
When the user wishes to access a server service, the user presents the TGT to the TGS portion of the
KDC. The TGS validates the TGT and issues a service ticket.

3) Client/Server Exchange:
Once the client user holds a service ticket, the user can establish a session with the server service.

1.1 JDBC and Kerberos

Oracle JDBC Driver 11g provides support for Kerberos. The Oracle JDBC thin driver can authenticate
to an Oracle Database by communicating with the KDC's Authentication Service and Ticket Granting
Service. Kerberos programming in Java is done via two components:

- JAAS (Java Authentication and Authorization Service) and
- Java GSS-API (Generic Security Services Application Program Interface)

JAAS provides a login module (Krb5LoginModule) which authenticates users using the Kerberos
protocol. JDBC uses JAAS to obtain credentials from the KDC and perform the initial authentication,
and JGSS to contact a Kerberos service. For more information on JGSS and JAAS, refer to the
following article:

http://java.sun.com/javase/6/docs/technotes/guides/security/index.html

1.2 Microsoft Active Directory KDC

Microsoft Active Directory is a directory service of the Windows operating system that facilitates
working with the different resources connected in a complex network in a unified manner. Active
Directory was initially released with Windows 2000 Server and then revised with additional features
in Windows Server 2008. The network services which Active Directory offers can be summarized as
follows:

1) LDAP, an open standard used to access other directory services
2) A security service based on the principles of SSL and Kerberos-based authentication
3) Hierarchical storage of data in a centralized location for faster access and administration
4) Data availability on multiple servers with concurrent updates to provide better scalability

In this paper, we will use Microsoft Windows 2003 Active Directory to illustrate how JDBC thin uses
Kerberos to authenticate to the Oracle Database Server. We will also discuss Windows 2008 Active
Directory briefly and specify the requirements to cater for the new encryption types introduced in
that version.

2. Oracle JDBC Thin Driver And JAAS

The Oracle JDBC 11g thin driver uses the JAAS Krb5LoginModule to obtain the initial credentials
from the Microsoft Active Directory KDC. The Krb5LoginModule has several options which control the
authentication process. We will discuss the options relevant to JDBC:

useTicketCache: If this option is set to "true", the credentials are obtained from the ticket cache.
The default value is "false". The ticket cache can be an operating system file cache or a memory
cache (LSA cache) on Windows platforms. On Solaris and Linux the default location of the file ticket
cache is /tmp/krb5cc_uid, where uid is the numeric user identifier. On Windows, the default location
is {user.home}{file.separator}.krb5cc_{user.name}. On Windows, if a ticket cannot be retrieved from
the file ticket cache, the LSA memory cache is used.

ticketCache: This option specifies the name of the ticket cache, if you wish to override the default
ticket cache.

doNotPrompt: If this option is set to "false", the credentials are not obtained from a ticket cache
and the user is prompted for a password to get the credentials directly from the KDC. The default
value is "false".

For more information about the Krb5LoginModule, refer to the following documentation:
http://download.oracle.com/javase/6/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html

The Oracle JDBC driver invokes Krb5LoginModule with the options useTicketCache=true and
doNotPrompt=true. It is possible to override the values used by the JDBC driver by default and use
different values to suit your needs. The Oracle Database JDBC Developer's Guide, 11g Release 2
(11.2) (http://download.oracle.com/docs/cd/E14072_01/java.112/e10589.pdf) gives an example of how
to get the credentials directly from the KDC instead of using a ticket cache.

In this paper we will only discuss how the JDBC driver uses the file and memory ticket caches to
authenticate to the Oracle Database.

3. Kerberos Authentication In JDBC

We will now discuss in detail how to configure Microsoft Active Directory, the Oracle Database Server
and the Oracle JDBC thin driver to use Kerberos authentication. The Oracle JDBC thin driver can use
the TGT stored in a file-based ticket cache or in a memory cache (also known as the LSA cache or
Windows Native Cache) on Windows clients. Depending on whether the File Cache or the Windows Native
Cache is used, there are a few differences in the configuration of the JDBC thin client.

3.1 Windows Native Cache

When JDBC uses the Windows Native Cache, the JDBC thin client should be in the same domain as the
Active Directory Server. When a domain user created in Active Directory logs into any machine in the
domain, the TGT is obtained from Active Directory as part of the login process and stored locally in
memory. The Oracle Database Server does not have to be in the same domain as the Active Directory
Server and can be on a Windows or Unix platform.

Environment Details

Kerberos Server (Microsoft KDC):
- Host name: mykdc.us.oracle.com
- Microsoft Windows Server 2003 Enterprise Edition with Service Pack 2
- Active Directory (incorporating the Kerberos Key Distribution Centre (KDC))
- Realm name: MYREALM.VM.ORACLE.COM

Oracle Database (Kerberos Client):
- Host name: mydb.us.oracle.com
- Oracle Enterprise Linux
- Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production with Oracle Advanced Security Option (ASO)

JDBC Client:
- Host name: myclient.us.oracle.com
- Microsoft Windows 7
- JDBC driver 11.2.0.1

Part 1: Configure Oracle Kerberos Client to Interoperate with Windows Server 2003 KDC

The following steps are to be performed on the Oracle Database server, the Kerberos Client.

1) Install Kerberos Software on the Kerberos Client

Install the Kerberos software on the Oracle database server, the Kerberos Client. In this case,
Oracle is installed on Oracle Enterprise Linux, which provides MIT-compliant Kerberos client/server
software.
The following command can be used to verify that the required Kerberos client packages are installed.
For example:
$ rpm -qa | grep -i krb5
krb5-workstation-1.2.7-44
pam_krb5-1.73-1
krb5-libs-1.2.7-44

2) Configure Kerberos Client Configuration to Use Windows Server 2003 KDC

Modify the following system configuration files on the Oracle database server.
For example:

# /etc/krb5.conf:
[libdefaults]
default_realm = MYREALM.VM.ORACLE.COM
default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
default_etypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
default_etypes_des = des-cbc-md5 des-cbc-crc des3-cbc-sha1

[realms]
MYREALM.VM.ORACLE.COM = {
kdc = mykdc.us.oracle.com
}
[domain_realm]
.us.oracle.com = MYREALM.VM.ORACLE.COM
us.oracle.com = MYREALM.VM.ORACLE.COM

# /etc/hosts:
127.0.0.1 localhost.localdomain localhost
10.240.171.53 mykdc.us.oracle.com mykdc
mykdc.myrealm.vm.oracle.com myrealm.vm.oracle.com myrealm
10.245.24.198 mydb.us.oracle.com mydb

# /etc/services:
kerberos 88/tcp kerberos5 krb5 # Kerberos v5
kerberos 88/udp kerberos5 krb5 # Kerberos v5

Note: Kerberos, including Active Directory, is case sensitive, therefore make sure to specify the
Active Directory realm name (@MYREALM.VM.ORACLE.COM) in upper case.
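As an added check that is not part of the Oracle paper, the following Python lints a krb5.conf of the shape shown in Step 2: it parses the [libdefaults], [realms] and [domain_realm] sections, flags realm names that are not upper case or that differ from the defined realm only in case (the mistake the note above warns about), and classifies the DES, 3DES and RC4 enctypes as disallowed (RFC 6649) or deprecated (RFC 8429). The sample configurations are constructed from Step 2; the "hardened" variant with AES enctypes shows what a clean result looks like.

```python
import re

# Constructed sample: the [libdefaults]/[realms]/[domain_realm] settings from Step 2 above, with
# one domain_realm mapping typed in lower case so the case check has something to flag.
WEAK_KRB5_CONF = """\
[libdefaults]
default_realm = MYREALM.VM.ORACLE.COM
default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1

[realms]
MYREALM.VM.ORACLE.COM = {
kdc = mykdc.us.oracle.com
}

[domain_realm]
.us.oracle.com = MYREALM.VM.ORACLE.COM
us.oracle.com = myrealm.vm.oracle.com
"""

# The same file with AES enctypes and the mapping corrected (what a hardened client should carry).
HARDENED_KRB5_CONF = WEAK_KRB5_CONF.replace(
    "des-cbc-md5 des-cbc-crc des3-cbc-sha1", "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96"
).replace("myrealm.vm.oracle.com", "MYREALM.VM.ORACLE.COM")


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value}}; [realms] entries nest one level deeper."""
    sections, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        head = re.match(r"\[(\w+)\]$", line)
        if head:
            section, realm = head.group(1), None
            sections.setdefault(section, {})
            continue
        if section is None:
            continue
        if line == "}":
            realm = None
            continue
        kv = re.match(r"([^=\s]+)\s*=\s*(.*)$", line)
        if not kv:
            continue
        key, value = kv.group(1), kv.group(2).strip()
        if value == "{":  # start of a "REALM = { ... }" block
            realm = key
            sections[section][realm] = {}
        elif realm is not None:
            sections[section][realm][key] = value
        else:
            sections[section][key] = value
    return sections


def classify_enctype(name):
    """'des' (RFC 6649 disallows it), 'deprecated' (RFC 8429), 'aes' or 'other'."""
    n = name.lower()
    if n.startswith("des-"):
        return "des"
    if n.startswith("des3-") or n.startswith("arcfour") or n == "rc4-hmac":
        return "deprecated"
    return "aes" if n.startswith("aes") else "other"


def lint_krb5_conf(text):
    """Return a list of findings; an empty list means nothing to flag."""
    conf = parse_krb5_conf(text)
    libdefaults, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    findings = []
    default_realm = libdefaults.get("default_realm")
    if default_realm is None:
        findings.append("libdefaults: default_realm is not set")
    elif default_realm != default_realm.upper():
        findings.append("libdefaults: default_realm %r is not upper case" % default_realm)
    for realm in realms:
        if realm != realm.upper():
            findings.append("realms: %r is not upper case" % realm)
    # Realm names compare case-sensitively: a mapping that differs only in case never matches.
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm in realms:
            continue
        if realm.upper() in realms:
            findings.append("domain_realm: %r maps to %r, which differs from the defined realm only in case" % (domain, realm))
        else:
            findings.append("domain_realm: %r maps to undefined realm %r" % (domain, realm))
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        for enctype in libdefaults.get(key, "").split():
            kind = classify_enctype(enctype)
            if kind == "des":
                findings.append("%s: %s is single DES (disallowed by RFC 6649)" % (key, enctype))
            elif kind == "deprecated":
                findings.append("%s: %s is deprecated (RFC 8429)" % (key, enctype))
    return findings
```

Running lint_krb5_conf on the weak sample reports the lower-case mapping plus one finding per DES/3DES enctype in each enctype list; the hardened sample reports nothing.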

3) Ensure Oracle Kerberos Authentication Adapter is Installed on the Oracle Kerberos Client

Verify that the Oracle Kerberos Authentication adapter is installed on the Oracle database server
and is linked into the oracle executable.
To check that the Kerberos authentication adapter is installed, run the
$ORACLE_HOME/bin/adapters command.
For example:

$ cd $ORACLE_HOME/bin
$ ./adapters
Installed Oracle Advanced Security options are:
......
Kerberos v5 authentication
RADIUS authentication

If the Kerberos Authentication adapter is not listed, run the Oracle Installer and perform a custom
installation to install the Advanced Security Option.

Part 2: Configure Windows 2003 Domain Controller KDC to Interoperate with a Kerberos Client

The following steps are to be performed on the Microsoft Active Directory Server, the Kerberos
Server.

4) Create New User for the Kerberos Client in Microsoft Active Directory

Create one or more user accounts in Microsoft Active Directory.
Users are those that will connect to the Oracle database from user workstations using Kerberos
authentication.
User test is created in the following example, though it should not be confused with the
demonstration database schema test.
The following user properties exist for user test in Active Directory Users and Computers.
[General tab]
First Name: test
Last Name: test
Display Name: test test

[Account tab:]
User logon name: test@myrealm.vm.oracle.com
User logon name (pre-Windows 2000): MYREALM\test

5) Create Oracle Database Service Principal in Microsoft Active Directory

Before Kerberized clients, such as Oracle, can request that Active Directory 2003 encrypt service
tickets using client-defined encryption types, Windows Server 2003 must first be patched to allow
this. Due to the restriction described in http://support.microsoft.com/default.aspx?scid=kb;en-us;833708,
apply the hotfix or Windows Server 2003 Service Pack 1, create the registry parameter
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Kdc\KdcUseRequestedEtypesForTickets
of type REG_DWORD with value Hex 1, then restart the Kerberos KDC service.

Using Active Directory Users and Computers, create a new user to be used for the Oracle database
service principal.
Assuming the Oracle database runs on host mydb.us.oracle.com, create a user with a service principal
username of mydb.us.oracle.com and password of oracle.
For example:
[General tab]
First Name: mydb
Display Name: mydb

[Account tab:]
User logon name: mydb@myrealm.vm.oracle.com
User logon name (pre-Windows 2000): MYREALM\mydb

[Account Options:]
Password never expires.
Note: Do not select the 'User must change password on next logon' option.
Complete the creation of the Oracle database service principal user in Microsoft Active Directory
using Microsoft's ktpass.exe utility.
The ktpass utility is provided as part of the Windows Server 2003 Support Tools, available from
http://support.microsoft.com/kb/892777.
Note: Be sure to use only the Windows 2003 version of ktpass to create AD users, and not the one
from Windows 2000.
The following command modifies the service principal account to use DES encryption types, alters the
service name format to incorporate a service name of oracle, and extracts the key table to a file;
this is required by the database server running on host mydb.us.oracle.com.

For example:
C:\Documents and Settings\Administrator.>ktpass /princ oracle/mydb.us.oracle.com@MYREALM.VM.ORACLE.COM /mapuser MYREALM\mydb /pass mypassword +desonly /crypto des-cbc-md5 -out c:\temp\keytab.mydb /ptype KRB5_NT_PRINCIPAL

Targeting domain controller: mykdc.us.ORACLE.COM
Using legacy password setting method
Successfully mapped oracle/mydb.us.oracle.com to mydb.
Key created.
Output keytab to c:\temp\keytab.mydb:
Keytab version: 0x502
keysize 76 oracle/mydb.us.oracle.com@MYREALM.VM.ORACLE.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 6 etype 0x3 (DES-CBC-MD5) keylength 8 (0xc7387f26b9165b29)
Account mydb has been set for DES-only encryption.

After running ktpass, add a Service Principal Name (SPN) with the setspn tool.
Note: type the setspn command in by hand rather than copying and pasting it (see
http://social.microsoft.com/Forums/en/crmdeployment/thread/218667e1-2e31-44f0-b0d4-0f4f5805b05f).
For example:
C:\Documents and Settings\Administrator.>setspn -A oracle/mydb.us.oracle.com/MYREALM.VM.ORACLE.COM mykdc
Registering ServicePrincipalNames for CN=MYKDC,OU=Domain Controllers,DC=MYREALM,DC=VM,DC=ORACLE,DC=COM
oracle/mydb.us.oracle.com/MYREALM.VM.ORACLE.COM
Updated object

C:\Documents and Settings\Administrator.>setspn -L mykdc
Registered ServicePrincipalNames for CN=MYKDC,OU=Domain Controllers,DC=MYREALM,DC=VM,DC=ORACLE,DC=COM:
oracle/mydb.us.oracle.com/MYREALM.VM.ORACLE.COM
......

Note: Kerberos, including Active Directory, is case sensitive, therefore make sure to specify the
Active Directory realm name (MYREALM.VM.ORACLE.COM) in upper case.
After running ktpass.exe and setspn, Active Directory Users and Computers should display the
modified user properties for service principal mydb.
For example:
[General tab]
First Name: mydb
Display Name: mydb

[Account tab:]
User logon name: oracle/mydb.us.oracle.com@myrealm.vm.oracle.com
User logon name (pre-Windows 2000): MYREALM\mydb

[Account Options:]
Password never expires.
Use DES encryption types for this account

When selecting passwords for users/service principals, the passwords must comply with the domain
password policy.
By default, Windows Server 2003 Active Directory enforces a password policy that is not based on the
account name, requires a minimum length of 6 characters, and requires characters from at least three
of the following groups: A-Z (upper), a-z (lower), 0-9 (numeric), non-alphanumeric characters (e.g.
punctuation).

The default domain password policy can be displayed or changed using Administrative Tools' Default
Domain Security Settings by clicking Security Settings, Account Policies, Password Policy. If
modified, run 'C:\> gpupdate /force' for the user/group policy changes to take immediate effect. All
changes made affect the entire domain.

Where multiple databases exist on different servers, you must configure separate service principal
usernames for each database host.
Additionally, as a precaution, you might consider changing the keytab file name to reflect the target
host for which it was created, e.g. keytab.mydb.
Whilst the same service name may be used by different database hosts, Active Directory limits each
service principal user to one service.
Copy the key table generated by ktpass.exe (c:\temp\keytab.mydb) to the appropriate Oracle database
server in binary mode (for example, with ftp in binary mode).

Part 3: Configure Oracle Database to Interoperate with Windows Server 2003 Active Directory

The following steps are to be performed on the Oracle Database server, the Kerberos Client.

6) Configure Oracle Net Parameters for Database Server

Add the following parameters and appropriate values to the sqlnet.ora file on the database server.
SQLNET.KERBEROS5_CONF
SQLNET.KERBEROS5_KEYTAB
SQLNET.KERBEROS5_CONF_MIT
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE
SQLNET.AUTHENTICATION_SERVICES

For example:
The file is usually found in a directory such as
/u03/app/oracle/product/11.2.0/network/admin/sqlnet.ora; in this case it is $T_WORK/sqlnet.ora.

NAMES.DIRECTORY_PATH=(TNSNAMES)
SQLNET.KERBEROS5_CONF=/etc/krb5.conf
SQLNET.KERBEROS5_KEYTAB=/etc/keytab.mydb
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oracle
SQLNET.KERBEROS5_CONF_MIT=true
SQLNET.AUTHENTICATION_SERVICES=(beq,kerberos5)

Copy the key table file (keytab.mydb) generated from Active Directory 2003 to the location
specified by the parameter SQLNET.KERBEROS5_KEYTAB.

7) Configure Oracle Initialization Parameters for Database Server

Add the following parameters to the database initialization parameter file (initSID.ora or
spfileSID.ora); in this case the file is init1.ora:
OS_AUTHENT_PREFIX=""
REMOTE_OS_AUTHENT=FALSE

The default value of the parameter OS_AUTHENT_PREFIX is "OPS$", which, for externally identified
database users created without this prefix, may result in Oracle error ORA-1017: 'invalid
username/password; logon denied'. A limit of 30 characters exists for database usernames, so the
longer the Active Directory realm name, the shorter the usernames must be. Using the default prefix
may further limit the maximum length of externally identified usernames, resulting in ORA-978:
'identifier is too long'.
Then connect to the database as SYSDBA and restart it:

SQL> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL> startup pfile=init1.ora
ORA-32006: REMOTE_OS_AUTHENT initialization parameter has been deprecated
ORACLE instance started.

Total System Global Area 785035264 bytes
Fixed Size 2232392 bytes
Variable Size 763367352 bytes
Database Buffers 16777216 bytes
Redo Buffers 2658304 bytes
Database mounted.
Database opened.

To check the value of the initialization parameters OS_AUTHENT_PREFIX and REMOTE_OS_AUTHENT, run
the following commands:

SQL> show parameter os_authent_prefix

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
os_authent_prefix                    string

SQL> show parameter remote_os_authent

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
remote_os_authent                    boolean     FALSE

8) Create an Externally Authenticated Oracle User

Create an externally identified user in the Oracle database.
The username should be the same as that created in Active Directory in Step 6 above and appended
with the '@' symbol and Active Directory realm name.
The username must be created in upper case and quoted.
For example:
SQL> create user "TEST@MYREALM.VM.ORACLE.COM" identified externally;
User created.

SQL> grant connect, resource to "TEST@MYREALM.VM.ORACLE.COM";
Grant succeeded.

Part 4 - Configure the Oracle Database Client to Interoperate with the Oracle Database Server

The following steps are to be performed on the Oracle Client.

9) Add the registry key

The registry key allowtgtsessionkey should be added and set correctly to allow session keys to be
sent in the Kerberos Ticket-Granting Ticket.
On Windows Server 2003 and Windows 2000 SP4, the required location is:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value Name: allowtgtsessionkey
Value Type: REG_DWORD
Value: 0x01 (default is 0)
(By default, the value is 0; setting it to 0x01 allows a session key to be included in the TGT.)

On Windows XP SP2 the registry setting is located at:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\
Value Name: allowtgtsessionkey
Value Type: REG_DWORD
Value: 0x01

Reference:
http://download.oracle.com/javase/1.5.0/docs/guide/security/jgss/tutorials/Troubleshooting.html

For Windows 7/Windows Vista clients where the domain user is also a member of the local
Administrators group, disable UAC as described below:
a) Open User Account Control Settings: type UAC in the Start Search box, then choose Change User
Account Control settings in the Control Panel window. Move the slider to the lowest setting (Never
Notify) and click OK. Restart your computer for the changes to take effect.

(OR)

b) Apply the hotfix described in Microsoft article http://support.microsoft.com/kb/942219/en-us

10) Copy the Kerberos configuration file for the Oracle Client

Copy the krb5.ini configuration file from the Windows Server 2003 machine to the Windows 7 client
and place it in the c:\windows directory:

[libdefaults]
default_realm = MYREALM.VM.ORACLE.COM
default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
default_etypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
default_etypes_des = des-cbc-md5 des-cbc-crc des3-cbc-sha1

[realms]
MYREALM.VM.ORACLE.COM = {
kdc = mykdc.us.oracle.com
}

[domain_realm]
.us.oracle.com = MYREALM.VM.ORACLE.COM
us.oracle.com = MYREALM.VM.ORACLE.COM

11) Obtain an Initial Ticket for the Oracle Client

First, the Windows 7 client machine should join the Active Directory domain
MYREALM.VM.ORACLE.COM.
Add the IP address of the Active Directory server (mykdc.us.oracle.com) as the first entry in the
list of DNS servers. Click Start, then My Network Places, right-click the network connection and
choose "Properties" from the menu. In the properties window, select Internet Protocol (TCP/IP) and
click the Properties button. In the next window, add the IP address of the Active Directory server
and apply the changes.

Click Start, right-click My Computer and choose Properties, select the Computer Name tab and, under
"To rename this computer or join a domain", click Change. Change the domain to
MYREALM.VM.ORACLE.COM and provide the Administrator username/password for the Active Directory
server.

Log into the Windows 7 client machine as Active Directory user "test" and check that the Windows
Native Cache is populated, using the klist.exe utility provided with the Windows 2000/2003 Resource
Kit tools. Note that the klist.exe utility provided with the JDK or with the operating system will
not provide this functionality. For example, klist will show the following output:

C:\>klist

Current LogonId is 0:0x11bb030

Cached Tickets: (1)
#0> Client: test @ MYREALM.VM.ORACLE.COM
Server: krbtgt/MYREALM.VM.ORACLE.COM @ MYREALM.VM.ORACLE.COM
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
Start Time: 7/26/2012 23:46:49 (local)
End Time: 7/27/2012 9:46:49 (local)
Renew Time: 8/2/2012 23:46:49 (local)
Session Key Type: RSADSI RC4-HMAC(NT)

12) Run the following sample JDBC program. This program connects to the database using the
Windows Native Cache.

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;
import oracle.jdbc.OracleConnection;
import oracle.jdbc.OracleDriver;
import oracle.net.ano.AnoServices;

public class TestOra3
{
    public TestOra3() { }

    public void doit() throws SQLException
    {
        Properties props = new Properties();
        // Ask the thin driver to authenticate with Kerberos 5 and request mutual authentication.
        props.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_NET_AUTHENTICATION_SERVICES,
            "( " + AnoServices.AUTHENTICATION_KERBEROS5 + " )");
        props.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_NET_AUTHENTICATION_KRB5_MUTUAL,
            "true");
        // Point the JDK's Kerberos implementation at the krb5.ini copied in step 10.
        // No ticket cache name is given, so the driver falls back to the LSA memory cache.
        System.setProperty("java.security.krb5.conf", "c:/windows/krb5.ini");

        String url = "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)" +
            "(PORT=1521)(HOST=mydb.us.oracle.com))" +
            "(CONNECT_DATA=(SERVICE_NAME=myservice.us.oracle.com)(SERVER=dedicated)))";

        DriverManager.registerDriver(new OracleDriver());
        Connection conn = DriverManager.getConnection(url, props);
        // {fn user()} returns the authenticated database user, i.e. the externally identified user.
        String sql = "select {fn user()} from dual";
        Statement stmt = conn.createStatement();
        ResultSet rs = stmt.executeQuery(sql);
        while (rs.next())
            System.out.println("results: " + rs.getString(1));
        conn.close();
    }

    public static void main(String[] args)
    {
        TestOra3 test = new TestOra3();
        try
        {
            test.doit();
            System.out.println("Done");
        }
        catch (SQLException e)
        {
            e.printStackTrace();
        }
    }
}

Output:
results: TEST@MYREALM.VM.ORACLE.COM
Done.

3.2 Operating System File Cache

JDBC can also authenticate using a file cache created by utilities such as kinit or okinit. In this
case, the Oracle Database Server and the JDBC client do not have to be in the same domain as the
Active Directory Server.

Environment Details

Kerberos Server (Microsoft KDC):
- Host name: mykdc.us.oracle.com
- Microsoft Windows Server 2003 Enterprise Edition with Service Pack 2
- Active Directory (incorporating the Kerberos Key Distribution Centre (KDC))
- Realm name: MYREALM.VM.ORACLE.COM

Oracle Database (Kerberos Client):
- Host name: mydb.us.oracle.com
- Oracle Enterprise Linux
- Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production with Oracle Advanced Security Option (ASO)

JDBC Client:
- Host name: myclient.us.oracle.com
- Oracle Enterprise Linux
- JDBC driver 11.2.0.3

The Active Directory and database configuration are the same as documented in the previous section;
only the JDBC client configuration differs.
Part 1: Configure Oracle Kerberos Client to Interoperate with Windows Server 2003 KDC
Part 2: Configure Windows 2003 Domain Controller KDC to Interoperate with a Kerberos Client
Part 3: Configure Oracle Database to Interoperate with Windows Server 2003 Active Directory KDC

Note: Parts 1 to 3 are identical to those in Section 3.1, so they are omitted here.

Part 4 - Configure the Oracle Database Client to Interoperate with the Oracle Database Server

The following steps are to be performed on the Oracle Client.

1) Obtain an Initial Ticket for the Oracle Client

Oracle clients must obtain an initial Kerberos Ticket Granting Ticket (TGT) from the Kerberos KDC
before being able to connect to the Oracle database.
Failure to request and obtain the initial TGT will result in Oracle error ORA-12638: 'Credential
retrieval failure'.
To obtain an initial TGT, run the $ORACLE_HOME/bin/okinit utility on the Oracle client, or kinit in
the general case.
For example:
$ kinit test
Password for test@MYREALM.VM.ORACLE.COM:

Note: the password entered by user test is the same as that specified when user test was created in
Active Directory.

To display the list of tickets obtained by the user, run the $ORACLE_HOME/bin/oklist or klist utility
on the Oracle client.
For example:
$ klist
Ticket cache: FILE:/tmp/krb5cc_500220
Default principal: test@MYREALM.VM.ORACLE.COM

Valid starting     Expires            Service principal
07/17/12 06:11:52  07/17/12 16:10:54  krbtgt/MYREALM.VM.ORACLE.COM@MYREALM.VM.ORACLE.COM
        renew until 07/18/12 06:11:52
Kerberos 4 ticket cache: /tmp/tkt500220
klist: You have no tickets cached

The credential cache file krb5cc_<uid>, readable only by the user, is created in the /tmp directory.
For example:
$ ls -l /tmp/krb5cc_500220
-rw------- 1 user dba 1129 Jul 17 06:12 /tmp/krb5cc_500220
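As an added example that is not from the Oracle paper, the following Python parses both klist formats this paper shows (the Windows LSA cache listing from Section 3.1, Step 11, and the MIT-style file cache listing above) and checks whether a TGT for the realm is usable at a given time, which is the condition that avoids ORA-12638; it also notes a DES or RC4 ticket enctype. The sample outputs are constructed copies of those on the page.

```python
import re
from datetime import datetime

# Constructed sample: the Windows (LSA cache) klist output shown in Section 3.1, Step 11.
WINDOWS_KLIST = """\
Cached Tickets: (1)
#0> Client: test @ MYREALM.VM.ORACLE.COM
Server: krbtgt/MYREALM.VM.ORACLE.COM @ MYREALM.VM.ORACLE.COM
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
Start Time: 7/26/2012 23:46:49 (local)
End Time: 7/27/2012 9:46:49 (local)
Renew Time: 8/2/2012 23:46:49 (local)
"""

# Constructed sample: the MIT-style klist output from Section 3.2, with the long principal wrapped.
MIT_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_500220
Default principal: test@MYREALM.VM.ORACLE.COM

Valid starting     Expires            Service principal
07/17/12 06:11:52  07/17/12 16:10:54
krbtgt/MYREALM.VM.ORACLE.COM@MYREALM.VM.ORACLE.COM
        renew until 07/18/12 06:11:52
"""

MIT_STAMP = r"\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}"


def _principal(text):
    """Windows klist prints 'name @ REALM'; normalise to the usual name@REALM form."""
    return re.sub(r"\s*@\s*", "@", text.strip())


def parse_windows_klist(text):
    """Return one dict per ticket in a Windows klist listing."""
    tickets, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if re.match(r"#\d+>", line):  # "#0> Client: ..." starts a new ticket
            current = {"flags": set(), "enctype": None}
            tickets.append(current)
            line = line.split(">", 1)[1].strip()
        if current is None:
            continue
        if line.startswith("Ticket Flags"):
            current["flags"] = set(line.split("->", 1)[1].split())
            continue
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "Client":
            current["client"] = _principal(value)
        elif key == "Server":
            current["server"] = _principal(value)
        elif key == "KerbTicket Encryption Type":
            current["enctype"] = value
        elif key in ("Start Time", "End Time", "Renew Time"):
            stamp = value.replace("(local)", "").strip()
            current[key.split()[0].lower()] = datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S")
    return tickets


def parse_mit_klist(text):
    """Return one dict per ticket in MIT/okinit-style klist output (plain klist prints no enctype)."""
    tickets, client, i = [], None, 0
    lines = [line.strip() for line in text.splitlines()]
    while i < len(lines):
        line, i = lines[i], i + 1
        if line.startswith("Default principal:"):
            client = line.split(":", 1)[1].strip()
            continue
        m = re.match(r"(%s)\s+(%s)\s*(\S+)?$" % (MIT_STAMP, MIT_STAMP), line)
        if not m:
            continue
        server = m.group(3)
        if server is None:  # service principal wrapped onto the next line
            server, i = lines[i], i + 1
        tickets.append({"client": client, "server": server, "flags": set(), "enctype": None,
                        "start": datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S"),
                        "end": datetime.strptime(m.group(2), "%m/%d/%y %H:%M:%S")})
    return tickets


def check_tgt(tickets, realm, now):
    """Return (ok, message): is there a TGT for realm that is usable at time 'now'?"""
    wanted = "krbtgt/%s@%s" % (realm, realm)
    for t in tickets:
        if t["server"] != wanted:
            continue
        if not (t["start"] <= now < t["end"]):
            return False, "TGT for %s is outside its validity window at %s" % (t["client"], now)
        note = ""
        if t["enctype"] and re.search(r"DES|RC4", t["enctype"].upper()):
            note = "; ticket enctype %s is DES/RC4 (deprecated by RFC 6649/8429)" % t["enctype"]
        return True, "valid TGT for %s until %s%s" % (t["client"], t["end"], note)
    return False, "no TGT for realm %s in the cache (expect ORA-12638)" % realm
```

Pass datetime.now() as the third argument of check_tgt to test a live cache listing captured from klist.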

2) Run the following sample JDBC program. This program connects to the database using the
credentials in the File Cache.

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;
import oracle.jdbc.OracleConnection;
import oracle.jdbc.OracleDriver;
import oracle.net.ano.AnoServices;

public class TestOra3
{
    public TestOra3() { }

    public void doit() throws SQLException
    {
        Properties props = new Properties();
        // Ask the thin driver to authenticate with Kerberos 5 and request mutual authentication.
        props.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_NET_AUTHENTICATION_SERVICES,
            "( " + AnoServices.AUTHENTICATION_KERBEROS5 + " )");
        props.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_NET_AUTHENTICATION_KRB5_MUTUAL,
            "true");

        // Point the JDK's Kerberos implementation at the client's krb5.conf and tell the driver
        // which file ticket cache to read: the one populated by kinit in step 1 above.
        System.setProperty("java.security.krb5.conf", "/etc/krb5.conf");
        props.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_NET_AUTHENTICATION_KRB5_CC_NAME,
            "/tmp/krb5cc_500220");

        String url = "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)" +
            "(PORT=1521)(HOST=mydb.us.oracle.com))" +
            "(CONNECT_DATA=(SERVICE_NAME=myservice.us.oracle.com)(SERVER=dedicated)))";

        DriverManager.registerDriver(new OracleDriver());
        Connection conn = DriverManager.getConnection(url, props);
        // {fn user()} returns the authenticated database user, i.e. the externally identified user.
        String sql = "select {fn user()} from dual";
        Statement stmt = conn.createStatement();
        ResultSet rs = stmt.executeQuery(sql);
        while (rs.next())
            System.out.println("results: " + rs.getString(1));
        conn.close();
    }

    public static void main(String[] args)
    {
        TestOra3 test = new TestOra3();
        try
        {
            test.doit();
            System.out.println("Done");
        }
        catch (SQLException e)
        {
            e.printStackTrace();
        }
    }
}

Output:
results: TEST@MYREALM.VM.ORACLE.COM
Done.

Note:
We have discussed Kerberos authentication in a simple single-realm environment without credential
delegation. The Oracle JDBC driver is also capable of handling Kerberos authentication in more
complex environments.

- JDBC driver 11g Release 2 has support for forwardable tickets, which allows tickets obtained on
one system to be used on another system. In the case of a file ticket cache, forwardable tickets can
be enabled by setting forwardable=true in the krb5.conf file. In the case of a Windows native ticket
cache, forwardable tickets are controlled by the property "Account is sensitive and cannot be
delegated" for the user account in Active Directory.

- JDBC driver 11g Release 2 also allows cross-realm authentication across multiple realms. For
example, users in one realm may need to access services available in another realm. In Java,
cross-realm authentication can be enabled by specifying all required target realms in the
[domain_realm] section of krb5.conf.

Windows 2008 Active Directory

Windows 2008 Active Directory supports the following encryption types by default:

• AES256-CTS-HMAC-SHA1-96
• AES128-CTS-HMAC-SHA1-96
• RC4-HMAC

JDK 1.5 only supports DES encryption types. Hence JDK 1.5 based applications can only work with
Windows 2008 Active Directory if the default settings are changed to allow DES encryption types, as
described in the following article:
http://support.microsoft.com/kb/977321
JDK 1.6 supports the new encryption types provided by Windows 2008 Active Directory, but has a
128-bit key size restriction. This implies that 256-bit AES encryption cannot be used with the default
JDK 1.6. This restriction can be overcome by installing the Java Cryptography Extension (JCE) Unlimited
Strength Jurisdiction Policy Files 6, which can be downloaded from
http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html
The zip file contains a couple of policy jars, which you need to copy over the top of the ones already in
the lib/security directory of your JRE.
JDBC Kerberos authentication with Windows 2008 Active Directory is very similar to Windows 2003.
The following changes are required to accommodate the difference in the encryption types.

1) For JDK 1.5 based Java applications, Windows 2008 default settings have to be modified to support
DES encryption types as discussed above.
2) For JDK 1.6 based applications, the keytab has to be generated to allow all supported encryption types,
as below:
ktpass.exe -princ oracle/mydb.uk.oracle.com@MYREALM.LOCAL -mapuser mydbbox -crypto all -pass password -out c:\keytab
3) For JDK 1.6 based applications, the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction
Policy Files have to be installed as discussed above.
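The following preflight check is an added example, not code from the white paper or from the Oracle driver. It reports, before a JDK 1.6 client attempts the connection, whether the three conditions discussed above are met: the JCE Unlimited Strength policy (so AES256-CTS-HMAC-SHA1-96 tickets issued by Windows 2008 Active Directory can be used), a readable krb5.conf, and a populated file ticket cache. The class name and file paths are assumptions; the cache path reuses the one from TestOra3.

```java
import java.io.File;
import java.security.NoSuchAlgorithmException;
import javax.crypto.Cipher;

/* Added example (not part of the paper): checks a JDK 1.6 client against the
 * Windows 2008 Active Directory requirements before a Kerberos JDBC connection. */
public class Krb5Preflight
{
  // AES256-CTS-HMAC-SHA1-96 tickets from Windows 2008 need a 256-bit AES key
  static final int AES256_KEY_BITS = 256;

  /* True when the JCE Unlimited Strength policy files are installed. A default
   * JDK 1.6 returns 128 here, so an AES256 ticket in the cache cannot be used
   * and the Kerberos handshake with the database fails. */
  public static boolean unlimitedStrengthInstalled() throws NoSuchAlgorithmException
  {
    return Cipher.getMaxAllowedKeyLength("AES") >= AES256_KEY_BITS;
  }

  /* True when the file named by java.security.krb5.conf (or the path passed in)
   * is readable; without it the JDK cannot locate the realm's KDC. */
  public static boolean krb5ConfReadable(String path)
  {
    File f = new File(path);
    return f.isFile() && f.canRead();
  }

  /* True when the cache that KRB5_CC_NAME will point at exists and is non-empty,
   * i.e. kinit has been run for the connecting user. Not applicable to the
   * Windows native cache, which is not a file. */
  public static boolean ticketCacheUsable(String ccName)
  {
    File cc = new File(ccName);
    return cc.isFile() && cc.canRead() && cc.length() > 0;
  }

  public static void main(String[] args) throws Exception
  {
    // Assumed paths; the cache name matches the one used in TestOra3
    String conf = System.getProperty("java.security.krb5.conf", "/etc/krb5.conf");
    String cc = args.length > 0 ? args[0] : "/tmp/krb5cc_500220";
    System.out.println("AES-256 allowed (JCE unlimited policy): " + unlimitedStrengthInstalled());
    System.out.println("krb5.conf readable (" + conf + "): " + krb5ConfReadable(conf));
    System.out.println("ticket cache usable (" + cc + "): " + ticketCacheUsable(cc));
  }
}
```

Run it with the same java.security.krb5.conf setting the application will use; a false on the first line is the symptom of the 128-bit restriction described above rather than a configuration typo.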

Conclusion

Authentication is critical for the security of computer systems. Traditional password based
authentication methods are not suitable, or not ideal, for many computer systems. The use of
strong authentication methods that do not disclose passwords is imperative. The Kerberos
authentication system is well suited for authenticating users in such environments.

The Oracle JDBC Thin Driver can be effectively configured to use Kerberos
authentication to connect to the Oracle Database, thereby providing a good level of
network security for your Java applications.

Kerberos Authentication With Oracle JDBC Thin Driver And Microsoft Active Directory
January 2013
Author: Kavitha Prakash
Contributing Authors: Jean de Lavarene, Zhenhua Ren, Swati Rao

Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
U.S.A.
Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com

Copyright © 2012, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.
