How Enterprise Users Are Authenticated

Enterprise User Security supports the following authentication methods:

  • Password-based authentication

  • SSL-based authentication

  • Kerberos-based authentication

Each authentication method has advantages and disadvantages. Table 1-1 summarizes the criteria for selecting which authentication method is best for your Enterprise User Security implementation.


Table 1-1 Enterprise User Security Authentication: Selection Criteria

| Password Authentication | SSL Authentication | Kerberos Authentication |
|---|---|---|
| Password-based authentication | Provides strong authentication over SSL | Provides strong authentication by using Kerberos, version 5 tickets |
| Provides centralized user and password management | Provides centralized user and PKI credential/wallet management | Provides centralized user and Kerberos credential management |
| Separate authentications required for each database connection | Supports single sign-on (SSO) using SSL | Supports SSO using Kerberos, version 5 encrypted tickets and authenticators, and authentication forwarding |
| Retains users' current authentication methods | Initial configuration may be more difficult because PKI credentials must be generated for all users (dependent on administrators' PKI knowledge) | Initial configuration may be more difficult because Kerberos must be installed and configured to authenticate database users |
| User identity can be used in two-tier or multitier applications. OracleAS Single Sign-On users and enterprise users use the same stored password | Compatible with either a two-tier or multitier environment | Compatible with either a two-tier or multitier environment |
| Supports Oracle Release 7.3 and later clients with Oracle Database 10g and later | Supports Oracle8i and later clients with Oracle Database 10g and later | Supports Oracle Database 10g and later clients with Oracle Database 10g and later |
| Supports current user database links only if the connection between databases is over SSL | Supports current user database links | Supports current user database links only if the connection between databases is over SSL |
| Can use third-party directories to store users if synchronized with Oracle Internet Directory (footnote 1) | Can use third-party directories to store users if synchronized with Oracle Internet Directory (footnote 2) | Can use third-party directories to store users if synchronized with Oracle Internet Directory (footnote 3) |


Note:

Enterprise User Security supports three-tier environments. Oracle Database proxy authentication features enable

(i) proxy of user names and passwords through multiple tiers, and

(ii) proxy of X.509 certificates and distinguished names through multiple tiers.


Footnote 1: If the third-party directory is Microsoft Active Directory, then when user passwords change, they must be changed in both Active Directory and Oracle Internet Directory.

Footnote 2: You must modify the Directory Integration Services agent to synchronize user PKCS #12 attributes.

Footnote 3: If the third-party directory is Microsoft Active Directory, then logging in to Windows gives you single sign-on login to databases. However, you must modify the Directory Integration Services agent for other third-party directories to synchronize the KrbPrincipalName attribute. This synchronization is automatic for Microsoft Active Directory.