10 Authenticating Database Users with Windows

This chapter describes authentication of Oracle Database users with Windows operating systems.

Overview of Windows Native Authentication

Oracle Database can use Windows user login credentials to authenticate database users. Benefits include:

  • Enabling users to connect to Oracle Database without supplying a username or password

  • Centralizing Oracle Database user authentication and role authorization information in Windows, which frees Oracle Database from storing or managing user passwords or role information

The Windows native authentication adapter (automatically installed with Oracle Net Services) enables database user authentication through Windows. This enables client computers to make secure connections to Oracle Database on a Windows server. The server then permits the user to perform database actions on the server.

About Windows Authentication Protocols

The Windows native authentication adapter works with Windows authentication protocols to enable access to Oracle Database.

Starting with Oracle Database 12c Release 1 (12.1), the NTS authentication adapter no longer supports the use of NTLM to authenticate Windows domain users. Thus NTS cannot be used to authenticate users in old Windows NT domains or in domains with old Windows NT domain controllers. However, local connections, and Oracle Database services running as a Windows Local User, continue to be authenticated using NTLM.

If you use the Windows Local User Account as the Oracle Home User for an Oracle Database home, then Windows Native Authentication (NTS) cannot be used for authenticating Windows domain users or users from remote computers.

Clients must not specify an authentication protocol when connecting to Oracle Database. Instead, Oracle Database determines the protocol to use, which is completely transparent to the user. The only Oracle Database requirement is that the parameter SQLNET.AUTHENTICATION_SERVICES on both the client and the database server contains nts in the following file:

ORACLE_HOME\network\admin\sqlnet.ora

This is the default setting for both client computer and database server after installation.
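The following PowerShell script is an added example and is not part of the Oracle documentation or the Oracle software. It parses a sqlnet.ora for SQLNET.AUTHENTICATION_SERVICES and reports whether nts is listed, so that a client or server that will not authenticate with Windows credentials can be checked quickly. It assumes the file lives at ORACLE_HOME\network\admin\sqlnet.ora as stated above and that the ORACLE_HOME environment variable is set; the two sample file contents at the end are constructed for illustration. The function names are the author's own, not Oracle cmdlets.

```powershell
# Added example, not from the Oracle documentation. Reports whether the NTS
# adapter is listed in a sqlnet.ora. Assumes the file is at
# %ORACLE_HOME%\network\admin\sqlnet.ora, as the chapter states.

function Get-SqlnetAuthenticationServices {
    # Parse the SQLNET.AUTHENTICATION_SERVICES value out of sqlnet.ora text.
    # Returns the listed services upper-cased, or an empty array when the
    # parameter is absent. Comment lines start with '#'; the parameter name is
    # case-insensitive and the value is a parenthesised, comma-separated list.
    param([Parameter(Mandatory)] [AllowNull()] [AllowEmptyCollection()] [string[]] $Lines)

    foreach ($line in $Lines) {
        $trimmed = $line.Trim()
        if ($trimmed -eq '' -or $trimmed.StartsWith('#')) { continue }
        # -match is case-insensitive by default in PowerShell
        if ($trimmed -match '^SQLNET\.AUTHENTICATION_SERVICES\s*=\s*\(?([^)]*)\)?\s*$') {
            $services = [System.Collections.Generic.List[string]]::new()
            foreach ($s in ($Matches[1] -split ',')) {
                $t = $s.Trim().ToUpperInvariant()
                if ($t -ne '') { $services.Add($t) }
            }
            return ,$services.ToArray()   # leading comma keeps the array intact
        }
    }
    return ,@()
}

function Test-NtsEnabled {
    # Evaluate one sqlnet.ora; NtsEnabled is $true only when NTS is listed.
    param([Parameter(Mandatory)] [string] $Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Services = @(); NtsEnabled = $false; Status = 'file not found' }
    }
    $services = @(Get-SqlnetAuthenticationServices -Lines (Get-Content -LiteralPath $Path))
    if ($services.Count -eq 0) {
        $status = 'SQLNET.AUTHENTICATION_SERVICES not set; verify the effective default on this host'
    } elseif ($services -contains 'NTS') {
        $status = 'NTS listed'
    } else {
        $status = 'NTS not listed; Windows native authentication will not be used'
    }
    [pscustomobject]@{
        Path       = $Path
        Services   = $services
        NtsEnabled = ($services -contains 'NTS')
        Status     = $status
    }
}

# Constructed sample contents (not real files): the first disables Windows
# native authentication, the second is the post-installation default the
# chapter describes.
$disabled = @('# sqlnet.ora on a hardened client', 'SQLNET.AUTHENTICATION_SERVICES = (NONE)')
$default  = @('SQLNET.AUTHENTICATION_SERVICES = (NTS)')
@(Get-SqlnetAuthenticationServices -Lines $disabled) -contains 'NTS'
@(Get-SqlnetAuthenticationServices -Lines $default)  -contains 'NTS'

# Check the real file of the Oracle home named by ORACLE_HOME.
Test-NtsEnabled -Path (Join-Path $env:ORACLE_HOME 'network\admin\sqlnet.ora') | Format-List
```

Run it on both the client and the database server, because NTS must be listed on both sides for a connection to use Windows credentials; a mismatch typically shows up as a prompt for a password or an ORA-01017 rather than an obvious configuration error.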

In a typical installation, an Oracle Database network includes client computers and database servers, and the computers on this network may run different Oracle Database software releases in different Windows domains. Because of this mix of releases, the authentication protocol actually used can vary from one connection to another.

See Also:

Your operating system documentation for more information on authentication protocol

About User Authentication and Role Authorization Methods

This section describes how user login credentials are authenticated and database roles are authorized in Windows domains. User authentication and role authorization are defined in Table 10-1.

Table 10-1 User Authentication and Role Authorization Defined

  Feature: User authentication
  Description: Process by which the database uses the user's Windows login credentials to authenticate the user.
  More Information: Oracle Database 2 Day DBA

  Feature: Role authorization
  Description: Process of granting an assigned set of roles to authenticated users.
  More Information: Oracle Database 2 Day DBA


Oracle Database supports user authentication and role authorization in Windows domains. Table 10-2 describes these basic features.

Table 10-2 Basic Features of User Authentication and Role Authorization

  Feature: Authentication of external users
  Description: The database authenticates users with their Windows login credentials, so they can access Oracle Database without being prompted for additional login credentials.

  Feature: Authorization of external roles
  Description: Roles are authorized through membership of Windows local groups. Once an external role is created, you can grant it to or revoke it from a database user. The initialization parameter OS_ROLES is false by default; you must set OS_ROLES to true before external roles are authorized.


About Using Authentication and Authorization Methods

Table 10-3 describes user authentication and role authorization methods to use based on your Oracle Database environment:

Table 10-3 User Authentication and Role Authorization Methods

  Method: Enterprise users and roles
  Database Environment: You have many users connecting to multiple databases.
  Enterprise users have the same identity across multiple databases. Enterprise users require a directory server.
  Use enterprise roles where the enterprise users assigned to them are located in many geographic regions and must access multiple databases. Each enterprise role can be assigned to multiple enterprise users in the directory. If you do not use enterprise roles, then you must assign database roles manually to each database user. Enterprise roles require a directory server.

  Method: External users and roles
  Database Environment: You have a smaller number of users accessing a limited number of databases. External users must be created individually in each database and do not require a directory server.
  External roles must also be created individually in each database and do not require a directory server. External roles are authorized by the membership of users in local groups on the system.


See Also:

Oracle Database Enterprise User Security Administrator's Guide for more information on enterprise users and roles

Overview of Operating System Authentication Enabled at Installation

When you install Oracle Database, a special Windows local group called ORA_DBA is created (if it does not already exist from an earlier Oracle Database installation) and your Windows user name is automatically added to it. Members of local group ORA_DBA automatically receive the SYSDBA privilege. Starting with Oracle Database 12c Release 1 (12.1), a per-home group named ORA_HOMENAME_DBA is also created for each Oracle home, where HOMENAME is the name of that Oracle home. This group is automatically populated with the Oracle Home User for the Oracle home.

Note:

If you use a domain account for database administration, then that domain account must be granted local administrative privileges and ORA_DBA membership explicitly. It is not sufficient for the domain account to inherit these memberships from another group. You must also ensure that the user performing the installation is in the same domain as this domain account; otherwise NTS authentication fails.

Membership in ORA_DBA enables you to:

  • Connect to local Oracle Database servers without a password with the command

    SQL> CONNECT / AS SYSDBA
    
  • Connect to remote Oracle Database servers without a password with the command

    SQL> CONNECT /@net_service_name AS SYSDBA 
    

    where net_service_name is the net service name of the remote Oracle Database server

  • Perform database administration procedures such as starting and shutting down local databases

  • Add additional Windows users to ORA_DBA, enabling them to have the SYSDBA privilege
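Because every member of ORA_DBA and of each ORA_HOMENAME_DBA group can run CONNECT / AS SYSDBA without a password, those groups deserve the same review as the local Administrators group. The following PowerShell script is an added example, not part of the Oracle documentation or software: it lists the members of every such group on the host and flags members that are themselves groups, since the note above says a domain account must be added explicitly and does not get ORA_DBA through another group. It assumes the Microsoft.PowerShell.LocalAccounts module (Windows Server 2016 and Windows 10 or later) and local administrator rights; the function name is the author's own.

```powershell
# Added example, not from the Oracle documentation. Lists every principal that
# gets SYSDBA through ORA_DBA or a per-home ORA_<HOMENAME>_DBA group on this
# host, and flags members that are themselves groups, because the chapter says
# a domain account must be an explicit member of ORA_DBA. Needs the
# Microsoft.PowerShell.LocalAccounts module and local administrator rights.

function Get-OracleDbaGroupMembers {
    # Find ORA_DBA and every ORA_<HOMENAME>_DBA group without guessing home names.
    $dbaGroups = Get-LocalGroup |
        Where-Object { $_.Name -eq 'ORA_DBA' -or $_.Name -like 'ORA_*_DBA' } |
        ForEach-Object { $_.Name }

    foreach ($group in $dbaGroups) {
        try {
            $members = @(Get-LocalGroupMember -Group $group -ErrorAction Stop)
        } catch {
            # Get-LocalGroupMember fails on groups holding orphaned SIDs; report and continue.
            Write-Warning "Cannot enumerate ${group}: $($_.Exception.Message)"
            continue
        }
        foreach ($m in $members) {
            $warning = ''
            if ($m.ObjectClass -eq 'Group') {
                $warning = 'nested group: its members are not explicit members of ' + $group
            }
            [pscustomobject]@{
                Group       = $group
                Member      = $m.Name              # DOMAIN\user or COMPUTER\user
                ObjectClass = $m.ObjectClass       # User or Group
                Source      = $m.PrincipalSource   # Local, ActiveDirectory, ...
                Warning     = $warning
            }
        }
    }
}

# Usage: a table of everyone who can run CONNECT / AS SYSDBA on this host.
Get-OracleDbaGroupMembers | Format-Table -AutoSize
```

Any entry whose Source is ActiveDirectory is a domain account with passwordless SYSDBA on this server; compare the list against the administrators you expect, and treat a nested group as a finding in its own right, since it silently widens or, per the note above, fails to grant the access its members assume they have.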