I’ve been using the old good Radius authentication protocol to authenticate database accounts (created for humans) with Active Directory credentials. It may sound strange use case, specially since Oracle also advertises its own Active Directory integration (Centrally Managed Users) and also there is Kerberos. I’ve had the following problems with them:<\/p>\n\n\n\n
Radius on the other hand – Windows domain controllers have Radius server built in and it is also very easy to deploy at large scale and maintain on Oracle database side.<\/p>\n\n\n\n
First add the following to database sqlnet.ora<\/strong>. File \/u01\/app\/oracle\/radius.key<\/strong> is a simple text file containing just the Radius secret. 10.0.0.1<\/strong> and 10.0.0.2<\/strong> are my Radius servers running on Windows, both using port 1812<\/strong>.<\/p>\n\n\n\n In the database itself set parameter os_authent_prefix to empty string:<\/p>\n\n\n\n And create the database users IDENTIFIED EXTERNALLY, and database username must match WInodws AD username.<\/p>\n\n\n\n The bad thing with Radius authenticated users is that the database client must also support Radius. Oracle thick driver supports it just fine, also JDBC thin driver.<\/p>\n\n\n\n When using Oracle thick client (Instatnt client)<\/strong>, turn on Radius authentication by adding it to sqlnet.ora:<\/p>\n\n\n\n After that you can use this client to log into the database using both database authenticated users and Radius authenticated users.<\/p>\n\n\n\n JDBC thin driver<\/strong> is a little bit trickier (tested using 21c JDBC driver)<\/p>\n\n\n\n To use Radius add the following Java VM option – but the problem with that is that you cannot use database authenticated users after turning on this option.<\/p>\n\n\n\n If you want to use it with SQL Developer, add the following to product.conf file<\/p>\n\n\n\n As mentioned earlier this would disable database authenticated accounts, so in case of SQL Developer changing product.conf is not desirable.<\/p>\n\n\n\n Since 19c JDBC thin driver, it is also possible to change Java properties within the connection string using EasyConnect syntax:<\/p>\n\n\n\n One bug that I discovered in JDBC thin driver support for Radius (and Oracle is still working on it) – if you use Radius together with TCPS and database server has also enabled Oracle Native Encryption – you will get the following error from JDBC driver IO Error: Checksum fail<\/strong><\/p>\n\n\n\n This is rather strange error, since when using TCPS – Oracle Native Encryption should be turned off automatically, but this error comes from Native encryption checksumming. To get around it, have to disable Native Encryption checksumming from the client side – which can also be done from inside the connection string.<\/p>\n\n\n\n I’ve been using the old good Radius authentication protocol to authenticate database accounts (created for humans) with Active Directory credentials. It may sound strange use case, specially since Oracle also advertises its own Active Directory integration (Centrally Managed Users) and also there is Kerberos. I’ve had the following problems with them: Radius on the other […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[4,63],"class_list":["post-643","post","type-post","status-publish","format-standard","hentry","category-blog-entry","tag-oracle","tag-security"],"_links":{"self":[{"href":"https:\/\/ilmarkerm.eu\/blog\/wp-json\/wp\/v2\/posts\/643","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ilmarkerm.eu\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ilmarkerm.eu\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ilmarkerm.eu\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ilmarkerm.eu\/blog\/wp-json\/wp\/v2\/comments?post=643"}],"version-history":[{"count":1,"href":"https:\/\/ilmarkerm.eu\/blog\/wp-json\/wp\/v2\/posts\/643\/revisions"}],"predecessor-version":[{"id":644,"href":"https:\/\/ilmarkerm.eu\/blog\/wp-json\/wp\/v2\/posts\/643\/revisions\/644"}],"wp:attachment":[{"href":"https:\/\/ilmarkerm.eu\/blog\/wp-json\/wp\/v2\/media?parent=643"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ilmarkerm.eu\/blog\/wp-json\/wp\/v2\/categories?post=643"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ilmarkerm.eu\/blog\/wp-json\/wp\/v2\/tags?post=643"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}# Radius authentication settings\nSQLNET.RADIUS_AUTHENTICATION_PORT = 1812\nSQLNET.RADIUS_SECRET=\/u01\/app\/oracle\/radius.key\nSQLNET.RADIUS_AUTHENTICATION = 10.0.0.1\nSQLNET.RADIUS_ALTERNATE = 10.0.0.2<\/code><\/pre>\n\n\n\nalter system set os_authent_prefix='' scope=spfile;<\/code><\/pre>\n\n\n\nCREATE USER ilmker IDENTIFIED EXTERNALLY;<\/code><\/pre>\n\n\n\nConfigure the client<\/h2>\n\n\n\n
$ cat ORACLE_CLIENT_HOME\/network\/admin\/sqlnet.ora\n\nSQLNET.AUTHENTICATION_SERVICES=(RADIUS)<\/code><\/pre>\n\n\n\n-Doracle.net.authentication_services='(RADIUS)'<\/code><\/pre>\n\n\n\nAddVMOption -Doracle.net.authentication_services='(RADIUS)'<\/code><\/pre>\n\n\n\ntcp:\/\/oracle.db.example.com:1521\/application_service.domain?oracle.net.authentication_services='(RADIUS)'<\/code><\/pre>\n\n\n\ntcps:\/\/oracle.db.example.com:1523\/application_service.domain?oracle.net.authentication_services='(RADIUS)'&oracle.net.crypto_checksum_client=REJECTED<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"