What problems will I encounter when switching to externally identified users

Posted on 2011-05-09
Medium Priority
Last Modified: 2012-05-11
I currently have an Oracle 10.2 database with Oracle Named Users. I am thinking of implementing an SSO solution using Oracle Advanced Security and an Active Directory. I will be slowly migrating a number of custom developed apps to this new architecture and will be removing existing login screens.

What problems will I run into when switching to externally identified/authenticated users?
Question by: zstafa

Accepted Solution

slightwv (Netminder) earned 2000 total points
ID: 35724577
The main one:  Your database is only as secure as the OS.

Expert Comment

ID: 35727327

slightwv's answer is the correct one. You allow into your db anybody who managed to get OS authentication (who logged into the OS).

Additionally, if you go for that external authentication, make sure (at least) that your REMOTE_OS_AUTHENT is set to false. Otherwise you have no more security on logging into your db.


Expert Comment

ID: 35727344
... In other words, if you go for any external directory authentication solution, make sure there's only the local server which will execute that authentication.
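
An added example, not part of the original thread and not any poster's code: a read-only SQL audit a DBA could run on the 10.2 database to check the REMOTE_OS_AUTHENT setting mentioned above and to see which accounts are externally identified and what they have been granted. It assumes a session that can query v$parameter and the DBA_ views, and relies on the 10.2 behaviour that DBA_USERS.PASSWORD shows EXTERNAL for such accounts.

```sql
-- Added example for Oracle 10.2; run as a DBA. Queries only, nothing is changed.

-- 1. Parameters that govern OS-based external authentication.
--    remote_os_authent should be FALSE so the database never trusts an
--    OS identity asserted by a remote client machine.
--    os_authent_prefix is the prefix prepended to the OS user name to
--    form the database user name (default OPS$).
SELECT name, value, isdefault
FROM   v$parameter
WHERE  name IN ('remote_os_authent', 'os_authent_prefix');

-- 2. Accounts that are externally identified, with the external name
--    (for example a certificate DN) where one was recorded.
SELECT username, external_name, account_status, profile, created
FROM   dba_users
WHERE  password = 'EXTERNAL'
ORDER  BY username;

-- 3. What those accounts can do: roles and system privileges.
--    Anything powerful here is reachable by whoever controls the
--    external identity, so review it before migrating more users.
SELECT u.username, 'ROLE' AS grant_type, rp.granted_role AS granted
FROM   dba_users u
       JOIN dba_role_privs rp ON rp.grantee = u.username
WHERE  u.password = 'EXTERNAL'
UNION ALL
SELECT u.username, 'SYSTEM PRIVILEGE', sp.privilege
FROM   dba_users u
       JOIN dba_sys_privs sp ON sp.grantee = u.username
WHERE  u.password = 'EXTERNAL'
ORDER  BY 1, 2, 3;

-- 4. If step 1 reports remote_os_authent = TRUE, the corrective
--    statement is below. The parameter is static, so it must be set
--    in the SPFILE and takes effect after an instance restart.
-- ALTER SYSTEM SET remote_os_authent = FALSE SCOPE = SPFILE;
```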

Author Comment

ID: 35732821
I will be using XenApp as the portal, so the user will be authenticated using a smartcard and PIN at that level. My question was more specific to the custom apps, and if they would have any problems when the Oracle named users will be changed to be externally identified. I will use OAS to get the identity of the user from the Oracle client and an ActivClient or Oracle wallet. Thanks

Assisted Solution

by: slightwv (Netminder)
slightwv (Netminder) earned 2000 total points
ID: 35733434
I'm far from an expert on all the middle pieces but even Oracle is migrating to the Wallet so take that for what it's worth.

It's kind of hard to sell something they can't back up and trust.

If you are using Oracle's Wallet you should be fine.  With the caveat: even a good tool can be used incorrectly.

Question has a verified solution.