Security :: Windows OS Authentication Fails ORA-1017 After Renaming AD User
Jul 17, 2012
When a user is renamed in Active Directory, they can no longer connect to the Oracle DB through OS authentication. There is no OID/DIP integration.
sqlnet.ora:
SQLNET.AUTHENTICATION_SERVICES = (NTS)
NAMES.DIRECTORY_PATH= (TNSNAMES, HOSTNAME)
NAMES.DEFAULT_DOMAIN = cal.com.br
create user "CALRENATOH" IDENTIFIED EXTERNALLY;
GRANT CREATE SESSION TO "CALRENATOH";
AD User CALRENATOH can connect to DB as 'sqlplus /'.
But after renaming AD User CALRENATOH to CALRENATOH1, dropping DB user CALRENATOH and creating DB user CALRENATOH1:
drop user "CALRENATOH";
create user "CALRENATOH1" IDENTIFIED EXTERNALLY;
Now OS authentication 'sqlplus /' fails with 'ORA-01017: invalid username/password; logon denied'. Once I recreate the DB user with the old AD user name 'CALRENATOH', OS authentication succeeds.
create user "CALRENATOH" IDENTIFIED EXTERNALLY;
C:\Windows\system32>set username
USERNAME=RENATOH1
C:\Windows\system32>sqlplus /@rmlab001
SQL*Plus: Release 11.1.0.6.0 - Production on Tue Jul 3 15:16:46 2012
Copyright (c) 1982, 2007, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - 64bit Production
With the Partitioning and OLAP options
Why is the database still looking for the old AD user name? Does Oracle cache information about OS authenticated users?
Jul 15, 2013
I have been using Oracle-based database security, but the company now wants to handle it with Windows authentication. I have Windows OS 2008 R2 and Oracle 11.2.0.3.
I have also set up SQLNET.AUTHENTICATION_SERVICES= (NTS). I created the user with create user "domain\username" identified externally, but now how can I connect from the application to the database?
Jan 24, 2013
We would like to integrate Windows LDAP with a new Oracle database for user authentication. For example, this is a new test database and we don't have any users created. Now we would like to figure out, if we created the users with the same ID as the LDAP user ID, how they can be authenticated externally by LDAP. I read and heard some info on OID provided by Oracle but need some more step-by-step info to experiment.
Jun 16, 2013
I know how to use database links in various forms, but I've been trying to think through how the authentication works for a connected user link in 11g. If I create the link like this,
create public database link using 'orcl';
then any user can use the link, provided they have an identical username/password in the two databases. With pre-11g passwords, it was understandable: the password was salted with the username, so the hash of the password would be the same in both databases, and I assumed that the logon through the link used some sort of IDENTIFIED BY VALUES mechanism. But in 11g, the salt will be different in the two databases. So the hash will be different. And of course Oracle never stores the actual password. So I don't see how the authentication works.
Feb 1, 2013
Windows 7
Oracle XE 11gR2
From Windows, I can successfully create and connect with a system data source using a user Oracle account. But when doing the same configuration process I cannot create or connect using the 'SYS' account.
I get the error 'ORA-2009: connection as SYS should be as SYSDBA or SYSOPER'.
What is the solution to creating an ODBC DSN for the user 'SYS'?
Mar 11, 2011
We are trying to implement the following security to our database.
As of now, the access rights are same for all the windows users logging into the Oracle application with the same Oracle user Id.
But now, we want to improve our security by granting different levels of rights to the users based on their Network Id even though they use the same Oracle User Id to log into the application.
We are not looking for the users to be identified externally.
(CREATE USER "OPS$ORACLE-BASE.COM\TIM_HALL" IDENTIFIED EXTERNALLY;
GRANT CONNECT TO "OPS$ORACLE-BASE.COM\TIM_HALL";
)
Apr 4, 2013
Is there a way to have separate wallets for each Windows user? Well, I have found a way, but it does not always seem to work properly, and that is with the %USERNAME% environment variable.
This is how our customer wants to have it, so a separate wallet for each Windows user. How to accomplish this without using %USERNAME%?
Sep 16, 2011
How can I use OS authentication to log in to the DB?
SQL> connect / as sysdba
ERROR:
ORA-01031: insufficient privileges
sqlnet.ora text:
# This file is actually generated by netca. But if customers choose to
# install "Software Only", this file wont exist and without the native
# authentication, they will not be able to connect to the database on NT.
#SQLNET.AUTHENTICATION_SERVICES = (NTS)
SQLNET.INBOUND_CONNECT_TIMEOUT=1
Jan 5, 2013
What is happening here:
c:usersjohnhome>
c:usersjohnhome>orapwd file=%ORACLE_HOME%databasePWDorcl.ora password=oracle
c:usersjohnhome>sqlplus sys/garbage@orcl as sysdba
SQL*Plus: Release 11.2.0.3.0 Production on Sat Jan 5 18:25:06 2013
Copyright (c) 1982, 2011, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - Production
With the Partitioning, Oracle Label Security, OLAP, Data Mining,
Oracle Database Vault and Real Application Testing options
orcl> sho user
USER is "SYS"
orcl> select sys_context('userenv','ip_address') from dual;
SYS_CONTEXT('USERENV','IP_ADDRESS')
---------------------------------------------------------------------------------------------------
127.0.0.1
orcl>
Why can I get a sys login, when I am connecting through the listener and giving an incorrect password? The listening address is a loopback address, is Oracle clever enough to realize that I am in fact logged on to the server as a member of the OSDBA group? I didn't think that information was passed through SQL*Net.
Mar 28, 2013
I'd like to have my 11g database authenticate users against an OpenLDAP service. We'd still create accounts in the database, and do authorization within the database, but I'd just want the users' passwords authenticated externally, against the OpenLDAP service. Is this possible? My searching through these forums and Google seems to indicate that you can do it if you run an Oracle Internet Directory (OID) service. I do not want to have to install and maintain an Oracle Internet Directory service. I'd like to do it without it.
I have a working PL/SQL function (below) that can authenticate a passed in username & password against our OpenLDAP directory. Is there any way for me to have Oracle call this function for the database user authentication? Or is there any other way for me to get the Oracle database to directly authenticate against OpenLDAP without having to run OID?
create or replace function ldap_authenticate(username varchar2, password varchar2)
return boolean is
begin
begin
if dbms_ldap.success = dbms_ldap.simple_bind_s(
[code]........
Jul 25, 2011
I have Oracle 10g up and running on Solaris 10. From Windows I would like to connect to SQL*Plus through Windows authentication; for that I have already made sure that remote_auth = true and have created a user in Oracle with OPS$. But I still cannot connect.
I have the same setup but with Oracle on a Windows server, and the OS authentication from Windows clients works just fine.
Does Oracle 10g on Solaris 10 support Windows OS authentication?
Feb 18, 2013
I have oracle database server set with Windows NT authentication. How can I get rid of this kind of authentication as this is holding up additional Windows Domain with its own PDS and so on. Or is it possible to move Oracle Database server to a different Domain and authentication to be coming from new domain?
Nov 21, 2010
I have set a password on the listener and set the local_os_authentication parameter to "OFF". Whenever I start/stop the listener through "lsnrctl", it works fine and asks for the password, but I can stop/start the listener through Windows services without giving any password.
What is the use of setting a password on the listener if anybody can start/stop it through the services utility in Windows XP SP3?
Jul 16, 2013
Can an application connect with Windows authentication to an Oracle 11.2.0.3 database? If so, then how can I set it up?
Nov 16, 2010
Lost Windows password? Forgot Windows password? Your PC was hacked? Therefore, it is a basic step for every Windows users to enhance the security of Windows password. In the networks, it is found that a number of user's passwords are easy to guess. Only the smallest groups are the most security conscious and select passwords that are mixed lowercase and uppercase letters, numbers and punctuation to create cryptic passwords. Adopting strong password is one of the most effective ways to ensure system security. Here are several methods for you to enhance the security of your passwords in Windows 7/2000/XP/Vista and so on. You'd better remember the methods below unless you want to reset Windows password from time to time.
1. Is random password a great password?
A common myth is that totally random passwords like Ht3&e#L%5d@$B are the best passwords. This is not true. While they may be strong passwords, they are usually difficult to remember, slow to type, and sometimes vulnerable to attacks against the password generating algorithm. It is easy to create passwords that are strong but much easier to remember by using a few simple techniques. For example, consider the password "Luck-73@Better?". This password utilizes uppercase and lowercase letters, two numbers, and three symbols. The password is 15 characters long and can be memorized with very little effort. Moreover, this password can be typed very fast. The portion "Luck" and "Better" alternate between left and right-handed keys on the keyboard, improving speed, decreasing typos, and decreasing the chances of someone being able to discover your password by watching you.
2. Create the long Windows password
Although a password may eventually be discovered through some means, it is possible to create a password that cannot be cracked in any reasonable time. If a password is long enough, it will take so long or require so much processing power to crack it. That is essentially the same as being unbreakable (at least for most hackers).
3. Create the Windows password constantly?
This may be good advice for some high-risk passwords, but it is not the best policy for every user. It is frustrating for a user to have to constantly think of and remember new passwords every 30 days. It may be better to focus on stronger passwords and better user awareness rather than limiting password age. A more realistic time for the common user may be 90-120 days.
4. Write down Windows password in a proper place
Sometimes it is necessary for some users losing and forgetting complex passwords easily to write down them somewhere proper. However, it is important to educate users on how to write down passwords properly. Obviously, a sticky note on the monitor is not a good idea, but storing passwords in a safe or even a locked cabinet may be sufficient.
5. 14 characters is the optimal password length
Each character that you add to your password increases the protection. Your passwords should be 8 or more characters in length; 14 characters or longer is the Optimal Password Length. Many systems also support use of the space bar in passwords, so you can create a phrase made of many words. It is not easier to forget and lose, as well as longer than a simple password, and harder to guess.
6. Try not to use the same Windows password for all accounts
Some users always make the same passwords for every account to make it easy to remember. In that case, when any one of them lost, your other information protected by that password will be in danger as well. It is serious to use different passwords for different systems and accounts.
7. Do not use some common words that other users maybe guess
Most of users prefer to use some common words to remember easily, for example, login name, birth date, driver's license, passport number, pets' name and other words contained their personal information someone knows. In that case, your Windows system will not be safe anymore. Moreover, do remember not to use some words spelled backwards, abbreviations, sequences or repeated characters and adjacent letters, such as, asdfgh, 123456, 888888, abcdef and so on.
You can smoothly use your Windows now because the strong and powerful Windows password is created successfully, Certainly, I believe that many users lost Windows password and forgot Windows password, then you need have to reset Windows password or recover Windows password. It is a big problem for plenty of Windows users that how to reset Windows password. how to recover Windows password and they are puzzled by resetting windows password, for instance, reset Windows 7 password, recover password Windows XP, remove Windows Vista password and other operating systems after they create the password with complex letters, numbers and symbols. However, it is unnecessary to worry and it is said that things will eventually sort themselves out. There are many ways to reset forgotten Windows password, including use windows password reset disk and windows password reset software, like Super Windows Password Reset, a professional windows password reset software which could enable you to logon to Windows smoothly without reinstalling system.
Sep 27, 2011
I just created a user and tried to log in but it gives the following error, why?
SQL*Plus: Release 10.1.0.4.2 - Production on Tue Sep 27 10:57:55 2011
Copyright (c) 1982, 2005, Oracle. All rights reserved.
Connected to:
Oracle Database 10g Express Edition Release 10.2.0.1.0 - Production
SQL> create user user1 identified by user1;
User created.
SQL> conn user1
Enter password: *****
ERROR:
ORA-12560: TNS:protocol adapter error
Warning: You are no longer connected to ORACLE.
Jun 15, 2013
I know how to use database links in various forms, but I've been trying to think through how the authentication works for a connected user link in 11g. If I create the link like this,
create public database link using 'orcl';
then any user can use the link, provided they have an identical username/password in the two databases. With pre-11g passwords, it was understandable: the password was salted with the username, so the hash of the password would be the same in both databases, and I assumed that the logon through the link used some sort of IDENTIFIED BY VALUES mechanism. But in 11g, the salt will be different in the two databases. So the hash will be different. And of course Oracle never stores the actual password. So I don't see how the authentication works.
Apr 15, 2012
I want to install Oracle EE 11gR2 on my Windows 7 Professional 64-bit laptop. Installed memory is 8GB. I need to install the 32-bit server since Oracle Warehouse Builder will not run on a 64-bit o/s. Further, I use Toad 9.7.2 which will only recognise the 32-bit client.
I had a few failed attempts, especially when the database was being created, with the ORA-12560: TNS:protocol adapter error.
So here's what I did:
Changed C:\Windows\System32\drivers\etc\hosts so that it contains two lines 127.0.0.1 localhost & ::1 localhost
Changed properties of setup.exe in the installation directory to be Windows XP SP2 compatible and run as administrator
Selected "install database software only" (so I could figure out at what step the installation fails)
Selected "single instance"
Selected "Enterprise Edition"
Selected oracle base "c:\app" (instead of default location c:\app\d_seng)
Copy of files was completed successfully, log file was created in c:\program files(x86)\oracle\inventory\logs & registry entries were added to "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ORACLE" (with keys KEY_OraDb11g_home1, ODP.NET & OracleMTSRecoveryService), and the following services were created:
OracleMTSRecoveryService: Started/Automatic
OracleOraDb11g_home1ClrAgent: Not started/Manual
OracleRemExecService: Started/Disabled
There are no listener.ora & tnsnames.ora yet. Sqlnet.ora is created with the line SQLNET.AUTHENTICATION_SERVICES = (NTS)
Now I went to Start, All Programs, Oracle - OraDb11g_home1, Configuration and Migration Tools, right clicked on "Net Configuration Assistant" and changed the properties to be Windows XP SP2 compatible and run as administrator and ran it. I selected "Listener Configuration", added a listener called LISTENER, TCP protocol, port 1521 and finished. A service called "OracleOraDb11g_home1TNSListener" was created and started in automatic mode. The PATH was updated and listener.ora was created with the lines:
SID_LIST_LISTENER =
(SID_LIST =
(SID_DESC =
(SID_NAME = CLRExtProc)
(ORACLE_HOME = C:\app\product\11.2.0\dbhome_1)
[code]...
Tnsnames.ora is also created with the contents:
ORACLR_CONNECTION_DATA =
(DESCRIPTION =
(ADDRESS_LIST =
(ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
)
(CONNECT_DATA =
(SID = CLRExtProc)
(PRESENTATION = RO)
At the command prompt, lsnrctl.status shows:
LSNRCTL for 32-bit Windows: Version 11.2.0.1.0 - Production on 15-APR-2012 12:42:19
Copyright (c) 1991, 2010, Oracle. All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=DSG-HP6555b)(PORT=1521))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for 32-bit Windows: Version 11.2.0.1.0 - Production
Start Date 15-APR-2012 12:37:54
[code]...
At the command prompt, lsnrctl.services shows:
LSNRCTL for 32-bit Windows: Version 11.2.0.1.0 - Production on 15-APR-2012 12:43:15
Copyright (c) 1991, 2010, Oracle. All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=DSG-HP6555b)(PORT=1521)))
Services Summary...
Service "CLRExtProc" has 1 instance(s).
Instance "CLRExtProc", status UNKNOWN, has 1 handler(s) for this service...
Handler(s):
"DEDICATED" established:0 refused:0
LOCAL SERVER
The command completed successfully
Now I went to Start, All Programs, Oracle - OraDb11g_home1, Configuration and Migration Tools, right clicked on "Database Configuration Assistant" and changed the properties to be Windows XP SP2 compatible and run as administrator and ran it.
I chose to create a database
General purpose
Global database name ORCL
SID ORCL
Chose "Configure Enterprise Manager" & "Configure Database Control for local management" and disabled "Automatic maintenance tasks"
Used the same password for all accounts
Selected storage type "File System" & "Use Database File Locations from Template"
Unchecked Flash Recovery & Archiving
Selected "Sample Schemas", "Typical" memory size (1228MB), "Use Automatic Memory Management"
Left sizing/character sets/connection mode as default, and
Selected "Generate Database Creation Scripts" in C:\app\admin\ORCL\scripts (if I choose to Create Database, it fails with TNS Protocol Adapter Error).
I now open ORCL.bat in an editor, go to command prompt, create the directories as per the file, set ORACLE_SID=ORCL & path.
Running C:\app\product\11.2.0\dbhome_1\bin\oradim.exe -new -sid ORCL -startmode manual -spfile gives a message "instance created" & services "OracleJobSchedulerORCL", "OracleVssWriterORCL" (started) & "OracleServiceORCL" (started) are created.
The next step C:\app\product\11.2.0\dbhome_1\bin\oradim.exe -edit -sid ORCL -startmode auto -srvcstart system gives an error "Unable to start service, OS Error 1056" (probably implies services already running), nothing is present in the Windows alert logs about this. If I stop the service OracleVssWriterORCL, then this command completes, although no messages are returned.
The next step in the batch file starts sqlplus /nolog and calls ORCL.sql.
ORCL.sql accepts passwords for sys, system, sysman & dbsnmp. It then executes host C:\app\product\11.2.0\dbhome_1\bin\orapwd.exe file=C:\app\product\11.2.0\dbhome_1\database\PWDORCL.ora force=y, which prompts me for the password for sys.
ORCL.sql then calls CloneRmanRestore.sql, which then tries to run connect "SYS"/"&&sysPassword" as SYSDBA
This is when I get the error ORA-12560: TNS:protocol adapter error, which has been haunting me for days.
My gut feel is that the database creation step at sqlplus is unable to recognise the listener...or probably it does not recognise the modified registry location (with Wow6432Node), the file oracle.key in C:\app\product\11.2.0\dbhome_1\BIN shows the string SOFTWARE\ORACLE\KEY_OraDb11g_home1.
I then changed oracle.key to point to SOFTWARE\Wow6432Node\ORACLE\KEY_OraDb11g_home1, restarted the listener and ORCL service, but connecting as sys returns the same error.
Jul 27, 2010
Provide me the script which would track all the users' security violations. Say, for example, I want to find which users logged in and what they did from a database perspective.
Dec 21, 2010
We have the database user called c88888 and is locked yesterday. I came to this with the following query.
select * from dba_users where username like 'C88888';
Due to invalid password the user was locked. Can we track who hit the database with the wrong password?
Sep 12, 2011
User A contains tables, views, LOB's, types, procedures, triggers, sequences, indexes, synonyms. User B wants to have read-only privilege on the objects of User A.
I can provide select on privilege on tables and views. How about providing read-only privileges to other objects?
Aug 23, 2011
I have enabled Auditing in my oracle Database but I am not able to see any database for the operations of sys user or any other user in my "SYS.AUD$" and "SYS.FGA_LOG$" tables.
Value for the parameter "AUDIT_TRAIL" is set to "db,extended".
I am working as "SYS" user and I have shutdown and again startup the database but neither there was any information in both the tables nor I can see any files at the destination specified by "AUDIT_FILE_DEST".
May 3, 2011
I am trying to setup incremental backup on my windows OS based server using RMAN command in batch file. When I use batch file in OS scheduler it is working fine, when I am calling same batch file from my LOCAL desktop PC it throws errors as below.
D:> \3.193.211.19sgdba
mankp_acressit.bat
D:>rman catalog rman/******@acressit target / cmd
file=E:sgdba
mankp_arch.rcv log E:sgdba
mansit_arch_rman_backup.log
RMAN-00557: could not open MSGLOG "E:sgdba
[code]....
Both single and double quotes (' or ") are accepted for a quoted-string.
Quotes are not required unless the string contains embedded white-space.
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-00556: could not open CMDFILE "E:sgdba
mankp_arch.rcv"
[code]....
* On my DB server I log in using my administrator account; on my PC I don't have an admin account.
* I have checked remote execution using local user as well as admin user.
* I have checked the permission and my local ID & EVERYONE has all permission in that folder.
May 6, 2011
The following link states
Quote:
SESSIONS_PER_USER
Each instance maintains its own SESSIONS_PER_USER count. If SESSIONS_PER_USER is set to 1 for a user, the user can log on to the database more than once as long as each connection is from a different instance.
[URL].....
Of course the following is not working even when resource_limit is TRUE
ALTER PROFILE DEFAULT LIMIT SESSIONS_PER_USER 2;
How can I restrict a user to have limited sessions say 2 sessions across 4 node cluster? Presently I am checking the sessions logged in using sql+ and no connection pooling of front end etc. is involved.
Nov 11, 2011
I am using an Oracle server, and all my users' passwords have expired. Is there any way to recover those users without losing my data?
Aug 23, 2010
I am using Oracle Internet Directory to store user information and OID delegated administrative services for user entry. As an admin I created a privileges group called admins. Users belonging to this group can create users, delete users, edit users, and edit groups. I created 'User A' and assigned him to the group. Now 'User A' creates 'User B' and assigns him to the group. However, when 'User B' creates 'User C' he gets the error [LDAP: error code 50 - Insufficient Access Rights].
This happens even though 'User B' belongs to the admin group which has the privilege to create users.
Oct 17, 2010
The application user owns the application schema, which owns all the database objects in this schema. Now 50 of our developers need access to this application schema, but giving away the password for the application user is a risk, as "Drop user application cascade" would wipe off all the objects. The option I have is to create 50 separate users with tablespace as application and grant all rights to the application schema.
Dec 5, 2012
To make users under one schema:
1) The user should have access to all objects with limited privileges.
How can I do this under a schema?
Jan 1, 2013
How do I query when privilege changes were last made for a DB user, or rather list the privilege changes and what changes were made?
Dec 10, 2010
I am a Java developer and would like to install data locally on my computer for testing purposes.
I logged in as sysdba in sqlplus and created a user.
The installation documentation said:
This user should have at least the following privileges.
CREATE TABLE, CREATE VIEW, CREATE PROCEDURE, CREATE PUBLIC SYNONYM, CREATE USER, CREATE ROLE, CREATE SEQUENCE, CREATE SESSION, CREATE TRIGGER, AND CREATE TYPE.
If you choose, you can grant DBA role to this user.
Note: Coeus Schema owner should have CREATE USER and ALTER USER right explicitly granted to it, not through a role like DBA.
1) How to grant all these privileges to that user?
2) How will this user have the CREATE USER and ALTER USER rights explicitly granted to it, not through a role like DBA?