Enabling OS authentication for Oracle databases running on Windows prevents password-authenticated connections from other domains that have no trust relationship with the database host's domain.  For example, RMAN running in the pre-production domain wouldn't be able to use a database account password to connect to an RMAN catalogue database in the production domain.

Setting SQLNET.AUTHENTICATION_SERVICES=(NTS) triggers Oracle to check the group membership of the client's domain account, assuming that the account will be resolvable by the host.  If it isn't (because there is no trust relationship with the client's domain), the connection attempt fails with ORA-12638, even if a password is supplied or a wallet is used.

Workarounds

One workaround is to set SQLNET.AUTHENTICATION_SERVICES=(NONE), but doing so disables OS authentication, including the very handy "connect / as sysdba".

Another is to use JDBC thin drivers, which obscure the domain name from the OS user.

The domain name can also be hidden (or at least the relevant NTS authentication code bypassed) using the runas command.  This method allows scripts to be wrapped and scheduled, e.g. RMAN backups.

The runas command is given a fake user and password combination.  It silently fails, but as a side effect the domain name is stripped out of the information sent to the remote database.

This example shows how to create a non-interactive batch file that can run an RMAN backup when the catalogue database is in a different domain.  (Authentication is achieved by a password stored in the wallet referenced by %TNS_ADMIN%/sqlnet.ora).

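rman_ORCL.bat

@echo off
REM The user and password are deliberately fake; see the explanation above.
echo 'nosuchpw' | runas /noprofile /netonly /user:nosuchuser "C:\ORADBA\rman.bat ORCL D:\oracle\11.2.0.4_db1"

rman.bat

@echo off
REM %1 = ORACLE_SID, %2 = Oracle home
cd /D C:\temp
REM Directory holding the sqlnet.ora that references the wallet
set TNS_ADMIN=D:\oracle\RMAN\TNSADMIN
set ORACLE_SID=%1
set NLS_DATE_FORMAT=DD-MON-YYYY HH24:MI:SS
cmd /k %2\BIN\rman target / catalog=/@rmancat
exit /B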
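
Before scheduling a wrapper like this, it helps to confirm what the sqlnet.ora under %TNS_ADMIN% actually sets. The following is an added example, not part of the original post: a small Python audit of SQLNET.AUTHENTICATION_SERVICES and WALLET_LOCATION, in which the sample file contents and the wallet directory are constructed assumptions.

```python
import re

# Constructed sample sqlnet.ora (wallet directory is an assumed path).
SAMPLE = r"""
# client-side settings, constructed for this example
SQLNET.AUTHENTICATION_SERVICES = (NTS)
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = D:\oracle\RMAN\wallet)))
"""

def parse_sqlnet(text):
    """Return {PARAM: raw value}; indented lines continue the previous value."""
    params, name = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not line[0].isspace() and "=" in line:
            name, value = line.split("=", 1)
            name = name.strip().upper()
            params[name] = value.strip()
        elif name:
            params[name] += line.strip()
    return params

def audit(text):
    """Report the authentication services, wallet directory and their effects."""
    p = parse_sqlnet(text)
    services = [s.upper() for s in
                re.findall(r"\w+", p.get("SQLNET.AUTHENTICATION_SERVICES", ""))]
    m = re.search(r"DIRECTORY\s*=\s*([^)]+)", p.get("WALLET_LOCATION", ""), re.I)
    findings = []
    if "NTS" in services:
        findings.append("NTS set: connections from a domain without a trust "
                        "relationship fail with ORA-12638, even with a "
                        "password or wallet")
    if services == ["NONE"]:
        findings.append("NONE set: OS authentication is disabled, so "
                        "'connect / as sysdba' is unavailable")
    return {"services": services,
            "wallet_dir": m.group(1).strip() if m else None,
            "findings": findings}

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```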

 

Also see NTS Authentication Breaks Password Authentication

 

 
