Support for Kerberos Authentication For Oracle DB in .Net Core #237
Comments
|
Yes, it's true as of today. There's no support as of right now. The Oracle team is working with the MS .NET team to enable Kerberos with Oracle DB and .NET (Core). Code changes are required on both sides to enable Kerberos. We're making good progress. I will say more when we have something to announce. |
|
@ElectricVampire I am curious to know why the need to use Kerberos authentication. Thanks. |
|
@MaherJendoubi Inshort to enable AD based auth, currently we have one userId/password which is used across all connection string across all apps. Different userId for diff env.In prod things are easy, passwords are rotated automatically and apps use updated password from vault. |
|
@ElectricVampire Thank you for explaining the rationale behind. |
|
@alexkeh I was able to connect to my Oracle DB using Kerberos auth in .net core in latest version of https://www.nuget.org/packages/Oracle.ManagedDataAccess.Core/. Any documentation about this...I was really surprised to see this working....Real question is can i go ahead and use it in production. |
|
@ElectricVampire Oracle is working with MS to support .NET (Core) Kerberos with Oracle DB. When both companies have completed their reviews and testing, we'll then be prepared to announce something. |
|
We are working on a Proof of Concept and we were able to connect using Kerberos.NET 4.5.162 and Microsoft.Extensions.Logging.Abstractions Version 5.0.0 (and implicit dependency of the package Kerberos.NET). For those who are trying to make this work: it is important to note that the connection doesn't work with the latest version of Kerberos.NET due to a lack of a method called "Parse" (maybe it has just changed location or parameters). Another tricky thing is the configuration, which is a mix of sqlnet.ora and OracleConfiguration object, because there are some keys that are not exposed on the OracleConfiguration object. Ah and don't forget to place your krb5.conf in your app's folder because it is what this implementation is waiting for. Hope that changes as well to consider the full path of the file. Btw, @alexkeh, if you need people to test your implementation of Kerberos auth on .net Core,talk to me. I would love to help make this happen! :-) |
|
The Parse method shouldn't throw an error with the latest Kerberos.NET version. Can you share any error information and/or trace? We're seeing this method works fine. To provide some background on the sqlnet,ora only settings, MIT Kerberos for Windows is currently supported for managed ODP.NET. MIT loads its configuration settings when its DLLs are loaded. OracleConfiguration settings may not be set at that point. Thus, sqlnet.ora settings are used to avoid this possibility. The krb5 config file in a location specified by the full path in sqlnet.ora should work. If you turn on ODP.NET tracing, you can see more details about what may be going wrong. |
|
Hello @alexkeh thank you for answering and you are right! I've reexecuted my test with the latest Kerberos.NET implementation and it is working and the error in the file's placement that I've got was due to the utilization of quotes on sqlnet.ora file. For instance, to get the krb5.conf file working correctly I had to delete quotes from my config file as follows : 👎 Wrong config : 👍 Correct config: So far so good! Thank you :) |
|
Couldn't connect to oracle v11. Is it out of support for mda.core Kerberos authentication? The apreq message, as far as I can see, only differs in the 'authenticator' part. |
|
Oracle DB 11.2 is no longer supported for new client functionality being delivered nowadays. |
|
Hi Alex, we recently migrated from .NET framework with Kerberos authentication to .NET Core (6 .0). And we arfe in BIG mess now and having issues to connect our application to Oracle using Kerberos. I get the exception Oracle.ManagedDataAccess.Client.OracleException: NA Kerberos5: Authentication handshake failure at stage' So, what is the alternate solution to connect to Oracle from .NET 6 using Kerberos authentication if there is no support for Kerberos Authentication for Oracle DB in .Net Core now? |
|
@SureshAkula917 |
|
HI @alexkeh, are there any samples or examples out that I can look at to implement Kerberos functionality with ODP.NET Core using .NET 6 in Visual Studio? Thanks in advance. |
|
You should be able to follow the doc instructions for setting up ODP.NET Kerberos. Be sure to latest ODP.NET Core and Kerberos.NET versions from NuGet Gallery. |
Alex, thank you for your tireless effort in making this happen!! I anxiously await. |
|
Oracle and MS have concluded our ODP.NET Core Kerberos.NET support discussion. Official Oracle support will begin with ODP.NET Core 21.10. |
Any timelines for when the package will be available in nuget, as latest version is 3.21.90. |
Planned for an April release. BTW, the current ODP.NET Core 3.21.90 will work with Kerberos.NET today. It's just that official support starts with 3.21.10. |
|
We are facing below issue with kerberos.net today: dotnet/Kerberos.NET#326 |
|
Yes, ODP.NET Core will depend on Kerberos.NET. |
Hi, I am trying to connect Oracle DB using Kerberos authentication from .Net Core. But it fails. Currently, I am using Oracle.ManagedDataAccess.Core nuget package. The .net code is published as package and hosted on IIS. The app pool is configured with user that has kerberos enabled in Oracle Database. Could you please help. |
|
@KritikaSingh89 Assuming you execute the ODP.NET Kerberos setup instructions and installed one of the newer versions of Kerberos.NET, what error are you seeing? Is it failing in a basic Kerberos authentication or the failure occurs in a more complex scenario? |
|
Hi @alexkeh, I have not installed MIT our VM on which we will host .Net application on IIS to send request to Oracle DB. Is it must to install it ? Also, sql.net ora have configuration. SQLNET.KERBEROS5_CC_NAME=OSMSFT://. Also, do we have any reference link how to use kerberos.client to pass as Oracle connection? Thanks & Regards, |
|
@KritikaSingh89 You don't need MIT Kerberos only for managed ODP.NET. Kerberos.NET is the requirement when using .NET Core. |
|
I am not certain where to enter bug reports, so if any of you have a clue, let me know. NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT) SQLNET.KERBEROS5_CONF = c:\krb5\krb5.conf TIA |
|
@hwjensen Which Kerberos.NET version are you using? Can you turn on ODP.NET tracing and share the lines around the part of the trace that the error is occurring? |
|
Thx for getting back to me! I am using Oracle.ManagedDataAccess.Core 3.21.100, .Net 4.8.04084 Framework on Windows 10 Pro build 19045.2788. I can also run a trace on the server if you want, it is just that I have a hard time finding info in the massive log KR |
|
@hwjensen If you are using .NET Framework, then use managed ODP.NET and MIT Kerberos. If you are using .NET (Core), use ODP.NET Core and Kerberos.NET. Here's instructions for setting up managed ODP.NET and Kerberos. |
|
Hi Alex I have now had some more time with the dog and has added tracing. Some extracts: 2023-07-18 18:24:43.174165 TID:9 (CFG) (ENV) Machine Name : XXXXXX and: 2023-07-18 18:24:43.850908 TID:12 (NET) SQLNET.KERBEROS5_CONF = c:\krb5\krb5.conf. SQLNET.KERBEROS_CC_NAME = c:\krb5\kcache It seems to me that the ticket cache is not loaded at the start of the authentication, and because of that, it is not possible Wonder if it would be possible to force feed the cache before starting the authentication? Any ideas? BTW; Kerberos.Net is version 4.6.20 |
|
Loading the cache is always the correct procedure for Kerberos. In an environment that correctly points to the sqlnet.ora with the Kerberos configuration, you execute okinit successfully to acquire the krb creds and load the credential cache. Note, okinit will read the sqlnet.ora, determining the krb server AND the credential cache from the sqlnet.ora. You can use oklist to verify valid credentials in the credential cache. If the credentials in the cache are expired, first perform a okdstry to clean out the cache and then a new okinit. This assumes you are using the credential cache, not MSLSA-based Kerberos |
|
I thought okinit was a server thing? I have never used okinit on a client a have never needed it before, also sqlplus is perfectly capable of loading the cache on its own. The thing is that sqlplus fails (ORA-28547) when I attempt to config a real file rather than the memory cache (OSMSFT://), so maybe this is the problem for Kerberos.Net as well? Should result in an earlier error when tries to initialize the cache though. I tried running kinit: bruce>kinit --principal XXXXXX --realm=XXXXXX.XXX -V --cache=C:\krb5\kcache Password for XXXXXX@XXXX.XXX: ********* Invalid checksum bruce> Do you know what that means? Does this mean that ODP.Net does not use the token it gets from the AD at all? Thank you for your help! |
|
Use okinit instead of kinit. Kinit is not officially supported for ODP.NET Kerberos adapters, which is why okinit is specifically mentioned to be used in our doc. Okinit uses the sqlnet.ora settings instead of having to specify everything on the command line, which makes it easier to use. For okinit, you just give it the user id for the default domain in the krb.conf file and then it will prompt you for the password. |
|
You are right the bruce/kinit does not work, I found an old 12c okinit which did work and the ticket exchange now works, sort of. It seems the cache expires and needs to be initialized by okinit regularly, but we can find a way to work around this. Thank you for your help, much appreciated! |
Hi Alex, All our .NET 6.0 applications are working great connecting to Oracle database using Kerberos with .NET Framework 4.6.1 class library (This class library with ver 4.6.1 using as a connector to connect to database with Kerberos) Now we are in the process of migrating our applications to .NET 8.0 and saw your message "Announcing Oracle Support for .NET 8" posted on Nov 17, 2023. I have installed Kerberos.NET Ver 4.6.50 and Oracle.ManagedDataAccess.Core ver 3.21.130 and tried to connect to Oracle database with the same kerberos setup that we already have (which is working fine with .NET Framework 4.6.1). But it fails and get the below exceptions..
I did not find any examples or documentation anywhere on the net how to use Kerberos.NET with Oracle.ManagedDataAccess.Core. It would be so helpful if you can provide us some samples or examples. |
|
@SureshAkula917 Can you share your ODP.NET trace so that I can see specifically where and how the error manifested? The trace will also provide more details about how you have set up Kerberos. You said your .NET 6.0 apps are working with .NET Framework 4.6.1 with ODP.NET and Kerberos working. Which ODP.NET provider type (managed or core), version, and Kerberos.NET (if applicable) were you using here? |
@SureshAkula917 I had the same issue with same versions of packages and .net and my issue was resolved by changing the sqlnet.ora file value: SQLNET.KERBEROS5_CC_NAME = OSMSFT:// to SQLNET.KERBEROS5_CC_NAME = MSLSA I hope this helps someone. |
We need to connect Oracle DB via Kerberos in .Net Core. I came across an old thread - https://community.oracle.com/tech/developers/discussion/4288468/kerberos-support-for-odp-net-core which says that its not possible.
Is this true as of now?
Are there any Beta version of library for this feature avaiable?
The text was updated successfully, but these errors were encountered: