
Support for Kerberos Authentication For Oracle DB in .Net Core

Open ElectricVampire opened this issue 2 years ago • 37 comments

We need to connect to Oracle DB via Kerberos in .Net Core. I came across an old thread - https://community.oracle.com/tech/developers/discussion/4288468/kerberos-support-for-odp-net-core which says that it's not possible. Is this true as of now? Are there any beta versions of the library with this feature available?

ElectricVampire avatar Mar 10 '22 06:03 ElectricVampire

Yes, it's true as of today. There's no support as of right now. The Oracle team is working with the MS .NET team to enable Kerberos with Oracle DB and .NET (Core). Code changes are required on both sides to enable Kerberos. We're making good progress. I will say more when we have something to announce.

alexkeh avatar Mar 10 '22 13:03 alexkeh

@ElectricVampire I am curious to know why the need to use Kerberos authentication. Thanks.

MaherJendoubi avatar Apr 13 '22 08:04 MaherJendoubi

@MaherJendoubi In short, to enable AD based auth. Currently we have one userId/password which is used across all connection strings across all apps, with a different userId for each environment. In prod things are easy: passwords are rotated automatically and apps use the updated password from the vault. The problem comes when humans are involved. In non-prod, let's say we rotate the password for local dev work; the user needs to fetch the password and update it in their connection string. If out of 59 developers in my team, one guy forgets and tries with the old password, it will lock the user and now everyone is stuck with a locked user. For security reasons we are not allowed to access the vault from local. There are many advantages of Kerberos, but for me not having the password in the connection string is the biggest one.

ElectricVampire avatar Apr 13 '22 10:04 ElectricVampire

@ElectricVampire Thank you for explaining the rationale behind.

MaherJendoubi avatar Apr 18 '22 13:04 MaherJendoubi

@alexkeh I was able to connect to my Oracle DB using Kerberos auth in .NET Core with the latest version of https://www.nuget.org/packages/Oracle.ManagedDataAccess.Core/. It was an accidental discovery for me, as we were already using the Kerberos.Net nuget in our project for some Mainframe SSO stuff and already had the ora file present, which I did not clean up when I was last trying to connect to the db using Kerberos.

Any documentation about this? I was really surprised to see this working. The real question is: can I go ahead and use it in production?

ElectricVampire avatar May 14 '22 09:05 ElectricVampire

@ElectricVampire Oracle is working with MS to support .NET (Core) Kerberos with Oracle DB. When both companies have completed their reviews and testing, we'll then be prepared to announce something.

alexkeh avatar May 17 '22 19:05 alexkeh

We are working on a Proof of Concept and we were able to connect using Kerberos.NET 4.5.162 and Microsoft.Extensions.Logging.Abstractions Version 5.0.0 (and implicit dependency of the package Kerberos.NET).

For those who are trying to make this work: it is important to note that the connection doesn't work with the latest version of Kerberos.NET due to a lack of a method called "Parse" (maybe it has just changed location or parameters).

Another tricky thing is the configuration, which is a mix of sqlnet.ora and OracleConfiguration object, because there are some keys that are not exposed on the OracleConfiguration object.

Ah and don't forget to place your krb5.conf in your app's folder because it is what this implementation is waiting for. Hope that changes as well to consider the full path of the file.

Btw, @alexkeh, if you need people to test your implementation of Kerberos auth on .NET Core, talk to me. I would love to help make this happen! :-)

mattsvi avatar Jun 07 '22 12:06 mattsvi

The Parse method shouldn't throw an error with the latest Kerberos.NET version. Can you share any error information and/or trace? We're seeing this method works fine.

To provide some background on the sqlnet.ora-only settings: MIT Kerberos for Windows is currently supported for managed ODP.NET. MIT loads its configuration settings when its DLLs are loaded. OracleConfiguration settings may not be set at that point. Thus, sqlnet.ora settings are used to avoid this possibility.

The krb5 config file in a location specified by the full path in sqlnet.ora should work. If you turn on ODP.NET tracing, you can see more details about what may be going wrong.

alexkeh avatar Jun 07 '22 18:06 alexkeh

Hello @alexkeh thank you for answering and you are right!

I've re-executed my test with the latest Kerberos.NET implementation and it is working, and the error in the file's placement that I got was due to the use of quotes in the sqlnet.ora file.

For instance, to get the krb5.conf file working correctly I had to delete the quotes from my config file as follows:

👎 Wrong config : SQLNET.KERBEROS5_CONF="C:\Program Files\Oracle\product\19.0.0\client_1\network\admin\kerberos\krb5.conf"

👍 Correct config: SQLNET.KERBEROS5_CONF=C:\Program Files\Oracle\product\19.0.0\client_1\network\admin\kerberos\krb5.conf

So far so good! Thank you :)

mattsvi avatar Jun 07 '22 19:06 mattsvi

Couldn't connect to oracle v11. Is it out of support for mda.core Kerberos authentication? The apreq message, as far as I can see, only differs in the 'authenticator' part.

deryaza avatar Jun 14 '22 08:06 deryaza

Oracle DB 11.2 is no longer supported for new client functionality being delivered nowadays.

alexkeh avatar Jun 14 '22 13:06 alexkeh

Hi Alex, we recently migrated from .NET Framework with Kerberos authentication to .NET Core (6.0). And we are in a BIG mess now and having issues connecting our application to Oracle using Kerberos. I get the exception 'Oracle.ManagedDataAccess.Client.OracleException: NA Kerberos5: Authentication handshake failure at stage'.

So, what is the alternate solution to connect to Oracle from .NET 6 using Kerberos authentication if there is no support for Kerberos Authentication for Oracle DB in .Net Core now?

SureshAkula917 avatar Dec 06 '22 20:12 SureshAkula917

@SureshAkula917 For now, you can use Kerberos.NET from NuGet Gallery to provide Kerberos functionality with ODP.NET Core. Oracle and MS are finishing up having joint support for this solution. It's not yet official, but we're close.

alexkeh avatar Dec 06 '22 21:12 alexkeh

Hi @alexkeh, are there any samples or examples out there that I can look at to implement Kerberos functionality with ODP.NET Core using .NET 6 in Visual Studio? Thanks in advance.

SureshAkula917 avatar Dec 08 '22 00:12 SureshAkula917

You should be able to follow the doc instructions for setting up ODP.NET Kerberos. Be sure to use the latest ODP.NET Core and Kerberos.NET versions from NuGet Gallery.

alexkeh avatar Dec 08 '22 02:12 alexkeh

@ElectricVampire Oracle is working with MS to support .NET (Core) Kerberos with Oracle DB. When both companies have completed their reviews and testing, we'll then be prepared to announce something.

Alex, thank you for your tireless effort in making this happen!! I anxiously await.

madams51703 avatar Dec 13 '22 22:12 madams51703

Oracle and MS have concluded our ODP.NET Core Kerberos.NET support discussion. Official Oracle support will begin with ODP.NET Core 21.10.

alexkeh avatar Jan 04 '23 20:01 alexkeh

Oracle and MS have concluded our ODP.NET Core Kerberos.NET support discussion. Official Oracle support will begin with ODP.NET Core 21.10.

Any timelines for when the package will be available in nuget, as latest version is 3.21.90.

aditya-dubey avatar Feb 20 '23 01:02 aditya-dubey

Oracle and MS have concluded our ODP.NET Core Kerberos.NET support discussion. Official Oracle support will begin with ODP.NET Core 21.10.

Any timelines for when the package will be available in nuget, as latest version is 3.21.90.

Planned for an April release.

BTW, the current ODP.NET Core 3.21.90 will work with Kerberos.NET today. It's just that official support starts with 3.21.10.

alexkeh avatar Feb 20 '23 03:02 alexkeh

We are facing the below issue with kerberos.net today: https://github.com/dotnet/Kerberos.NET/issues/326. Hence I wanted the timeline. Also, will this new version be using the kerberos.net nuget internally?

aditya-dubey avatar Feb 20 '23 03:02 aditya-dubey

Yes, ODP.NET Core will depend on Kerberos.NET.

alexkeh avatar Feb 20 '23 15:02 alexkeh

Kerberos.Net @mattsvi

Hi, I am trying to connect to Oracle DB using Kerberos authentication from .NET Core, but it fails. Currently, I am using the Oracle.ManagedDataAccess.Core nuget package. The .NET code is published as a package and hosted on IIS. The app pool is configured with a user that has Kerberos enabled in the Oracle Database. Could you please help?

KritikaSingh89 avatar Mar 02 '23 12:03 KritikaSingh89

@KritikaSingh89 Assuming you execute the ODP.NET Kerberos setup instructions and installed one of the newer versions of Kerberos.NET, what error are you seeing? Is it failing in a basic Kerberos authentication or the failure occurs in a more complex scenario?

alexkeh avatar Mar 02 '23 15:03 alexkeh

Hi @alexkeh,

I have not installed MIT on our VM on which we will host the .NET application on IIS to send requests to Oracle DB. Is it a must to install it? Also, sqlnet.ora has the configuration SQLNET.KERBEROS5_CC_NAME=OSMSFT://. Also, do we have any reference link on how to use kerberos.client to pass as an Oracle connection?

Thanks & Regards, Kritika Singh

KritikaSingh89 avatar Mar 03 '23 09:03 KritikaSingh89

@KritikaSingh89 You don't need MIT Kerberos only for managed ODP.NET. Kerberos.NET is the requirement when using .NET Core.

alexkeh avatar Mar 03 '23 18:03 alexkeh

I am not certain where to enter bug reports, so if any of you have a clue, let me know. Using Oracle.ManagedDataAccess.Core 3.21.100, C# .NET v7.0. Logging on I am getting: "NA Kerberos5: Authentication handshake failure at stage: %s". The %s indicates some kind of bug in the client library. Using sqlplus with a native 12c client on the same machine with the same client works just fine. sqlnet.ora:

NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
SQLNET.KERBEROS5_CONF = c:\krb5\krb5.conf
SQLNET.AUTHENTICATION_SERVICES= (KERBEROS5)
SQLNET.KERBEROS5_CONF_MIT = TRUE
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER= (RC4_256)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER= (SHA1)
SQLNET.KERBEROS5_CC_NAME = OSMSFT://
SQLNET.FALLBACK_AUTHENTICATION= TRUE
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=XXXXXXXXXX

TIA Henrik

hwjensen avatar Jul 14 '23 13:07 hwjensen

@hwjensen Which Kerberos.NET version are you using? Can you turn on ODP.NET tracing and share the lines around the part of the trace that the error is occurring?

alexkeh avatar Jul 14 '23 22:07 alexkeh

Thanks for getting back to me!

I am using Oracle.ManagedDataAccess.Core 3.21.100, .NET 4.8.04084 Framework on Windows 10 Pro build 19045.2788. Assuming that the code in ManagedDataAccess is the same as in Kerberos.Net. Correct? I tried Kerberos.Net but that didn't work either, cannot remember the exact error though. If you think there is a point to using Kerberos.Net I will have a go. I am running Wireshark on the comms, and I realized that the Kerberos5pre keyword is not recognized anymore, so that is why I am using Kerberos5, which should otherwise not be the choice under Windows. ODP.NET tracing is an excellent idea which I will try out when I get back to work on Monday.

I can also run a trace on the server if you want, it is just that I have a hard time finding info in the massive log files generated.

KR Henrik

hwjensen avatar Jul 15 '23 08:07 hwjensen

@hwjensen If you are using .NET Framework, then use managed ODP.NET and MIT Kerberos.

If you are using .NET (Core), use ODP.NET Core and Kerberos.NET.

Here are instructions for setting up managed ODP.NET and Kerberos.

alexkeh avatar Jul 15 '23 11:07 alexkeh

Hi Alex

I have now had some more time with the dog and have added tracing. Some extracts:

2023-07-18 18:24:43.174165 TID:9 (CFG) (ENV) Machine Name : XXXXXX
2023-07-18 18:24:43.175157 TID:9 (CFG) (ENV) User Name : XXXXXXXX
2023-07-18 18:24:43.175212 TID:9 (CFG) (ENV) OS Version : Microsoft Windows NT 10.0.19045.0
2023-07-18 18:24:43.175263 TID:9 (CFG) (ENV) 64-bit OS : True
2023-07-18 18:24:43.175299 TID:9 (CFG) (ENV) 64-bit Process : False
2023-07-18 18:24:43.175364 TID:9 (CFG) (ENV) .NET Core Runtime Version : 7.0.7
2023-07-18 18:24:43.176484 TID:9 (CFG) (VER) Oracle Data Provider for .NET Core Driver Version : 3.1.21.1
2023-07-18 18:24:43.178464 TID:9 (CFG) (VER) Oracle Data Provider for .NET Core Driver Informational Version : 3.1.21.1:20230330
2023-07-18 18:24:43.178528 TID:9 (CFG) (.NET) SQLNET.FALLBACK_AUTHENTICATION : TRUE
2023-07-18 18:24:43.178540 TID:9 (CFG) (.NET) SQLNET.AUTHENTICATION_SERVICES : (KERBEROS5)
2023-07-18 18:24:43.178599 TID:9 (CFG) (.NET) SQLNET.KERBEROS5_CONF_MIT : TRUE
2023-07-18 18:24:43.178619 TID:9 (CFG) (.NET) SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER : (SHA1)
2023-07-18 18:24:43.178642 TID:9 (CFG) (.NET) SQLNET.CRYPTO_CHECKSUM_SERVER : REQUIRED
2023-07-18 18:24:43.178653 TID:9 (CFG) (.NET) NAMES.DIRECTORY_PATH : (TNSNAMES, EZCONNECT)
2023-07-18 18:24:43.178676 TID:9 (CFG) (.NET) SQLNET.ENCRYPTION_TYPES_SERVER : (RC4_256)
2023-07-18 18:24:43.178688 TID:9 (CFG) (.NET) SQLNET.KERBEROS5_CC_NAME : c:\krb5\kcache
2023-07-18 18:24:43.178710 TID:9 (CFG) (.NET) SQLNET.ENCRYPTION_SERVER : REQUIRED

and:

2023-07-18 18:24:43.850908 TID:12 (NET) SQLNET.KERBEROS5_CONF = c:\krb5\krb5.conf. SQLNET.KERBEROS_CC_NAME = c:\krb5\kcache
2023-07-18 18:24:43.944773 TID:12 (NET) (SQLNET) [Info] Cache did not contain a valid ticket for LMESDBAPI/lmesdbapi-lmesplus-nne.lmesplus.nne
2023-07-18 18:24:43.961452 TID:12 (NET) (SQLNET) Kerberos authentication failed : System.InvalidOperationException: Cannot request a service ticket until a user is authenticated
   at Kerberos.NET.Client.KerberosClient.CopyTicket(String spn) in D:\a\1\s\Kerberos.NET\Client\KerberosClient.cs:line 1092
   at Kerberos.NET.Client.KerberosClient.GetServiceTicket(RequestServiceTicket rst, CancellationToken cancellation) in D:\a\1\s\Kerberos.NET\Client\KerberosClient.cs:line 591
   at OracleInternal.Network.AnoKerberos.Authenticate(String KRB5Conf, String KRB5CCName, String SN, String Host, Byte[]& kkey)
2023-07-18 18:24:43.966123 TID:12 (NET) (ENT) TcpTransportAdapter.ConnectIterate()
2023-07-18 18:24:43.969146 TID:12 (PRI) (ENT) OracleConnectionImpl.Connect()
2023-07-18 18:24:43.969384 TID:12 (PRI) (ENT) OracleException.ctor()
2023-07-18 18:24:43.969688 TID:12 (PRI) (ENT) OracleError.ctor()
2023-07-18 18:24:43.969973 TID:12 (PRI) (EXT) OracleError.ctor()
2023-07-18 18:24:43.970005 TID:12 (PRI) (EXT) OracleException.ctor()
2023-07-18 18:24:43.970830 TID:12 (PRI) (SVC) (ERR) OracleConnectionImpl.Connect() (txnid=n/a) OracleInternal.Network.NetworkException (0x80004005): NA Kerberos5: Authentication handshake failure at stage: %s ---> System.InvalidOperationException: Cannot request a service ticket until a user is authenticated

It seems to me that the ticket cache is not loaded at the start of the authentication, and because of that, it is not possible to forward the TGT to the DB server.

Wonder if it would be possible to force feed the cache before starting the authentication? Any ideas?

BTW; Kerberos.Net is version 4.6.20

hwjensen avatar Jul 18 '23 16:07 hwjensen
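The trace above fails inside Kerberos.NET before ODP.NET gets a ticket ("Cannot request a service ticket until a user is authenticated"). A standalone pre-flight check that drives Kerberos.NET directly against the same krb5.conf and Oracle SPN isolates KDC/realm/config problems from the ODP.NET layer. This is an added example, not code from the thread, from Oracle or from the Kerberos.NET project; it assumes Kerberos.NET 4.x (`KerberosClient`, `Krb5Config.Parse`, `KerberosPasswordCredential`, `GetServiceTicket`), the SPN and krb5.conf path from the trace, and test credentials supplied via the hypothetical KRB_USER, KRB_PASSWORD and KRB_REALM environment variables.

```csharp
// Added diagnostic (not from the thread, Oracle or Kerberos.NET): obtain a TGT and then a
// service ticket for the Oracle SPN with Kerberos.NET alone, so a failure here points at
// krb5.conf / KDC / principal setup rather than at ODP.NET's use of the ticket cache.
using System;
using System.IO;
using System.Threading.Tasks;
using Kerberos.NET.Client;
using Kerberos.NET.Configuration;
using Kerberos.NET.Credentials;

public static class OracleKerberosPreflight
{
    public static async Task<int> Main()
    {
        // Same file that SQLNET.KERBEROS5_CONF points at in the trace.
        string krb5ConfPath = @"c:\krb5\krb5.conf";
        // SPN from the "Cache did not contain a valid ticket for ..." trace line.
        string spn = "LMESDBAPI/lmesdbapi-lmesplus-nne.lmesplus.nne";
        // Hypothetical env vars for a test account; never hard-code these.
        string user = Environment.GetEnvironmentVariable("KRB_USER");
        string password = Environment.GetEnvironmentVariable("KRB_PASSWORD");
        string realm = Environment.GetEnvironmentVariable("KRB_REALM");

        var client = new KerberosClient
        {
            // Parse the identical krb5.conf so realm/KDC resolution matches ODP.NET's view.
            Configuration = Krb5Config.Parse(File.ReadAllText(krb5ConfPath))
        };

        try
        {
            // Step 1: AS exchange (TGT). Skipping this is exactly the state the trace shows:
            // the client has no authenticated user, so GetServiceTicket throws.
            await client.Authenticate(new KerberosPasswordCredential(user, password, realm));

            // Step 2: TGS exchange for the Oracle service principal.
            var session = await client.GetServiceTicket(spn);
            Console.WriteLine($"OK: service ticket for {spn} in realm {session.ApReq.Ticket.Realm}");
            return 0;
        }
        catch (Exception ex)
        {
            // Typical causes: wrong realm/KDC in krb5.conf, clock skew, unknown SPN, bad credentials.
            Console.WriteLine($"Kerberos pre-flight failed: {ex.GetType().Name}: {ex.Message}");
            return 1;
        }
    }
}
```

If this succeeds but ODP.NET still fails, the remaining difference is the ticket cache ODP.NET reads (SQLNET.KERBEROS5_CC_NAME), which is where to focus tracing next.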