Windows Native Auth in Production in OCI mode
-
- Posts: 5
- Joined: Wed 29 Aug 2012 14:29
Windows Native Auth in Production in OCI mode
We have the following configuration currently working using ODP.NET:
Internet Explorer-based clients, connecting to an IIS Server using Windows Auth. ASP.NET is set to Impersonate the authenticated user. ASP.NET makes Oracle connections using Windows Native Authentication using ODP.NET. This functions well -- however there are some substantial bugs in ODP.NET regarding its use in ASP.NET, thus we are moving to Devart dotConnect for Oracle.
We would like to make the same configuration, or something similar (e.g. any configuration where each user is authenticated to their own account on the database) with dotConnect. Currently, I have dotConnect deployed to a test site, but native auth is not working in Direct mode. I am obtaining the error "ORA-01017." The sqlnet.ora file has SQLNET.AUTHENTICATION=(NTS). Again, this is working with ODP.NET but not dotConnect in OCI mode. (Additionally, dotConnect w/ WNA is working from our personal development machines) It's as if the sqlnet.ora file is being ignored, or Devart is loading a different set of Oracle client DLLs than it is told.
Please advise.
-
- Devart Team
- Posts: 2420
- Joined: Wed 02 Nov 2011 09:44
Re: Windows Native Auth in Production in OCI mode
NNPTC Database wrote: "but native auth is not working in Direct mode"
Windows Native Authentication is not supported in the Direct mode.
NNPTC Database wrote: "The sqlnet.ora file has SQLNET.AUTHENTICATION=(NTS). Again, this is working with ODP.NET but not dotConnect in OCI mode... It's as if the sqlnet.ora file is being ignored, or Devart is loading a different set of Oracle client DLLs than it is told."
Perhaps you have more than one Oracle Client. You set up the sqlnet.ora file for one Oracle Client, but use another one with dotConnect for Oracle in the OCI mode. You can set which Oracle Client to use with the "HOME" connection string parameter.
For more information, please refer to Oracle connection string "HOME" parameter and OracleConnectionStringBuilder "HOME" property.
NNPTC Database wrote: "(Additionally, dotConnect w/ WNA is working from our personal development machines)"
Could you please specify the following:
1. The exception message and stack trace when it fails in the OCI mode;
2. The difference between your development and deployment environments;
3. dotConnect for Oracle version;
4. Oracle Server version;
5. Oracle Client version.
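Added example (not part of the thread and not Devart's code): a check for the multiple-client hypothesis in the reply above, reporting per Oracle home whether its sqlnet.ora enables NTS and which sqlnet.ora a process would read. It assumes Oracle's full parameter name SQLNET.AUTHENTICATION_SERVICES, that a TNS_ADMIN environment variable overrides the home's network\admin directory, and one-line parameters; the file contents and paths are constructed samples.

```python
from pathlib import PureWindowsPath

# Constructed sample contents for the two home names mentioned in the thread.
# They illustrate a mismatch between homes; they are not the poster's files.
SAMPLE_HOMES = {
    "OraDb10g_home1": (
        "# server home\n"
        "SQLNET.AUTHENTICATION_SERVICES = (NTS)\n"
        "NAMES.DIRECTORY_PATH = (TNSNAMES)\n"
    ),
    "OraClient11g_home1": (
        "# client home\n"
        "#SQLNET.AUTHENTICATION_SERVICES = (NTS)\n"   # commented out: not active
        "SQLNET.AUTHENTICATION_SERVICES = (NONE)\n"
    ),
}

def parse_sqlnet(text):
    """Return {PARAM: [values]} for one-line parameters; '#' starts a comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        values = [v.strip().upper() for v in value.strip().strip("()").split(",")]
        params[name.strip().upper()] = [v for v in values if v]
    return params

def config_path(oracle_home, env):
    """Path of the sqlnet.ora a process reads: TNS_ADMIN wins over the home."""
    base = env.get("TNS_ADMIN") or str(PureWindowsPath(oracle_home) / "network" / "admin")
    return str(PureWindowsPath(base) / "sqlnet.ora")

def nts_report(homes):
    """Map each home name to True when NTS is an active authentication service."""
    return {
        name: "NTS" in parse_sqlnet(text).get("SQLNET.AUTHENTICATION_SERVICES", [])
        for name, text in homes.items()
    }

if __name__ == "__main__":
    for home, enabled in nts_report(SAMPLE_HOMES).items():
        print(f"{home}: NTS {'enabled' if enabled else 'NOT enabled'}")
    # Constructed paths: the IIS worker's environment can differ from a console's.
    print(config_path(r"C:\oracle\client_1", {"TNS_ADMIN": r"D:\tns"}))
```

Run the same check with the environment of the IIS worker process rather than an interactive session, since TNS_ADMIN may be set for one and not the other.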
-
- Posts: 5
- Joined: Wed 29 Aug 2012 14:29
Re: Windows Native Auth in Production in OCI mode
Whoops, that comment about Direct Mode was a slip-up. I meant that Windows native auth is not working in OCI mode, in line with the subject.
"Could you please specify the following:
1. The exception message and stack trace when it fails in the OCI mode;"
I am unable to provide this information easily. The machine is on an intranet where data transfer is not convenient. If this is truly necessary, I can get it -- but I did not see any useful information.
"2. The difference between your development and deployment environments;"
Development environment is Microsoft Visual Studio 2010 using the development webserver. The Oracle client is 11g (11.2.0.2.0).
The server machine has IIS 6.0 and Oracle 10g (10.2.0.5.0) running on it. (WNA using NTLM does not work over the network, IIS and Oracle must be installed on the same machine.) There are two Oracle homes. One is OraDb10g_home1 (10.2.0.5.0) and the other is OraClient11g_home1 (11.2.0.2.0). We are specifying "home=OraClient11g_home1" in the connection string and both homes have sqlnet.ora files that have SQLNET.AUTHENTICATION=(NTS).
"3. dotConnect for Oracle version;"
dotConnect for Oracle 7.1 Pro
"4. Oracle Server version;"
Oracle 10g (10.2.0.5.0)
"5. Oracle Client version."
Oracle 11g (11.2.0.2.0)
-
- Posts: 5
- Joined: Wed 29 Aug 2012 14:29
Re: Windows Native Auth in Production in OCI mode
Additionally, I have set up a testbed with IIS 7.0 + Oracle 11g Server (11.2.0.3.0) ONLY and am still having the same issue.
ORA-01017: invalid username/password.
Native auth works on that server from SQL*Plus, as well as when using ODP.NET in our Web Application.
Please advise.
-
- Posts: 5
- Joined: Wed 29 Aug 2012 14:29
Re: Windows Native Auth in Production in OCI mode
Some additional testing. In both setups, Devart is trying to connect as "NT AUTHORITY\SYSTEM"; under ODP.NET it properly uses the user that the ASP.NET page is impersonating. If I set the AppPool to run under a specific user, it works, but not as the user visiting the ASP.NET page. To reiterate, ODP.NET is working just fine under this configuration.
-
- Posts: 5
- Joined: Wed 29 Aug 2012 14:29
Re: Windows Native Auth in Production in OCI mode
Per Microsoft's Documentation (http://msdn.microsoft.com/en-us/library/ff647404.aspx) connection pooling should be per-user when impersonating the end-user in ASP.NET.
"The impersonation / delegation model does not allow you to make efficient use of database connection pooling because database access is performed by using connections that are tied to the individual security contexts of the original callers. This significantly limits the application's ability to scale to large numbers of users."
Devart dotConnect for Oracle does not seem to be implementing this. The connections are being made as the ApplicationPoolIdentity, rather than the current security context.
We would be willing to switch to some other method of connecting to the database as the currently authenticated user, if the DevArt team knows of an elegant way to do this. However, every other method of which I am aware that accomplishes this task requires dynamically generated per-session connection strings and replacing all the designer-generated code to make connections. This is not feasible.
Please confirm that this support request is being addressed.
Re: Windows Native Auth in Production in OCI mode
We are processing your request.