Windows Native Auth in Production in OCI mode

Discussion of open issues, suggestions and bugs regarding ADO.NET provider for Oracle
NNPTC Database
Posts: 5
Joined: Wed 29 Aug 2012 14:29

Windows Native Auth in Production in OCI mode

Post by NNPTC Database » Wed 29 Aug 2012 17:33

We have the following configuration currently working using ODP.NET:

Internet Explorer-based clients, connecting to an IIS Server using Windows Auth. ASP.NET is set to Impersonate the authenticated user. ASP.NET makes Oracle connections using Windows Native Authentication using ODP.NET. This functions well -- however, there are some substantial bugs in ODP.NET regarding its use in ASP.NET, thus we are moving to Devart dotConnect for Oracle.

We would like to make the same configuration, or something similar (e.g. any configuration where each user is authenticated to their own account on the database) with dotConnect. Currently, I have dotConnect deployed to a test site, but native auth is not working in Direct mode. I am obtaining the error "ORA-01017." The sqlnet.ora file has SQLNET.AUTHENTICATION=(NTS). Again, this is working with ODP.NET but not dotConnect in OCI mode. (Additionally, dotConnect w/ WNA is working from our personal development machines) It's as if the sqlnet.ora file is being ignored, or Devart is loading a different set of Oracle client DLLs than it is told.

Please advise.

Pinturiccio
Devart Team
Posts: 2420
Joined: Wed 02 Nov 2011 09:44

Re: Windows Native Auth in Production in OCI mode

Post by Pinturiccio » Mon 03 Sep 2012 13:53

NNPTC Database wrote: but native auth is not working in Direct mode
Windows Native Authentication is not supported in the Direct mode.
NNPTC Database wrote: The sqlnet.ora file has SQLNET.AUTHENTICATION=(NTS). Again, this is working with ODP.NET but not dotConnect in OCI mode... It's as if the sqlnet.ora file is being ignored, or Devart is loading a different set of Oracle client DLLs than it is told.
Perhaps you have more than one Oracle Client. You set up the sqlnet.ora file for one Oracle Client, but use another one with dotConnect for Oracle in the OCI mode. You can set which Oracle Client to use with the "HOME" connection string parameter.
For more information, please refer to the Oracle connection string "HOME" parameter and the OracleConnectionStringBuilder "HOME" property.
NNPTC Database wrote: (Additionally, dotConnect w/ WNA is working from our personal development machines)
Could you please specify the following:
1. The exception message and stack trace when it fails in the OCI mode;
2. The difference between your development and deployment environments;
3. dotConnect for Oracle version;
4. Oracle Server version;
5. Oracle Client version.

NNPTC Database
Posts: 5
Joined: Wed 29 Aug 2012 14:29

Re: Windows Native Auth in Production in OCI mode

Post by NNPTC Database » Tue 04 Sep 2012 12:49

Whoops, that comment about Direct Mode was a slip-up. I meant that Windows native auth is not working in OCI mode, in line with the subject.
Could you please specify the following:
1. The exception message and stack trace when it fails in the OCI mode;
I am unable to provide this information easily. The machine is on an intranet where data transfer is not convenient. If this is truly necessary, I can get it -- but I did not see any useful information.
2. The difference between your development and deployment environments;
Development environment is Microsoft Visual Studio 2010 using the development webserver. The Oracle client is 11g (11.2.0.2.0).

The server machine has IIS 6.0 and Oracle 10g (10.2.0.5.0) running on it. (WNA using NTLM does not work over the network; IIS and Oracle must be installed on the same machine.) There are two Oracle homes. One is OraDb10g_home1 (10.2.0.5.0) and the other is OraClient11g_home1 (11.2.0.2.0). We are specifying "home=OraClient11g_home1" in the connection string, and both homes have sqlnet.ora files that have SQLNET.AUTHENTICATION=(NTS).
3. dotConnect for Oracle version;
dotConnect for Oracle 7.1 Pro
4. Oracle Server version;
Oracle 10g (10.2.0.5.0)
5. Oracle Client version.
Oracle 11g (11.2.0.2.0)

NNPTC Database
Posts: 5
Joined: Wed 29 Aug 2012 14:29

Re: Windows Native Auth in Production in OCI mode

Post by NNPTC Database » Thu 06 Sep 2012 14:25

Additionally, I have set up a testbed with IIS 7.0 + Oracle 11g Server (11.2.0.3.0) ONLY and am still having the same issue.

ORA-01017: invalid username/password.

Native auth works on that server from SQL*Plus, as well as when using ODP.NET in our Web Application.

Please advise.

NNPTC Database
Posts: 5
Joined: Wed 29 Aug 2012 14:29

Re: Windows Native Auth in Production in OCI mode

Post by NNPTC Database » Thu 06 Sep 2012 19:42

Some additional testing. In both setups, Devart is trying to connect as "NT AUTHORITY\SYSTEM"; under ODP.NET it properly uses the user that the ASP.NET page is impersonating. If I set the AppPool to run under a specific user, it works, but not as the user visiting the ASP.NET page. To reiterate, ODP.NET is working just fine under this configuration.

NNPTC Database
Posts: 5
Joined: Wed 29 Aug 2012 14:29

Re: Windows Native Auth in Production in OCI mode

Post by NNPTC Database » Wed 12 Sep 2012 13:55

Per Microsoft's Documentation (http://msdn.microsoft.com/en-us/library/ff647404.aspx) connection pooling should be per-user when impersonating the end-user in ASP.NET.
"The impersonation / delegation model does not allow you to make efficient use of database connection pooling because database access is performed by using connections that are tied to the individual security contexts of the original callers. This significantly limits the application's ability to scale to large numbers of users."
Devart dotConnect for Oracle does not seem to be implementing this. The connections are being made as the ApplicationPoolIdentity, rather than the current security context.

We would be willing to switch to some other method of connecting to the database as the currently authenticated user, if the Devart team knows of an elegant way to do this. However, every other method of which I am aware that accomplishes this task requires dynamically generated per-session connection strings and replacing all the designer-generated code to make connections. This is not feasible.

Please confirm that this support request is being addressed.
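
A diagnostic for the identity mismatch reported in the posts above, as an added example that is not part of the original thread and is not Devart, Oracle or Microsoft code: it compares the Windows identity of the impersonating request thread with the OS user Oracle recorded for the session. `IdentityProbe`, `ProbeResult` and the `open` delegate are hypothetical names; the comparison assumes `OS_USER` is reported as `DOMAIN\user` or as a bare account name.

```csharp
using System;
using System.Data.Common;
using System.Security.Principal;

// Added diagnostic; IdentityProbe and ProbeResult are hypothetical names.
public sealed class ProbeResult
{
    public string ThreadIdentity;    // Windows identity the request thread runs as
    public string OracleOsUser;      // OS user Oracle authenticated for this session
    public string OracleSessionUser; // database account the session was mapped to
    public bool Matches;             // false: the session is not the caller's
}

public static class IdentityProbe
{
    private const string Sql =
        "SELECT SYS_CONTEXT('USERENV','OS_USER'), " +
        "SYS_CONTEXT('USERENV','SESSION_USER') FROM DUAL";
    // 'open' returns an opened connection built from the application's usual
    // connection string, so pooling behaves as it does in production.
    public static ProbeResult Run(Func<DbConnection> open)
    {
        ProbeResult result = new ProbeResult();
        // Under ASP.NET impersonation this is the browsing user, not the app pool.
        using (WindowsIdentity current = WindowsIdentity.GetCurrent())
            result.ThreadIdentity = current.Name;
        using (DbConnection conn = open())
        using (DbCommand cmd = conn.CreateCommand())
        {
            cmd.CommandText = Sql;
            using (DbDataReader reader = cmd.ExecuteReader())
            {
                if (!reader.Read()) throw new InvalidOperationException("No row from DUAL.");
                result.OracleOsUser = reader.IsDBNull(0) ? "" : reader.GetString(0);
                result.OracleSessionUser = reader.IsDBNull(1) ? "" : reader.GetString(1);
            }
        }
        // Assumption: OS_USER comes back as DOMAIN\user or as a bare account name,
        // so only the account part is compared (case-insensitively).
        result.Matches = string.Equals(AccountPart(result.ThreadIdentity),
            AccountPart(result.OracleOsUser), StringComparison.OrdinalIgnoreCase);
        return result;
    }
    private static string AccountPart(string name)
    {
        int slash = name.LastIndexOf('\\');
        return slash >= 0 ? name.Substring(slash + 1) : name;
    }
}
```

Run it from a page while impersonating two different test users in turn. A `Matches` value of false, or the same `OracleOsUser` for both users, means the session was authenticated as the process identity or came from a pooled connection opened under another identity.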

Shalex
Site Admin
Posts: 9543
Joined: Thu 14 Aug 2008 12:44

Re: Windows Native Auth in Production in OCI mode

Post by Shalex » Wed 12 Sep 2012 16:16

We are processing your request.
