Using external operating system account validation in Windows oracle11g

Install oracle11g under WINDOWS2008R2, you can use the OS account to log on to Oracle on the server where Oracle is installed, and the remote OS, such as Win7, can also be logged on using the local OS account.

Multiple parameters need to be set.

Log on to Oracle with DBA authority

C:\users\administrator>sqlplus/nolog

Sql*plus:release 11.2.0.1.0 Production on February 12 16:39:03 2015

Copyright (c) 1982, Oracle. All rights reserved.

Sql> Conn/as SYSDBA

is connected.

Sql> Show User
USER is "SYS"

If the user is shown as SYS, it is successful to use OS account authentication for the server's native computer.

If not, then you need to identify some places.

Installation path \product\11.2.0\dbhome_1\network\admin

Under the Sqlnet.ora file

Sqlnet. Authentication_services= (NTS)

Whether there is NTSin parentheses, (none,nts) can also

NAMES. Directory_path= (TNSNames, Ezconnect)

Here the tnsnames is corresponding to the Tnsnames.ora file, is to sqlplus command parsing SID flag

Sql> conn/@orcl

This mark is ORCL, the corresponding file in the ORCL explanation host,port, and service_name

Of course, you can log in with the SYS account and password.

Sql> Conn Sys/password as Sysdba

is connected.

Determining initialization parameters

①sql> Show Parameter Os_authent_prefix

NAME TYPE VALUE
------------------------------------ ----------- ------------
Os_authent_prefix string ops$
Sql>

This ops$ is a prefix, can be empty, but not null, empty use "" just fine.

This is to differentiate between an Oracle user or an OS user, and the OS user is preceded by a ops$

② is available for remote clients,

Sql> Show Parameter Remote_os_authent

NAME TYPE VALUE
------------------------------------ ----------- ---------
Remote_os_authent Boolean FALSE

This is shown as false and must be modified

Sql>alter SYSTEM SET remote_os_authent = TRUE SCOPE = SPFILE;

Then restart the database

SHUTDOWN IMMEDIATE
STARTUP

③ Remote Connection parameters

Sql> Show Parameter Remote_login_passwordfile

NAME TYPE VALUE
------------------------------------ ----------- -----------------
Remote_login_passwordfile string EXCLUSIVE

EXCLUSIVE can do it.

None is a remote password file is not allowed,gkfx appears in the old version, and the current and exclusive effects are the same.

and start mapping OS accounts in Oracle.

Sql> Create user ops$administrator identified externally;

User created.

Authorization to connect, etc.

Sql> Grant Connect,resource to Ops$administrator;
Grant succeeded.

And now log on to the server and see

Sql> Conn/

is connected.

Sql> Show User
USER is "Ops$administrator"

Add as SYSDBA in order to log in with the database administrator mode

Enter the remote continuation below

Installing Oracle's client software in client Win7

After configuring the SID connection, the parameters in the Sqlnet.ora file must also have NTS, which is the key to OS authentication

NAMES. Directory_path= (TNSNames, Ezconnect) must also have

Editing Tnsnames.ora is also key

ORCL =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP) (HOST = ORACLE) (PORT = 1521))
(Connect_data =
(SERVER = dedicated)
(service_name = ORCL)
)
)

Here (HOST = ORACLE) is the machine name of the server that installed windows2008, if there is no domain support, need to bring the full domain name, (service_name = ORCL) is the service name defined on the remote server, can not be wrong.

Then try it on the client.

Sql> Conn/

is connected.

Sql> Show User
USER is "Ops$administrator"

This convenience is convenient, but the safety is lost.

To try, in the client to do a administrator account, but with the server's administrator account password is different, can also connect it, the answer is yes, or can. In other words, when the remote_os_authent is true, the server side is not confirm the password, is the client's OS on the confirmation of the password, then the client if they have administrator rights, then do what the name of the account can be, there is no security, Of course, the use must be in isolation and the internet environment, or die more ugly. should also be used in the domain environment, the client's login users are controlled by the domain, authenticated user name with domain authentication, to ensure that both client and server-side authentication can be trusted. If you want to ignore the domain name authentication user name, you can modify the registry in the server-side OS

Hkey_local_machine\software\oracle\key_oradb11g_home1

Add text column Osauth_prefix_domain with a value of false

This is certainly not recommended.

This article from "Genius without that 1% is absolutely impossible" blog, please be sure to keep this source http://xushen.blog.51cto.com/1673219/1614106

Using external operating system account validation in Windows oracle11g