Hi,
I created a user account in AWS Oracle RDS with external authentication as follows:
```sql
CREATE USER "USER.NAME@DOMAIN.LOCAL"
  IDENTIFIED EXTERNALLY AS 'USER.NAME@DOMAIN.LOCAL'
  DEFAULT TABLESPACE USERS
  TEMPORARY TABLESPACE TEMP
  PROFILE DEFAULT
  ACCOUNT UNLOCK;
```
The AWS RDS instance has been enabled with Kerberos authentication and attached to a MS Active Directory. The user account I am referring to has proxy enabled with an application schema.
```sql
ALTER USER APPSCHEMA
  GRANT CONNECT THROUGH "USER.NAME@DOMAIN.LOCAL";
```
After I log in to SQL Developer (USER.NAME@DOMAIN.LOCAL/@SERVICE_NAME), I am not able to query/access objects available under the application schema.
I also would like to know how I should be able to connect to Oracle RDS in AWS with Kerberos authentication from Toad. I am running Toad version 24.2.275.4664.
Please advise.
Thanks,
Raghu
See this thread: Issue Login into Oracle DB from Toad - #11 by Tharakesh
Oh, and I'll add - for proxy users and Kerberos, you will need to have an Oracle client installed and the "Connect using Oracle client" box should be checked on Toad's login window. And of course, you'll need Kerberos configured in that Oracle client, with the appropriate settings in sqlnet.ora.
Thank you for the update.
Yes, “Connect using Oracle client” option is enabled already. Toad is using 12.2 Oracle client. Here are the entries in the sqlnet.ora file.
```
SQLNET.KERBEROS5_CONF=D:\app\client\product\12.2.0\client_1\network\admin\krb5.conf
SQLNET.KERBEROS5_CONF_MIT=TRUE
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oracle
NAMES.DIRECTORY_PATH=(TNSNAMES, EZCONNECT)
SQLNET.AUTHENTICATION_SERVICES=(kerberos5pre,kerberos5,beq,none)
LOG_DIRECTORY_CLIENT=D:\app\client\product\12.2.0\client_1\Network\Log
LOG_FILE_CLIENT=sqlnet_log
SQLNET.EXPIRE_TIME=0
TRACE_DIRECTORY_CLIENT=D:\app\client\product\12.2.0\client_1\Network\Trace
TRACE_FILE_CLIENT=sqlnet_trc
TRACE_FILELEN_CLIENT=100
TRACE_FILENO_CLIENT=3
TRACE_LEVEL_CLIENT=OFF
SSL_CLIENT_AUTHENTICATION=FALSE
TRACE_TIMESTAMP_CLIENT=ON
TRACE_UNIQUE_CLIENT=ON
USE_DEDICATED_SERVER=OFF
```
How am I supposed to enter username and password in Toad to connect using Kerberos authentication?
AD based username: USER.NAME@DOMAIN.LOCAL
Please let me know if I am missing anything here.
Thanks,
Raghu
The username should be like one of these, and the password blank:
- EXTERNAL
- EXTERNAL[APPSCHEMA]
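
A way to confirm which of the two login forms above a session actually used, as an added example that is not part of the thread. The queries read standard Oracle `USERENV` attributes and the `USER_PROXIES` / `DBA_PROXIES` dictionary views; `APPSCHEMA` is the schema name from the posts above, and access to `DBA_PROXIES` is assumed only for the last query.

```sql
-- Added example: run in the session that Toad or SQL Developer opened.

-- 1. Identity of this session and how it was authenticated.
--    SESSION_USER  : the database user the session runs as
--    PROXY_USER    : the user who opened the session on behalf of SESSION_USER
--    AUTHENTICATED_IDENTITY : the external identity presented at logon
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')           AS sess_user,
       SYS_CONTEXT('USERENV', 'CURRENT_SCHEMA')         AS cur_schema,
       SYS_CONTEXT('USERENV', 'PROXY_USER')             AS proxy_user,
       SYS_CONTEXT('USERENV', 'AUTHENTICATION_METHOD')  AS auth_method,
       SYS_CONTEXT('USERENV', 'AUTHENTICATED_IDENTITY') AS auth_identity
FROM   dual;

-- 2. Run while logged in directly as the externally identified user:
--    the schemas this user has been granted CONNECT THROUGH for.
SELECT client, authentication, authorization_constraint, role
FROM   user_proxies
ORDER  BY client;

-- 3. Roles enabled in the current session (what the session can actually use).
SELECT role
FROM   session_roles
ORDER  BY role;

-- 4. Administrator view of the same grant (assumes dictionary access):
--    every proxy allowed to connect as APPSCHEMA.
SELECT proxy, client, authentication, authorization_constraint
FROM   dba_proxies
WHERE  client = 'APPSCHEMA'
ORDER  BY proxy;
```

In a proxied session, query 1 reports the application schema as `SESSION_USER` and the Kerberos-authenticated account as `PROXY_USER`. In a direct login `PROXY_USER` is null and the session holds only that account's own privileges, so the `CONNECT THROUGH` grant alone gives it no access to the application schema's objects.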