Currently, we can log in as username: EXTERNAL. There is no sign-in as username/password through Oracle database with Kerberos/AD on Toad for Oracle.
I don't understand how this would work.
If you enter a username/password, that's what we send to Oracle. If you need to login with OS authentication, the "EXTERNAL" keyword tells Toad "don't send a username/password, and the Oracle client will figure it out".
Are you talking about Kerberos + proxy authentication? If so, you can do something like:
Username: EXTERNAL[PROXIED_USERNAME]
Password: blank
See this thread: Issue Login into Oracle DB from Toad - #13 by Tharakesh
How would you login with sql*plus (from your desktop, not on the database server)?
I have to generate a token and then log in to sqlplus /@. It is important to note that when you generate a token it will prompt you for the password.
To generate the token, the following is the command we use:
okinit @
Robert
It sounds like the username/password that you supply is not for Oracle, but Kerberos? Is that right?
So you get the token and then login without a username/password anyway? How is this a security benefit if it works even when you don't get the token? I'm not trying to give you a hard time, just trying to understand.
Though you have generated a token, I cannot log in to the database without giving the Kerberos password in the SQL Developer password field.
So my point is, even though you have generated a token, you need the Kerberos password to log in to the database using SQL Developer.
In Toad, you just log in to the database as EXTERNAL, not even with a token generated.
Robert
Thanks for the information.
I'm not saying that we won't add this to Toad, but if we do, we won't take away the EXTERNAL option because a lot of people use that.
Any update to this? Has Toad for Oracle added this enhancement for Kerberos? E.g. we should be able to generate a token [using userid/pass to Kerberos] and then use the token to connect to Oracle, the way SQL Developer does. E.g. in SQL Developer you can enter user ID/password and use the Kerberos authentication method to connect to the database. Toad only has EXTERNAL to connect using only
Sorry, we haven't done anything with this.
Hi John,
How does EXTERNAL[PROXYUSERID] work?
We have a requirement where the Windows client logs in to the domain using his userid; in our Kerberos setup he can log in to the Oracle DB using EXTERNAL.
The user has another account in AD, call it sid; we want him to log in using this account. If he creates a Kerberos ticket with okinit using sid, how will Toad EXTERNAL work?
Basically he has 2 Kerberos tokens; how do we specify to Toad to use the 2nd token, i.e. the sid token?
E.g. in SQL Developer we have Kerberos authentication where you can specify userid and password, so you can use any ID.
But in Toad, how do we specify to use the 2nd userid, since it has only the EXTERNAL option?
Thank you for your support.
Trinath
I don't know how SQL Developer achieves this. Toad does not interact with Kerberos in any way. This all happens at the Oracle client level.
EXTERNAL[PROXYUSERID] is for OS authentication + Oracle Proxy connection. Maybe it will work for you in this case, I'm not sure.
When you connect in Toad using EXTERNAL, we send blanks for both username and password to the database, and Oracle's external authentication kicks in.
From this post, 2nd to the last reply:
I don’t have Kerberos here, but to test it I use OS Authentication, which seems to work the same way as far as the database goes. I’ll describe my setup and hopefully it will help you understand what’s going on.
So my Windows user in the database ends up being “OPS$PROD\JDORLON” (and I can log in as blank or EXTERNAL with this, without knowing the password). This is your user A.
Now, if I go into the Schema Browser, change object type to USERS, and click on user B in the list, then on the right, on the Proxies tab, I’ll see OPS$PROD\JDORLON. That was set up with this command:
ALTER USER B GRANT CONNECT THROUGH "OPS$PROD\JDORLON";
With Toad 12.9 and newer, logging in with EXTERNAL[B] (with blank password) works. I don’t get any prompt at all - it just connects. I don’t need to know B’s password because of the proxy grant.
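The proxy setup described in the quoted post, with the checks a DBA can run to confirm who is actually connected. This is an added example, not part of the original thread or Toad's own code; B and OPS$PROD\JDORLON are the names used in the post, and the queries assume a DBA account for the PROXY_USERS view.

```sql
-- Proxy grant from the quoted post: the externally authenticated
-- account may open sessions as B without knowing B's password.
-- The double quotes are required because of the $ and \ in the name.
ALTER USER B GRANT CONNECT THROUGH "OPS$PROD\JDORLON";

-- Review every proxy relationship in the database (DBA privileges needed).
-- PROXY  = account that authenticates
-- CLIENT = account whose identity and privileges the session takes on
SELECT proxy, client, authentication, flags
  FROM proxy_users
 ORDER BY client, proxy;

-- Run inside a session opened as EXTERNAL[B] to see how it was established:
-- which schema the session runs as, which account proxied for it,
-- how that account was authenticated, and the client OS user.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')          AS connected_as,
       SYS_CONTEXT('USERENV', 'PROXY_USER')            AS proxied_by,
       SYS_CONTEXT('USERENV', 'AUTHENTICATION_METHOD') AS auth_method,
       SYS_CONTEXT('USERENV', 'OS_USER')               AS client_os_user
  FROM dual;

-- Withdraw the proxy right when it is no longer needed.
ALTER USER B REVOKE CONNECT THROUGH "OPS$PROD\JDORLON";
```

Because a proxy grant lets one login act as another account without that account's password, the PROXY_USERS listing is worth including in periodic privilege reviews.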