Setting Up Kerberos SSO Authentication for Oracle Database
This guide describes how to configure Kerberos Single Sign-On (SSO) authentication to allow Active Directory users to access an Oracle Database without a password. It covers server-side setup for Linux, as well as client-side setup for both Windows and Linux.
How Oracle SSO Works
The Server Suite agent manages /etc/krb5.conf on both the server and Linux client machines, so Oracle Database interacts with Active Directory transparently — no manual Kerberos configuration is required. When an AD user logs in, their existing Kerberos ticket is used automatically. The agent also handles periodic service account password renewal for the server-side keytab, keeping credentials fresh without manual intervention.
Prerequisites
Before you begin, ensure you have the following:
- Active Directory environment: A Windows AD environment managed by Server Suite, with a domain name, DNS server, zone name, and at least one AD user configured.
- Server Suite agent package: Required for joining Linux machines to the AD zone and managing Kerberos configuration.
- Oracle Linux server machine: With a configured hostname and network access.
- Oracle Database package: The RPM installer for the Oracle Database version you are deploying.
- Oracle client packages: Available from the Oracle website for Windows, Linux, macOS, and other platforms. You will need the basic package, the SQL*Plus package, and the tools package.
Server Setup
Start by setting up the server:
Step 1: Configure the Oracle Linux Machine
Step 2: Install and Configure the Server Suite Agent
Step 3: Install and Configure Oracle Database
Step 4: Configure Kerberos Authentication
Step 5: Restart Oracle Database
Step 6: Add the AD User to the Database
Step 1: Configure the Oracle Linux Machine
Log in as an admin user with superuser privileges and perform the following steps.
- Set the hostname:
  sudo hostnamectl set-hostname (your-hostname)
- Reboot the machine:
  sudo reboot
- Find your network connection name:
  nmcli connection show
- Configure DNS to point to your AD DNS server and set the search domain:
  sudo nmcli con mod (connection-name) ipv4.dns "(dns-server-ip) (gateway-ip)"
  sudo nmcli con mod (connection-name) ipv4.dns-search "(domain-name)"
- Restart NetworkManager to apply the changes:
  sudo systemctl restart NetworkManager.service
Note: If your AD DNS server does not forward queries to your network gateway and internet access is needed during installation (for example, when installing Perl modules), add your gateway IP to the DNS configuration as shown above. This is not required for Kerberos SSO itself.
Step 2: Install and Configure the Server Suite Agent
- Install the required Perl modules:
  sudo dnf install perl-CPAN
- Extract and run the Server Suite installer:
  tar xvzf ./(agent-package.tgz)
  sudo ./install.sh -n
- Join the machine to your AD zone:
  sudo adjoin -z (zone-name) (domain-name)
- Create DNS records for the machine:
  sudo addns -A
Step 3: Install and Configure Oracle Database
- Install the Oracle Database preinstall package and the database RPM:
  sudo dnf install -y oracle-ai-database-preinstall-26ai
  sudo dnf -y localinstall ./(oracle-database-package.rpm)
- Create the demo database. Set a system password and run the configure script:
  export DB_PASSWORD=(your-password)
  (echo "${DB_PASSWORD}"; echo "${DB_PASSWORD}";) | sudo /etc/init.d/oracle-free-26ai configure
- Add the Oracle environment variables to /etc/bashrc:
  export ORACLE_HOME=/opt/oracle/product/26ai/dbhomeFree
  export ORACLE_SID=FREE
  export PATH=$ORACLE_HOME/bin:$PATH
- Reload bashrc:
  source ~/.bashrc
- Switch to the oracle user to configure Net Services:
  sudo su - oracle
- Edit tnsnames.ora under the Oracle network admin folder ($ORACLE_HOME/network/admin/) to define your database service entries, using the fully qualified hostname of your server machine. Grant other users read access when done:
  chmod o+r ${ORACLE_HOME}/network/admin/tnsnames.ora
- Edit listener.ora under the Oracle network admin folder to configure the TCP listener on port 1521, again using the fully qualified hostname.
Step 4: Configure Kerberos Authentication
Create a Kerberos service account and keytab using the adkeytab utility from Server Suite. You have two options:
- Standalone service account: Switch to the oracle user. Create a dedicated service account and store the keytab under the Oracle network admin directory:
  adkeytab -n -P oracle -K ${ORACLE_HOME}/network/admin/krb5.keytab -c "cn=Users" -S (hostname) -W (hostname)
- Machine account: Add Oracle service principals to the existing machine keytab (/etc/krb5.keytab) and grant the oracle user read access:
  sudo adkeytab -a -P oracle -K /etc/krb5.keytab
  If ACLs are supported on your file system:
  sudo setfacl -m u:oracle:r /etc/krb5.keytab
  Otherwise, use the traditional UNIX permission model:
  sudo usermod -aG root oracle
  sudo chmod g+r /etc/krb5.keytab
Security note: Keytab files contain sensitive Kerberos keys. Restrict access carefully — ideally mode 600 with appropriate ownership — and tightly control access to the oracle account.
Next, edit sqlnet.ora under the Oracle network admin folder to enable Kerberos authentication. Key settings include:
- SQLNET.KERBEROS5_KEYTAB: Path to the keytab file. Use the keytab in the Oracle network admin folder for a standalone service account, or /etc/krb5.keytab for the machine account.
- SQLNET.AUTHENTICATION_SERVICES = (beq, tcps, kerberos5pre, kerberos5)
- SQLNET.KERBEROS5_CONF = /etc/krb5.conf: This file is managed automatically by the Delinea Server Suite agent.
- SQLNET.KERBEROS5_CONF_MIT = TRUE
- SQLNET.FALLBACK_AUTHENTICATION = TRUE
- SQLNET.AUTHENTICATION_KERBEROS5_SERVICE = oracle
Grant other users read access to the file:
chmod o+r ${ORACLE_HOME}/network/admin/sqlnet.ora
Then connect to the database as sysdba and set os_authent_prefix to an empty string:
sqlplus sys/(password)@//localhost:1521/free as sysdba
ALTER SYSTEM SET os_authent_prefix='' SCOPE=spfile;
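As an added check that is not part of the original guide, the following Python script parses a server-side sqlnet.ora as described above and verifies the Kerberos settings together with the keytab permissions from the security note. It assumes only the keys listed in this step; the sqlnet.ora text and keytab files in demo() are constructed sample input.

```python
import os
import re
import stat
import tempfile

_LINE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.+?)\s*$")  # KEY = VALUE; a parenthesised value is a list

def parse_sqlnet(text):
    settings = {}
    for raw in text.splitlines():
        m = _LINE.match(raw.split("#", 1)[0])  # '#' starts a comment in sqlnet.ora
        if not m:
            continue
        key, value = m.group(1).upper(), m.group(2)
        if value.startswith("(") and value.endswith(")"):
            value = [v.strip().lower() for v in value[1:-1].split(",") if v.strip()]
        settings[key] = value
    return settings

def audit_keytab(path):
    """Flag a keytab readable by 'other'; the guide's ideal is mode 600."""
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
    except OSError:
        return [f"keytab {path} does not exist or is not accessible"]
    return [f"keytab {path} is world-accessible (mode {mode:o})"] if mode & stat.S_IRWXO else []

def audit_server_sqlnet(text):
    """Return findings for the server-side Kerberos settings this guide sets; empty means OK."""
    s, findings = parse_sqlnet(text), []
    if "kerberos5" not in s.get("SQLNET.AUTHENTICATION_SERVICES", []):
        findings.append("kerberos5 missing from SQLNET.AUTHENTICATION_SERVICES")
    if str(s.get("SQLNET.AUTHENTICATION_KERBEROS5_SERVICE", "")).lower() != "oracle":
        findings.append("SQLNET.AUTHENTICATION_KERBEROS5_SERVICE must match the adkeytab -P oracle principal")
    keytab = s.get("SQLNET.KERBEROS5_KEYTAB")
    findings += audit_keytab(keytab) if keytab else ["SQLNET.KERBEROS5_KEYTAB not set"]
    return findings

def demo():
    """Constructed sample: the guide's settings, once with a 600 keytab and once with 644."""
    results = []
    for mode in (0o600, 0o644):
        keytab = os.path.join(tempfile.mkdtemp(), "krb5.keytab")
        open(keytab, "wb").close()  # empty placeholder standing in for the adkeytab output
        os.chmod(keytab, mode)
        sample = ("SQLNET.AUTHENTICATION_SERVICES = (beq, tcps, kerberos5pre, kerberos5)\n"
                  f"SQLNET.KERBEROS5_KEYTAB = {keytab}\n"
                  "SQLNET.KERBEROS5_CONF = /etc/krb5.conf\n"
                  "SQLNET.AUTHENTICATION_KERBEROS5_SERVICE = oracle\n")
        results.append(audit_server_sqlnet(sample))
    return results
```

Run it on the database host as the oracle user so the keytab check reflects the permissions that process actually sees.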
Step 5: Restart Oracle Database
- Switch back to the admin user and restart the database:
  sudo /etc/init.d/oracle-free-26ai stop
  sudo /etc/init.d/oracle-free-26ai start
  lsnrctl status
- (Optional) Enable the database to start at boot:
  sudo systemctl enable oracle-free-26ai
- (Optional) Open port 1521 to allow remote access:
  sudo firewall-cmd --zone=public --add-port=1521/tcp --permanent
  sudo firewall-cmd --reload
Step 6: Add the AD User to the Database
Oracle Database does not support NSS, so AD users must be added manually as external users. Connect to the database as sysdba and run the following, substituting your AD username and domain name in uppercase:
ALTER SESSION SET CONTAINER=FREEPDB1;
CREATE USER (aduser) IDENTIFIED EXTERNALLY AS '(aduser)@(DOMAIN.NAME)';
GRANT create session TO (aduser);
GRANT SELECT ON v_$session TO (aduser);
Verify the user was created correctly:
select username, password, external_name from dba_users where password = 'EXTERNAL';
Client Setup
After the server is set up, the next step is to set up the client.
Step 7: Client Setup on Windows
- Configure DNS on the Windows machine and join it to the AD domain.
- Download the latest Oracle Instant Client package for Windows from the Oracle website and install it.
- Add the Oracle client installation path to the system PATH environment variable. Create a new system environment variable named TNS_ADMIN and set its value to the Oracle network admin folder path (substitute your own installation path):
  Oracle-client-installation-path\network\admin
- Create the Kerberos configuration file in the Oracle network admin folder. Copy the contents of /etc/krb5.conf from the server machine and save it as krb5.conf.
- Create the network configuration file sqlnet.ora in the Oracle network admin folder. Specify Kerberos as the authentication method, provide the path to the Kerberos configuration file, and set the credential cache location to use the Microsoft Windows in-memory cache. Key settings include:
  - SQLNET.AUTHENTICATION_SERVICES = (kerberos5pre, kerberos5)
  - SQLNET.KERBEROS5_CONF: Path to the krb5.conf file
  - SQLNET.KERBEROS5_CONF_MIT = TRUE
  - SQLNET.FALLBACK_AUTHENTICATION = TRUE
  - SQLNET.KERBEROS5_CC_NAME = OSMSFT://
- Log in to Windows as the AD user, open a command prompt, and test the connection:
  sqlplus /@(server-hostname):(port)/(service-name)
  If configured correctly, you will connect without entering a password.
Step 8: Client Setup on Linux
- Prepare the Linux client machine: set the hostname and DNS, install the Server Suite agent, and join the machine to the AD zone, following the same process as for the server machine (Steps 1–2).
- Download the Oracle Instant Client packages for Linux from the Oracle website. You need three packages: the basic package, the SQL*Plus package, and the tools package. Select the versions appropriate for your Linux distribution.
- Install the packages using rpm:
  sudo rpm -ivh (basic-package.rpm) (sqlplus-package.rpm) (tools-package.rpm)
- Add the Oracle client directory to your PATH in ~/.bashrc and reload it.
- Create the sqlnet.ora network configuration file in the Oracle network admin folder. Specify Kerberos as the authentication method and provide the path to /etc/krb5.conf, which is already managed by the Server Suite agent. Key settings include:
  - SQLNET.AUTHENTICATION_SERVICES = (kerberos5pre, kerberos5)
  - SQLNET.KERBEROS5_CONF = /etc/krb5.conf: This file is managed automatically by the Delinea Server Suite agent.
  - SQLNET.KERBEROS5_CONF_MIT = TRUE
  - SQLNET.FALLBACK_AUTHENTICATION = TRUE
- Log in as the AD user and test the connection:
  sqlplus /@(server-hostname):(port)/(service-name)
  If configured correctly, you will connect without entering a password.