
Alteryx Designer Discussions

Find answers, ask questions, and share expertise about Alteryx Designer.

Oracle Kerberos based Authentication (Without Password and UserName)

Meteor

Hello All,

 

Our company migrated to Oracle cloud and it only supports Kerberos based authentication. I am not able to find any option in Alteryx 2018.3 to connect via Kerberos.

Is there any way to use Kerberos authentication for Oracle? Please suggest.

 

Thanks

V

Alteryx

Hi @vepp 

 

Unfortunately we don't officially support Kerberos for Oracle. We haven't tested this, but you could try the OCI or ODBC connection options after setting up your auth per the instructions below:

 

https://docs.oracle.com/cd/E11882_01/network.112/e40393/asokerb.htm#ASOAG9660

https://docs.oracle.com/cd/B28359_01/java.111/b31224/clntsec.htm#CIHCIDHF

Meteor
Thanks @DaveF. Is it possible for the Alteryx team to test and confirm? I work in a very restricted environment and we cannot install drivers without proper evidence. It would be great if Alteryx product confirms the possibility, then I can ask IT folks to get the drivers based on evidence. @DaveF
Atom

Hi @DaveF,
I tried this and unfortunately it doesn't work.

 

I suspect this is because under the hood Alteryx is ultimately calling the OCISessionBegin function in the Oracle driver and passing in OCI_CRED_RDBMS rather than OCI_CRED_EXT for the "credt" parameter:

  • When credt is OCI_CRED_RDBMS then username and password must be supplied and these credentials are used for authentication with Oracle
  • When credt is OCI_CRED_EXT then username and password must not be supplied and authentication with Oracle is via some external means as per the caller's configuration (e.g. defined in sqlnet.ora).

[For details of OCISessionBegin see https://docs.oracle.com/database/121/LNOCI/oci16rel001.htm#LNOCI17121]

 


I think it should be pretty easy for Alteryx to add support for Oracle external authentication...

 

Add an "External Authentication" checkbox to the Oracle Connection dialog (for OCI):

  • When unchecked the User Name and Password fields are enabled and mandatory
  • When checked the User Name and Password fields are cleared and disabled

clipboard_image_0.png

Then when Alteryx is initiating a connection with Oracle via OCI:

  • if External Authentication is false then connect as per current functionality
  • if External Authentication is true then set credt to OCI_CRED_EXT and do not pass username and password (or if calling dpiConn_create then userName and password values must be zero length or NULL and createParams.externalAuth should be set to 1)


Examples using Node.js oracledb (which calls dpiConn_create which then calls OCISessionBegin)

This connection to our Oracle DB (protected with Kerberos authentication) fails:

clipboard_image_1.png

with error "[Error: ORA-01017: invalid username/password; logon denied]".

This is the same error we get when we try to connect to the Oracle database from Alteryx.


Whereas this connection to our Oracle DB (protected with Kerberos authentication) works:

clipboard_image_2.png

 

i.e. setting externalAuth to true (and not supplying user and password) works due to the Oracle configuration in my environment.
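
The two connection modes contrasted in the post above, as an added example that is not part of the original thread and is not Alteryx or Oracle code. The helper names and the sample sqlnet.ora text are constructed for illustration, and the pre-flight check assumes the client enables Kerberos through SQLNET.AUTHENTICATION_SERVICES in sqlnet.ora.

```javascript
// Added example; helper names are hypothetical, not Alteryx or Oracle code.

// Constructed client sqlnet.ora (sample values, not from the thread).
const SAMPLE_SQLNET = [
  '# SQLNET.AUTHENTICATION_SERVICES = (NONE)',
  'SQLNET.AUTHENTICATION_SERVICES = (BEQ, KERBEROS5)',
  'SQLNET.KERBEROS5_CONF = /etc/krb5.conf',
].join('\n');

// True when an uncommented SQLNET.AUTHENTICATION_SERVICES entry lists KERBEROS5.
function kerberosEnabled(sqlnetText) {
  const active = sqlnetText.split(/\r?\n/)
    .filter((line) => !line.trim().startsWith('#')).join('\n');
  const m = active.match(/^\s*SQLNET\.AUTHENTICATION_SERVICES\s*=\s*\(?([^)\n]*)/im);
  if (!m) return false;
  return m[1].split(',').map((s) => s.trim().toUpperCase()).includes('KERBEROS5');
}

// Build getConnection() attributes for exactly one of the two modes in the post.
function connectAttrs({ connectString, externalAuth = false, user, password }) {
  if (!connectString) throw new Error('connectString is required');
  if (externalAuth) {
    // Maps to OCI_CRED_EXT: credentials must be absent, not merely ignored.
    if (user || password) {
      throw new Error('externalAuth set: user and password must not be supplied');
    }
    return { connectString, externalAuth: true };
  }
  // Maps to OCI_CRED_RDBMS: both credentials are mandatory.
  if (!user || !password) throw new Error('user and password are required');
  return { connectString, user, password };
}

// Pre-flight the client config, then connect without any stored password.
async function connectWithKerberos(connectString, sqlnetText) {
  if (!kerberosEnabled(sqlnetText)) {
    throw new Error('sqlnet.ora does not enable KERBEROS5; refusing to connect');
  }
  const { default: oracledb } = await import('oracledb'); // requires node-oracledb
  oracledb.initOracleClient(); // Oracle Client libraries are what read sqlnet.ora
  return oracledb.getConnection(connectAttrs({ connectString, externalAuth: true }));
}
```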
