Using Kerberos Authentication via MSLSA in DataDirect ADO.NET for Oracle Data Provider 4.3

April 16, 2026 DataDirect, Data Connectivity

Kerberos is widely used for secure, password-less authentication, but in certain environments—particularly on Windows systems with Oracle Advanced Security (OAS) enabled and strict restrictions on external libraries and file-based caches—traditional Kerberos approaches may not be suitable. These challenges typically arise from limitations of SSPI-based Active Directory Kerberos or the operational drawbacks associated with MIT Kerberos.

The Oracle ADO.NET data provider addresses these challenges by implementing Kerberos support based on the Microsoft Local Security Authority (MSLSA), through integration with the fully managed, open-source Kerberos.NET library.

The SSPI Challenge with Oracle Advanced Security

On Windows, Kerberos authentication is commonly accessed through SSPI. However, when OAS is enabled, Oracle requires access to the Kerberos session key that SSPI doesn’t expose.

The authentication failures that result are systemic to SSPI and cannot be resolved through application or directory configuration alone.

Solving SSPI Limitations with Kerberos.NET

The Oracle ADO.NET data provider eliminates dependency on SSPI by integrating directly with the Kerberos.NET library, a C# implementation of the Kerberos protocol.

By using Kerberos.NET, the provider can:

  • Perform Kerberos authentication without SSPI
  • Maintain compatibility with Active Directory
  • Operate reliably when OAS is enabled

This integration enables MSLSA-based Kerberos authentication that works consistently in secured and locked-down Windows environments.

Advantages Over MIT Kerberos

MIT Kerberos is sometimes used as an alternative, but it relies on a GSS client library and file-based credential cache, both of which may be restricted or prohibited in hardened Windows environments. These dependencies introduce additional security and operational risks, as credential cache files must be carefully protected, managed, and regularly cleaned up—raising complexity and the likelihood of misconfiguration.

By contrast, Kerberos.NET-based MSLSA support integrates natively with Windows security services and avoids reliance on external GSS libraries or file-based artifacts altogether.

Conclusion

By combining MSLSA integration with the Kerberos.NET library, the Progress DataDirect Oracle ADO.NET data provider delivers a robust Kerberos solution that:

  • Works when SSPI fails under OAS
  • Avoids file-based caches and the GSS client library used by MIT Kerberos
  • Supports secure, password-less authentication
  • Fits seamlessly into hardened Windows environments

For organizations requiring Oracle Advanced Security without sacrificing authentication reliability, Kerberos.NET-powered MSLSA support provides a secure and dependable solution.

To learn how to configure the data provider to use MSLSA-based Kerberos authentication and other supported authentication methods, refer to Authentication.

Ajay Kaushik

Ajay is a Product Owner for Progress DataDirect products and has been associated with Progress since July 2018. In his role, he works closely with the engineering team and collaborates with the marketing, sales, technical support and customer success teams to deliver the best possible data connectivity solutions for customers.