The Question: How does a utility integrate Active Directory (AD) authentication into GIS?
The Background: Microsoft Active Directory is the directory service that holds the identity information a Windows domain needs for authentication: users, groups, computers, and the policies applied to them. The benefit for end-users is single sign-on: once logged in to the domain, they can reach a multitude of systems, applications, and databases without re-typing a user name or password.
The Issue: Only Oracle running on Windows can authenticate domain users against Active Directory out of the box, through its Windows native authentication adapter. On every other platform there is no equivalent adapter, so AD integration requires "help" from an intermediary. (Oracle's Kerberos adapter can authenticate against an AD domain controller's KDC, but that is a separate configuration from the directory-based approach described below.)
An Oracle database holds all the data utilized by GIS. If that database runs on a platform other than Windows (AIX, for example), the native AD integration is unavailable. This produces a confusing user experience: GIS users must keep two sets of credentials, a domain login to start ArcGIS and a separate database username and password for connecting to Oracle. That second password is also a security liability: it sits outside the AD password policy, and disabling a user's AD account does not revoke it. This is where Active Directory authentication must be integrated.
The Solution: When you have Active Directory, the goal is to get Oracle to authenticate against it. Oracle's Relational Database Management System (RDBMS) supports three types of authentication:
- Database authentication – Oracle stores usernames and password verifiers inside the database itself (users created with IDENTIFIED BY).
- Operating System authentication – Oracle trusts the identity already established by the operating system (users created as IDENTIFIED EXTERNALLY); on Windows this is how domain logins reach the database.
- Network authentication – Oracle relies on an external network service such as an LDAP directory or Kerberos (users created as IDENTIFIED GLOBALLY, Oracle's Enterprise User Security). Oracle's directory offering for this is Oracle Directory Services Plus.
The solution for providing Active Directory authentication to an Oracle database is Oracle Directory Services Plus. It includes both Oracle Internet Directory and Oracle Virtual Directory, and either can serve as the directory the database authenticates against. Both are described below.
Oracle Internet Directory
This approach uses Oracle Internet Directory (OID) to perform authentication at the database level. The Active Directory users and groups are synchronized into OID, so OID holds its own copy of them.
In this solution, the user logs in to ArcGIS with a domain account that Active Directory verifies. When ArcGIS then connects to Oracle, the database authenticates the same user against OID, which works because the AD users and groups have been synchronized into OID and mapped there to Oracle schemas and roles. One caveat follows from the copy: an account disabled in AD remains valid for database login until the next synchronization run, so the sync interval is a security setting, not just a performance one.
Oracle Virtual Directory
This option employs Oracle Virtual Directory (OVD) to present a virtual, LDAP-compatible directory server that the database uses for authentication. The main difference from OID is that OVD does not copy anything: it creates a view of Active Directory and forwards the database's lookups and binds to AD in real time. When the user's credentials are verified through OVD, it is Active Directory that actually verifies them, so there is nothing to synchronize and an account disabled in AD is rejected by the database immediately.
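As an added example (not part of the original post), the three authentication types listed under The Solution expressed as Oracle DDL, followed by two checks a DBA would run after wiring up OID or OVD as described above: an audit of accounts that still carry a local database password, and a session-level check that a directory-authenticated user really arrived via the directory. The schema names, the domain GISDOMAIN, and the DN under dc=example,dc=com are placeholders.

```sql
-- Added example, not from the original post. Schema names, the domain
-- GISDOMAIN and the DN under dc=example,dc=com are placeholders.

-- 1. Database authentication: the password verifier is stored in Oracle
--    itself and is governed by the database profile, not by AD policy.
CREATE USER gis_local IDENTIFIED BY "Replace-Me-Before-Use-1";

-- 2. Operating system authentication: Oracle trusts the identity the OS
--    already established. With Windows native authentication the external
--    name is DOMAIN\USER; this assumes os_authent_prefix is set to ''.
CREATE USER "GISDOMAIN\GISUSER" IDENTIFIED EXTERNALLY;

GRANT CREATE SESSION TO gis_local, "GISDOMAIN\GISUSER";

-- 3. Network (directory) authentication: an enterprise user mapped to a
--    directory entry through Enterprise User Security. The directory the
--    database talks to is OID, or OVD presenting a view of AD.
CREATE USER gis_enterprise
  IDENTIFIED GLOBALLY AS 'cn=gisuser,cn=Users,dc=example,dc=com';

-- An enterprise (global) role: membership is granted in the directory,
-- so group changes in AD decide what the user may do in the database.
CREATE ROLE gis_editor IDENTIFIED GLOBALLY;
GRANT CREATE SESSION TO gis_editor;

-- Audit: which accounts still depend on a password held in the database?
-- These are the ones outside the AD password policy and AD deprovisioning.
SELECT username, authentication_type, profile, account_status
  FROM dba_users
 WHERE authentication_type = 'PASSWORD'
   AND oracle_maintained = 'N'   -- 12c and later; drop this predicate on 11g
 ORDER BY username;

-- Check from inside a session: a directory-authenticated user reports a
-- *_GLOBAL authentication method and a non-null enterprise identity (the
-- directory DN). A plain 'PASSWORD' here means the local password path
-- is still being used.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')          AS sess_user,
       SYS_CONTEXT('USERENV', 'AUTHENTICATION_METHOD') AS auth_method,
       SYS_CONTEXT('USERENV', 'ENTERPRISE_IDENTITY')   AS ent_identity
  FROM dual;
```

Run the audit query periodically: any GIS account that still shows AUTHENTICATION_TYPE = 'PASSWORD' after the directory integration is live is a leftover second credential of exactly the kind the integration was meant to remove.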
The diagram below depicts Oracle Directory Services Plus graphically:
What do you think?