I'll say up front that this is going to be a long post because I plan on explaining my situation and what I've tried up front. It requires some explanation of how our application is secured since that appears to be interfering with SSIS being able to connect.
First the background scenario.
My company writes software that can use MS SQL or Oracle as the back end. I've begun work on an initiative to extract data to a star schema prior to purge in an attempt to improve reporting and analysis available to our customers. Initial plan is to use MS SQL Integration/Analysis/Reporting services for this. Even for our Oracle customers.
The problem symtoms.
I'm attempting to get a connection to Oracle with either an OLE DB or .Net provider. I've tried all available and get a ORA-12638: Credential retrieval failed error on all of them. I validate that a development username and password work using both SQL*Plus and Toad so troubleshooting begins. After some research I find that if I change my line for SQLNET.AUTHENTICATION_SERVICES in my sqlnet.ora file on the server from NTS to NONE that I can now get a connection with the SSIS Connection Manager.
The problem is, our application is secure and having this value set to NONE will never happen in production. I don't use it in dev or qa either. I also found that once I set this to none I could no longer connect with integrated security (EXTERNAL in Oracle speak) with Toad.
How our application is secured and why.
When setting up our application with Oracle as the back end we create only two users. One is the schema and owns all objects. It can't even log into the server though. The other is an external user. This users only rights are to log on and membership in a role. The role can execute stored procedures and nothing more. The application server services for our software run under the username of the external user in Oracle. That way we can use integrated security and no usernames or passwords are hard coded anywhere. Using an external user allows us to have our Windows application server work correctly with Oracle regardless of the OS that is hosting Oracle. This has made it easy on my developers since they just code for using integrated security and we have nearly identical data abstraction layers for both MS SQL and Oracle.
I've tried using the Integrated Security = True option in the .Net provider and still get the same error. I've tried passing / as the username and get the same error. I have a regular Oracle username/password in dev and qa environments that I provide the developers. It has more rights that the external user the services runs under so they can investigate what is happening behind the scenes. It works with Toad and SQL*Plus. When I use it in SSIS CM I get the same error message.
How do you use integrated security with Oracle from SSIS? I don't want to have to tell my boss that SSIS won't work for our Oracle customers.
Which Oracle driver are you using? The Oracle OLE driver, or the Microsoft OLE DB for Oracle?|||I've tried the Microsoft OLE DB Provider for Oracle, the Oracle Provider for OLE DB, and the .Net OracleClient Data Provider. The .Net driver is the only one that has an Integrated Security setting in the Connection Manager GUI. Normally with Oracle if I want to use integrated security I pass in a / for the User ID. If connecting with something like SQL*Plus I would use something like /@.TNSName or possibly /@.TNSName as sysdba if the user is a sysdba on the Oracle instance.
No comments:
Post a Comment