I'm pretty new on Oracle but I'm trying to configure Kerberos to realize SSO on Oracle in a mixed environment, shortly:

- Windows REALM, implemented as standard Domain, based on Win2000Srv Domain Controller acting as KDC, and using Active Directory as credential store.

- Win2000Pro or winXP as clients, with full Oracle 10g client software installed.

- Linux Suse 9.1 hosting the Oracle 10g RDBMS.

I think I've successfully configured Kerberos for interoperability on Oracle. In fact using the Oracle utility "okinit" on the XP client I get the ticket from the Win2000Srv KDC, then typing:

- sqlplus /@service_name

I'm able to connect to the oracle instance running on Linux without provide any credential.

Of course this is not very useful for Single Sign On. What I would like to do is to use the initial tiket provided by the KDC, during the standard windows logon process, this way will avoid the need to launch the Oracle utility "okinit" and re-type the user password. But each time I use this tiket running "sqlplus /@service_name" I get

"ERROR:
ORA-12638: Credential retrieval failed"

The same happens if I try to use the MIT Kerberos utility "klist": I get a regular initial tiket but I'm not able to connect to Oracle server and I get the same error.

The Encryption type is forced to DES on Active directory for all the involved users, because this is the one used by Oracle for kerberos.

Does anyone know something about the problem? Am I doing some trivial error? Any Idea about the difference between the tikets got with OKINIT and KINIT?

I'm not able to find any resource on the matter apart the standard Oracle advanced security guide, which don't mention nothing about the problem and some document basically derived from that.

Thanks in advance for every help and suggestion!

Gianni