I am configuring my Oracle 11g server to operate with Kerberos, with Windows Active Directory. The clients are Windows, which currently use normal username/password authentication. In the instructions, I must create the user accounts e.g. CREATE USER KRBUSER IDENTIFIED EXTERNALLY AS 'KerberosUser@EXAMPLE.COM';
I wanted the option to fall back to username/password authentication but I can't see how that can work, since by creating the account IDENTIFIED EXTERNALLY, the password field contains "EXTERNAL".
So I can only see this working by having two accounts for each user, one with username/password and the other is Kerberos.
Which means the FALLBACK_AUTHENTICATION does not automatically, I will need to include logic in the client to try to connect on the Kerberos account then if that fails try the old account.
Have I understood correctly or missed something ?