
What is the correct SQLNET.AUTHENTICATION_SERVICES setting to use with Kerberos. Is it KERBEROS5 or

Mblixter, Jun 7 2017 — edited Dec 11 2017

Trying to set up Oracle 12c to use Kerberos and I'm having some problems getting the steps in the documentation to work.

In https://docs.oracle.com/database/121/DBSEG/asokerb.htm#DBSEG060 it is stated to set "SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5)" and "SQLNET.KERBEROS5_CC_NAME=OSMSFT:". But doing so results in an error when trying to connect using SQLPLUS:

**************************************************************************
(5848) [07-JUN-2017 12:23:39:997] nauztk5ainit: Configuration name is  "C:\TMP\krb5.conf"
(5848) [07-JUN-2017 12:23:39:997] nauztk5ainit: Credential Cache Pathname is  "OSMSFT:"
(5848) [07-JUN-2017 12:23:39:997] nauztk5ainit: Error code for Client Initialization "4"
(5848) [07-JUN-2017 12:23:39:997] nauztk5ainit: ZTK Context after initialization "00000000002FF240"
(5848) [07-JUN-2017 12:23:39:997] nauztk5ainit: ztk_client_init_context() failed.
(5848) [07-JUN-2017 12:23:39:997] nauztk5ainit: Internal Kerberos error for client init "Unknown credential cache type"
(5848) [07-JUN-2017 12:23:39:997] nauztk5ainit: failed
(5848) [07-JUN-2017 12:23:39:997] nauztk5ainit: exit
(5848) [07-JUN-2017 12:23:39:997] nau_gse: service initialization function failed
(5848) [07-JUN-2017 12:23:39:997] nau_gse: failed with error 12641
**************************************************************************

Changing "SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5)" to "SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5PRE)" makes it work and I can connect using SQLPLUS and Kerberos.

However, here ("Parameters for the sqlnet.ora File") it's mentioned to use "SQLNET.KERBEROS5_CC_NAME=MSLSA", but that also fails:

**************************************************************************
(5196) [07-JUN-2017 12:26:40:833] nauztk5ainit: Configuration name is  "C:\TMP\krb5.conf"
(5196) [07-JUN-2017 12:26:40:833] nauztk5ainit: Credential Cache Pathname is  "MSLSA"
(5196) [07-JUN-2017 12:26:40:849] nauztk5ainit: Error code for Client Initialization "4"
(5196) [07-JUN-2017 12:26:40:849] nauztk5ainit: ZTK Context after initialization "000000000033F240"
(5196) [07-JUN-2017 12:26:40:849] nauztk5ainit: ztk_client_init_context() failed.
(5196) [07-JUN-2017 12:26:40:849] nauztk5ainit: Internal Kerberos error for client init "No credentials cache found"
(5196) [07-JUN-2017 12:26:40:849] nauztk5ainit: failed
(5196) [07-JUN-2017 12:26:40:849] nauztk5ainit: exit
(5196) [07-JUN-2017 12:26:40:849] nau_gse: service initialization function failed
(5196) [07-JUN-2017 12:26:40:849] nau_gse: failed with error 12641
**************************************************************************

Changing it to "SQLNET.KERBEROS5_CC_NAME=MSLSA:" (added a colon at the end) makes it work and I can connect using SQLPLUS and Kerberos.

Questions:

- What is the correct setting for "SQLNET.KERBEROS5_CC_NAME" for 12c and 11g2? Is it "MSLSA:" or "OSMSFT:", and what's the difference between the two?

- What is the correct setting for "SQLNET.AUTHENTICATION_SERVICES" for 12c and 11g2? Is it KERBEROS5 or KERBEROS5PRE, and what's the difference between the two?

Any ideas?

Locked on Jan 8 2018
Added on Jun 7 2017
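
A small triage script for the trace failures quoted in the post above, as an added example that is not part of the original post and not Oracle tooling: it groups the Kerberos adapter lines by the parenthesised id and extracts the credential cache name, the internal Kerberos error and the final error number. The field names, the `summarize` function and the trailing-colon flag are assumptions made for this example; the flag only mirrors what the poster observed.

```python
import re
from collections import defaultdict

# Line shape as seen in the post: (id) [timestamp] function: message
LINE = re.compile(r'^\((\d+)\)\s+\[[^\]]+\]\s+(\w+):\s+(.*)$')
QUOTED = re.compile(r'^(.*?)\s+"(.*)"$')

# Message prefix -> field name (field names are this example's own)
FIELDS = {
    "Configuration name is": "krb5_conf",
    "Credential Cache Pathname is": "cc_name",
    "Error code for Client Initialization": "init_code",
    "Internal Kerberos error for client init": "krb_error",
}

def summarize(trace_text):
    """Return {id: summary} for the Kerberos adapter lines in a trace."""
    sessions = defaultdict(dict)
    for raw in trace_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # separators, blank lines, unrelated output
        sid, func, msg = m.groups()
        if func == "nauztk5ainit":
            q = QUOTED.match(msg)
            if q and q.group(1) in FIELDS:
                sessions[sid][FIELDS[q.group(1)]] = q.group(2)
        elif func == "nau_gse":
            e = re.search(r"failed with error (\d+)", msg)
            if e:
                sessions[sid]["net_error"] = int(e.group(1))
    for s in sessions.values():
        # Mirrors the poster's observation only: the value that worked ended in ":"
        s["cc_has_trailing_colon"] = s.get("cc_name", "").endswith(":")
    return dict(sessions)

# Lines copied from the two traces in the post (abridged)
SAMPLE = r'''
(5848) [07-JUN-2017 12:23:39:997] nauztk5ainit: Credential Cache Pathname is  "OSMSFT:"
(5848) [07-JUN-2017 12:23:39:997] nauztk5ainit: Internal Kerberos error for client init "Unknown credential cache type"
(5848) [07-JUN-2017 12:23:39:997] nau_gse: failed with error 12641
(5196) [07-JUN-2017 12:26:40:833] nauztk5ainit: Credential Cache Pathname is  "MSLSA"
(5196) [07-JUN-2017 12:26:40:849] nauztk5ainit: Internal Kerberos error for client init "No credentials cache found"
(5196) [07-JUN-2017 12:26:40:849] nau_gse: failed with error 12641
'''

if __name__ == "__main__":
    for sid, s in summarize(SAMPLE).items():
        print(sid, s)
```

Both attempts end in the same error 12641, so the useful distinction is the `krb_error` text paired with the `cc_name` value that produced it.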