KERBEROS CONNECTIONS ERROR WITH 1017 WHEN SEPS IS CONFIGURED
(Doc ID 2377029.1)
Last updated on MARCH 12, 2021
Applies to:Advanced Networking Option - Version 22.214.171.124 to 126.96.36.199 [Release 11.2 to 12.2]
Information in this document applies to any platform.
When a Kerberos client is on a system that has SEPS (secure external password store) configured an outbound Kerberos connection will error with 1017. When SEPS is disabled outbound Kerberos connections work fine. This tends to happen when the Kerberos client is running out of a database home and that database has local running jobs that depend on SEPS. A workaround for the Kerberos client in that situation is to use a client sqlnet.ora that does not have SEPS configured. The more serious aspect of this incompatibility is a dblink that uses Kerberos credentials. In that situation a Kerberos client would connect to a source database and invoke a dblink, the server then creates an outbound Kerberos connection to a remote target server. That outbound attempt then fails with a 1017 error if SEPS is configured. If you disable SEPS on the source server then Kerberos dblinks work fine.
select user from dual@<linkname>;
select user from dual@<linkname>
ERROR at line 1:
ORA-01017: invalid username/password; logon denied
ORA-02063: preceding line from TARGET
To view full details, sign in with your My Oracle Support account.
Don't have a My Oracle Support account? Click to get started!
In this Document