
KERBEROS CONNECTIONS ERROR WITH 1017 WHEN SEPS IS CONFIGURED (Doc ID 2377029.1)

Last updated on JUNE 18, 2021

Applies to:

Advanced Networking Option - Version 11.2.0.4 to 12.2.0.1 [Release 11.2 to 12.2]
Information in this document applies to any platform.

Symptoms

When a Kerberos client runs on a system that has SEPS (Secure External Password Store) configured, an outbound Kerberos connection fails with error 1017. When SEPS is disabled, outbound Kerberos connections work fine. This tends to happen when the Kerberos client runs out of a database home and that database has locally running jobs that depend on SEPS. A workaround for the Kerberos client in that situation is to use a client sqlnet.ora that does not have SEPS configured.

The more serious aspect of this incompatibility is a dblink that uses Kerberos credentials. In that situation a Kerberos client connects to a source database and invokes a dblink, and the server then creates an outbound Kerberos connection to a remote target server. That outbound attempt fails with a 1017 error if SEPS is configured. If you disable SEPS on the source server, Kerberos dblinks work fine.

select user from dual@<linkname>;
select user from dual@<linkname>
*
ERROR at line 1:
ORA-01017: invalid username/password; logon denied
ORA-02063: preceding line from TARGET
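
To find which homes are exposed to this, one option is to check each sqlnet.ora for both features being enabled at once. The script below is an added example, not part of the Oracle note; it assumes SEPS is switched on with SQLNET.WALLET_OVERRIDE = TRUE and Kerberos with KERBEROS5 in SQLNET.AUTHENTICATION_SERVICES, and the sample file and wallet path are constructed.

```shell
#!/bin/sh
# Added example (not Oracle's code): classify a sqlnet.ora by whether it
# enables SEPS, Kerberos, or both, the combination this note reports as
# failing with ORA-01017 on outbound connections.

# Flatten the file to one upper-cased, whitespace-free parameter per line.
# Continuation lines start with whitespace; '#' starts a comment.
normalize_sqlnet() {
    sed 's/#.*$//' "$1" | awk '
        /^[ \t]*$/ { next }
        /^[ \t]/   { buf = buf $0; next }
                   { if (buf != "") print buf; buf = $0 }
        END        { if (buf != "") print buf }' |
        tr -d ' \t\r' | tr '[:lower:]' '[:upper:]'
}

# Prints: seps+kerberos | seps-only | kerberos-only | neither
classify_sqlnet() {
    flat=$(normalize_sqlnet "$1")
    seps=no
    krb=no
    if printf '%s\n' "$flat" | grep -q '^SQLNET\.WALLET_OVERRIDE=TRUE$'; then seps=yes; fi
    if printf '%s\n' "$flat" | grep -q '^SQLNET\.AUTHENTICATION_SERVICES=.*KERBEROS5'; then krb=yes; fi
    case "$seps/$krb" in
        yes/yes) echo "seps+kerberos" ;;
        yes/no)  echo "seps-only" ;;
        no/yes)  echo "kerberos-only" ;;
        *)       echo "neither" ;;
    esac
}

# Constructed sample: a database-home sqlnet.ora with both features enabled.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, paths are placeholders
WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY = /path/to/wallet)))
sqlnet.wallet_override = true
SQLNET.AUTHENTICATION_SERVICES = (BEQ, KERBEROS5)
EOF
echo "$sample: $(classify_sqlnet "$sample")"
rm -f "$sample"
```

A result of seps+kerberos marks a configuration where the separate client sqlnet.ora workaround described above applies.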

Changes

 NA

Cause


