Centrally Managed User CMU Authentication Fails ORA-28044: unsupported directory type ORA-12638: Credential retrieval failed
(Doc ID 2507340.1)
Last updated on APRIL 17, 2023
Applies to:
Advanced Networking Option - Version 18.1.0.0.0 and later
Information in this document applies to any platform.
Symptoms
When setting up Centrally Managed Users (CMU) to authenticate through Microsoft Active Directory Kerberos, a user identified externally can connect with a Kerberos ticket obtained manually with okinit, but a user identified globally and mapped to an AD group cannot connect. The attempt fails with:
ORA-28044: unsupported directory type
ORA-12638: Credential retrieval failed
Changes
On Windows Server 2016
Followed the guide here on configuring CMU:
https://docs.oracle.com/en/database/oracle/oracle-database/18/dbseg/integrating_mads_with_oracle_database.html#GUID-9739D541-FA9D-422A-95CA-799A4C6F488D
For Kerberos Authentication,
- Service Principal was created for oracle and keytab extracted and can connect using this keytab
- sqlnet.ora configured with
SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5)
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oracle
- OS_AUTHENT_PREFIX set to null
- User created IDENTIFIED EXTERNALLY AS .....
I can get a Kerberos ticket using okinit and can connect to the database this way, so I believe Kerberos auth is configured correctly.
For CMU,
- I have created dsi.ora as
DSI_DIRECTORY_SERVERS = (<host name>:<tcp port>:<tcps port>)
DSI_DIRECTORY_SERVER_TYPE = AD
- Created a wallet for the AD service account created for oracle, containing
Requested Certificates:
Subject: .............................
User Certificates:
Oracle Secret Store entries:
ORACLE.SECURITY.DN
ORACLE.SECURITY.PASSWORD
ORACLE.SECURITY.USERNAME
Trusted Certificates:
Subject:..................................
I am able to do an ldapbind using the wallet credentials.
- Set ldap parameters
ldap_directory_access = PASSWORD
ldap_directory_sysauth = YES
I encounter the error when trying to map a directory group to a global database user as:
CREATE USER <username> IDENTIFIED GLOBALLY AS 'CN=..............................';
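Before retrying the IDENTIFIED GLOBALLY mapping, it helps to confirm that the fragments listed above are at least internally consistent. The following pre-flight checker is an added example written for this page; it is not an Oracle tool and does not reproduce the document's Cause or Solution. It assumes the sqlnet.ora and dsi.ora parameters and the wallet secret store entry names exactly as listed in the Changes section; the host dc01.example.com and ports 389/636 are constructed sample values.

```python
import re

# Constructed sample fragments mirroring the Changes section (host and ports
# are placeholders, not values from the document).
SQLNET_ORA = """
SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5)
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oracle
"""
DSI_ORA = """
DSI_DIRECTORY_SERVERS = (dc01.example.com:389:636)
DSI_DIRECTORY_SERVER_TYPE = AD
"""
# Secret store entry names as listed for the wallet in the Changes section.
WALLET_ENTRIES = ["ORACLE.SECURITY.DN", "ORACLE.SECURITY.PASSWORD", "ORACLE.SECURITY.USERNAME"]
REQUIRED_WALLET_ENTRIES = ("ORACLE.SECURITY.DN", "ORACLE.SECURITY.PASSWORD", "ORACLE.SECURITY.USERNAME")
# dsi.ora server entry shape used in the document: (host:tcp port:tcps port)
SERVER_RE = re.compile(r"^\(([^:()\s]+):(\d+):(\d+)\)$")


def parse_ora(text):
    """Parse KEY = VALUE lines of a *.ora fragment; '#' starts a comment."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip().upper()] = value.strip()
    return params


def check_cmu_config(sqlnet_text, dsi_text, wallet_entries):
    """Return a list of findings; an empty list means the fragments are consistent."""
    findings = []
    sqlnet, dsi = parse_ora(sqlnet_text), parse_ora(dsi_text)
    if "KERBEROS5" not in sqlnet.get("SQLNET.AUTHENTICATION_SERVICES", "").upper():
        findings.append("sqlnet.ora: KERBEROS5 missing from SQLNET.AUTHENTICATION_SERVICES")
    if not sqlnet.get("SQLNET.AUTHENTICATION_KERBEROS5_SERVICE"):
        findings.append("sqlnet.ora: SQLNET.AUTHENTICATION_KERBEROS5_SERVICE not set")
    server_type = dsi.get("DSI_DIRECTORY_SERVER_TYPE", "")
    if server_type.upper() != "AD":
        findings.append("dsi.ora: DSI_DIRECTORY_SERVER_TYPE is %r, expected AD" % server_type)
    match = SERVER_RE.match(dsi.get("DSI_DIRECTORY_SERVERS", ""))
    if not match:
        findings.append("dsi.ora: DSI_DIRECTORY_SERVERS is not of the form (host:port:sslport)")
    elif not all(0 < int(p) < 65536 for p in match.group(2, 3)):
        findings.append("dsi.ora: DSI_DIRECTORY_SERVERS port out of range")
    for entry in REQUIRED_WALLET_ENTRIES:
        if entry not in wallet_entries:
            findings.append("wallet: secret store entry %s missing" % entry)
    return findings
```

Feed it the real file contents and the entry names reported for the wallet; any finding points at a fragment to re-check before looking further at the directory mapping itself.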
Cause