My Oracle Support Banner

ORA-1017 with "sqlplus / as sysdba" on Windows when AES*_SHA1 is selected for Kerberos and Network Security (Windows settings) (Doc ID 2787121.1)

Last updated on APRIL 17, 2023

Applies to:

Oracle Database - Enterprise Edition - Version and later
Information in this document applies to any platform.


You may find the following happens (and only observed at this time on Windows 2016 with Oracle

1. Migration to a new server (as an example, Microsoft Windows 2016), using the following method:

a) Win2016 setup groups via computer management including ora_dba
b) Install Enterprise Edition software then apply APR2021 (Patches DB 32392089, JDK 32494298, OJVM 32427674)
c) Create service on Win2016 server - password required mixed case, number, special character
d) Set Logon to Active Directory OS Account
e) Run Command (DOS) Prompt as administrator.
f) Running "sqlplus / as sysdba" renders error:
   ORA-01017: invalid username/password; logon denied.

2. However, connecting using the password works:
    sqlplus sys/<pwd>@<alias> as sysdba

* This can cause issues if you need to run datapatch or CRS commands which use OS Authentication.

3. Configuration of OS Authentication was done using the directions in:
  a) WIN: OS Authentication - CONNECT AS SYSDBA Without a Password (Doc ID 77665.1)
  b) Authentication of Database Administrators by Using the Operating System
  c) Creating Oracle Home User

4. Configuration files:
sqlnet.ora -->


 Installation of Oracle on a new Windows Server.


To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

In this Document

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.