My Oracle Support Banner

ORA-1017 with "sqlplus / as sysdba" on Windows when AES*_SHA1 is selected for Kerberos and Network Security (Windows settings) (Doc ID 2787121.1)

Last updated on JUNE 27, 2021

Applies to:

Oracle Database - Enterprise Edition - Version 12.2.0.1 and later
Information in this document applies to any platform.

Symptoms

You may find the following happens (and only observed at this time on Windows 2016 with Oracle 12.2.0.1):


1. Migration to a new server (as an example, Microsoft Windows 2016), using the following method:

a) Win2016 setup groups via computer management including ora_dba
b) Install 12.2.0.1 Enterprise Edition software then apply APR2021 (Patches DB 32392089, JDK 32494298, OJVM 32427674)
c) Create service on Win2016 server - password required mixed case, number, special character
d) Set Logon to Active Directory OS Account
e) Run Command (DOS) Prompt as administrator.
f) Running "sqlplus / as sysdba" renders error:
   ORA-01017: invalid username/password; logon denied.

2. However, connecting using the password works:
    sqlplus sys/<pwd>@<alias> as sysdba

* This can cause issues if you need to run datapatch or CRS commands which use OS Authentication.


3. Configuration of OS Authentication was done using the directions in:
  a) WIN: OS Authentication - CONNECT AS SYSDBA Without a Password (Doc ID 77665.1)
  b) Authentication of Database Administrators by Using the Operating System
  c) Creating Oracle Home User

4. Configuration files:
sqlnet.ora -->
SQLNET.AUTHENTICATION_SERVICES = (NONE)
SQLNET.NO_NTLM=TRUE
#SQLNET.NO_NTLM=FALSE









Changes

 Installation of Oracle on a new Windows Server.

Cause

To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!


In this Document
Symptoms
Changes
Cause
Solution


My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.