SQLNET.FALLBACK_AUTHENTICATION does not work when the Database Server is the failure point
(Doc ID 2865374.1)
Last updated on JULY 20, 2024
Applies to:
Oracle Database - Enterprise Edition - Version 11.2.0.4 and laterInformation in this document applies to any platform.
Symptoms
You have Kerberos Authentication configured and working.
You also have the SQLNET.FALLBACK_AUTHENTICATION set to TRUE (default is FALSE).
The configuration setting are:
Client:
SQLNET.AUTHENTICATION_SERVICES = (KERBEROS5PRE,ALL)
SQLNET.FALLBACK_AUTHENTICATION=TRUE
Server:
SQLNET.AUTHENTICATION_SERVICES=(BEQ,KERBEROS5,KERBEROS5PRE)
SQLNET.FALLBACK_AUTHENTICATION=TRUE
Kerberos authenticated users are set to use an external user account while password based authentication is using a different database account.
Now you are testing FALLBACK of the Authentication from Kerberos to Password Authentication.
You do this by intentionally setting an invalid keytab file on the Database side such and setting the service principle name to not match the actual server hostname.
However, the client connection does NOT fallback to password authentication and instead fails with an error:
Changes
You are testing SQLNET.FALLBACK_AUTHENTICATION or you have a failure with Kerberos at the Database level.
Cause
To view full details, sign in with your My Oracle Support account. |
|
Don't have a My Oracle Support account? Click to get started! |
In this Document
Symptoms |
Changes |
Cause |
Solution |
References |