My Oracle Support Banner

SQLNET.FALLBACK_AUTHENTICATION does not work when the Database Server is the failure point (Doc ID 2865374.1)

Last updated on JULY 20, 2024

Applies to:

Oracle Database - Enterprise Edition - Version 11.2.0.4 and later
Information in this document applies to any platform.

Symptoms

You have Kerberos Authentication configured and working.

You also have the SQLNET.FALLBACK_AUTHENTICATION set to TRUE (default is FALSE).

The configuration setting are:

 Client:
 SQLNET.AUTHENTICATION_SERVICES = (KERBEROS5PRE,ALL)
 SQLNET.FALLBACK_AUTHENTICATION=TRUE

 Server:
 SQLNET.AUTHENTICATION_SERVICES=(BEQ,KERBEROS5,KERBEROS5PRE)
 SQLNET.FALLBACK_AUTHENTICATION=TRUE


 Kerberos authenticated users are set to use an external user account while password based authentication is using a different database account.


 Now you are testing FALLBACK of the Authentication from Kerberos to Password Authentication.
 You do this by intentionally setting an invalid keytab file on the Database side such and setting the service principle name to not match the actual server hostname.
 However, the client connection does NOT fallback to password authentication and instead fails with an error:







Changes

 You are testing SQLNET.FALLBACK_AUTHENTICATION or you have a failure with Kerberos at the Database level.

Cause

To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!


In this Document
Symptoms
Changes
Cause
Solution
References


My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.