Connect / As Sysdba with NTS adapter fails due to username in UPN (Doc ID 562990.1)

Last updated on JANUARY 24, 2017

Applies to:

Oracle Database - Enterprise Edition - Version 9.2.0.8 to 11.2.0.2 [Release 9.2 to 11.2]
Oracle Database - Enterprise Edition - Version 11.2.0.4 to 11.2.0.4 [Release 11.2]
Information in this document applies to any platform.
Checked for relevance on 03-Jan-2014


Symptoms

On Windows when using the NTS authentication adapter by setting sqlnet.ora parameter

SQLNET.AUTHENTICATION_SERVICES = (NTS)

(this is the default and recommended setting) you get the following errors:

ORA-12638: Credential retrieval failed

ORA-12631: Username retrieval failed

When the sqlnet tracing is enabled at level 16 using sqlnet.ora trace parameter

TRACE_LEVEL_SERVER = 16

the following specific error can be seen in the resulting trace file:

 

[10-APR-2008 12:01:21:285] naun5validate: entry
[10-APR-2008 12:01:21:285] naun5validate: driver state is 1
[10-APR-2008 12:01:21:285] nacomrp: entry
[10-APR-2008 12:01:21:285] nacomrp: exit
[10-APR-2008 12:01:21:285] nacomrp: entry
[10-APR-2008 12:01:21:285] nacomrp: exit
[10-APR-2008 12:01:21:285] naun5validate: SSPI: 0x80090308 error in AcceptSecurityContext
[10-APR-2008 12:01:21:285] naun5validate: exit
[10-APR-2008 12:01:21:285] naunval: exit
[10-APR-2008 12:01:21:285] nau_scn: credential validation function failed
[10-APR-2008 12:01:21:285] nacomsd: entry
[10-APR-2008 12:01:21:285] nacomfsd: entry
[10-APR-2008 12:01:21:285] nacomfsd: exit
[10-APR-2008 12:01:21:285] nacomsd: exit
[10-APR-2008 12:01:21:285] nau_scn: failed with error 12631
[10-APR-2008 12:01:21:285] nau_scn: exit
[10-APR-2008 12:01:21:285] na_csrd: failed with error 12631
[10-APR-2008 12:01:21:285] na_csrd: exit
[10-APR-2008 12:01:21:285] nacomer: error 12631 received from authentication service
[10-APR-2008 12:01:21:285] nacomer: failed with error 12631


The interpretation of the above is the AcceptSecurityContext Windows API called by the Oracle module naun5validate throws the error 'SSPI: 0x80090308' which means SEC_E_INVALID_TOKEN.

Changes

 The Oracle service was changed from the default which is to run as LocalSystem.

Cause

Sign In with your My Oracle Support account

Don't have a My Oracle Support account? Click to get started

My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms