
12cR2: ORA-28040: No Matching Authentication Protocol (Doc ID 1957995.1)

2017-12-14 13:57

Applies to:

Oracle Net Services - Version 12.1.0.1 to 12.2.1.2.0 [Release 12.1 to 12.2]

Oracle Database - Enterprise Edition - Version 12.2.0.1 to 12.2.0.1 [Release 12.2]

Oracle Database - Enterprise Edition - Version 12.1.0.2 to 12.1.0.2 [Release 12.1]

Oracle Database - Standard Edition - Version 12.2.0.1 to 12.2.0.1 [Release 12.2]

Information in this document applies to any platform.

Symptoms

Following an upgrade to the version 12c database, the following errors are thrown when attempting to connect from remote clients:

ORA-28040: No matching authentication protocol exception

Changes

 This is a new installation of the version 12 database.

Cause

This issue is caused by the default setting for allowed logon version in the 12 database.

Note that the SQLNET.ALLOWED_LOGON_VERSION parameter has been deprecated in 12c.

That parameter has been replaced by these:

SQLNET.ALLOWED_LOGON_VERSION_SERVER=n

SQLNET.ALLOWED_LOGON_VERSION_CLIENT=n

Version 12.1:

The default setting for the new parameters is 11. Any client that attempts to connect must be at version 11 or higher unless these parameters are explicitly set in the server-side sqlnet.ora file.

Version 12.2 note:

The default for the SQLNET.ALLOWED_LOGON_VERSION_SERVER setting has changed in 12.2 from 11 to 12.

See: https://docs.oracle.com/database/122/DBSEG/configuring-authentication.htm#DBSEG33223

Important note for 12.2: Unless your client is at least 11.2.0.3 or includes the CPUOCT2012 patch, you will not be able to use the 12 setting.

Typically, the sqlnet.ora file that would be referenced by the database is located in RDBMS_HOME/network/admin.

Solution

Set these parameters at the lowest version level that is required in your environment. 

For example: All clients at version 10 or higher would require this setting:

SQLNET.ALLOWED_LOGON_VERSION_SERVER=10

SQLNET.ALLOWED_LOGON_VERSION_CLIENT=10

Note that SQLNET.ALLOWED_LOGON_VERSION_CLIENT would be necessary on the server when the database is 'acting' as a client, such as in the case of a database link.

There is no need to restart either the listener or the database after this change. See additional notes below.
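To see what a given sqlnet.ora actually allows after such a change, the following added example (not part of the Oracle note) parses the file content, applies the 12.1/12.2 defaults stated above, and reports the deprecated parameter and any value set below the release default. The function name, the sample file, and the assumption that the client default is 11 in both releases are illustrative.

```python
import re

# Allowed values in increasing strictness (8 through 12a).
ORDER = ["8", "9", "10", "11", "12", "12a"]
# Defaults as stated in the note; client default assumed to be 11 for both releases.
DEFAULTS = {"12.1": {"SERVER": "11", "CLIENT": "11"},
            "12.2": {"SERVER": "12", "CLIENT": "11"}}
PARAM = re.compile(
    r"^\s*SQLNET\.ALLOWED_LOGON_VERSION(?:_(SERVER|CLIENT))?\s*=\s*(\w+)", re.I)

def audit_sqlnet(text, release):
    """Return (effective settings, findings) for sqlnet.ora content."""
    effective = dict(DEFAULTS[release])
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = PARAM.match(line.split("#", 1)[0])  # ignore trailing comments
        if not m:
            continue
        side, value = (m.group(1) or "").upper(), m.group(2).lower()
        if not side:
            findings.append(
                f"line {lineno}: SQLNET.ALLOWED_LOGON_VERSION is deprecated in 12c")
            continue
        if value not in ORDER:
            findings.append(f"line {lineno}: unrecognised value {value!r}")
            continue
        effective[side] = value
    # Flag anything that was lowered below the release default.
    for side, value in effective.items():
        default = DEFAULTS[release][side]
        if ORDER.index(value) < ORDER.index(default):
            findings.append(f"{side}: {value} is below the {release} default "
                            f"{default}; older logon protocol versions are accepted")
    return effective, findings

# Constructed sample file, not taken from a real system.
SAMPLE = """\
# sqlnet.ora in RDBMS_HOME/network/admin
SQLNET.ALLOWED_LOGON_VERSION=10
sqlnet.allowed_logon_version_server = 10   # legacy clients
SQLNET.ALLOWED_LOGON_VERSION_CLIENT=11
"""

if __name__ == "__main__":
    settings, notes = audit_sqlnet(SAMPLE, "12.2")
    print(settings)
    print("\n".join(notes))
```

Run it against the sqlnet.ora that the database really reads (see Important Notes, item 1), since a file in another home has no effect.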

See the following reference for more information about these settings.
https://docs.oracle.com/database/121/NETRF/sqlnet.htm#NETRF2010

 

Important Notes: 

1) By default, the sqlnet.ora file that is referenced by the database is located in RDBMS_HOME/network/admin. The database will not read the sqlnet.ora file in GRID_HOME/network/admin unless TNS_ADMIN is explicitly set to point there.

2) While the version 12 documentation shows settings for this parameter as low as 8, this does not override the rules of Interoperability or Certification. See the following:

Note 207303.1 Client / Server Interoperability Support Matrix for Different Oracle Versions.

In other words, setting the SQLNET.ALLOWED_LOGON_VERSION_SERVER parameter to 8, 9 or 10 does not mean that version of client is going to be fully supported by Oracle Support.

3)  Occasionally, we find it is necessary to restart the cluster in a RAC environment.  This is atypical but may be necessary. Check the ENV at srvctl and confirm if $TNS_ADMIN is set.


 

Important change in version 12.2:

The default value is 12 or 12a. Note the following implications of setting the value to 11 or 12:

The setting SEC_CASE_SENSITIVE_LOGON=FALSE must not be used. If it is set as FALSE, then user accounts and secure roles become unusable. The SEC_CASE_SENSITIVE_LOGON initialization parameter enables or disables case sensitivity for passwords.

To take advantage of the password protections introduced in Oracle Database 11g, users must change their passwords.

See also: 

Note 2075401.1 The new Exclusive Mode default for password-based authentication in Oracle 12.2 conflicts with case-insensitive password configurations. All user login fails with ORA-1017 after upgrade to 12.2

https://docs.oracle.com/database/122/NETAG/configuring-profiles.htm#NETAG091