Resolving the ORA-12638 Error

 
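    Recently, SQL connections started failing with ORA-12638 for no apparent reason. It looked like a permissions problem, but nothing seemed to have been changed anywhere, which was puzzling. After searching online, I found that the fix is simple, but the main thing is to understand what the AUTHENTICATION_SERVICES parameter means, so I am recording it here.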
 
 
ORA-12638: credential retrieval failed tips 
Oracle Error Tips by Stephanie F. 
 
 
The Oracle docs note this on the ora-12638 error:
 
ORA-12638: Credential retrieval failed   
Cause: The authentication service failed to retrieve the credentials of a user. 
Action: Enable tracing to determine the exact error.
 
 
On the Oracle Technology Network Forums, a user is able to successfully resolve ORA-12638 after some help from repliers.  The original question was referring to a problem installing Oracle Designer, in which the user was thrown ORA-12638, when testing the connection, before the installation had even finished.

A replier pointed out to the user that ORA-12638 is "an Oracle database error, indicating that the Designer client was not able to connect to the database."

Sometimes ORA-12638 can be resolved by restarting the database services in cases where Oracle on Windows is being used, although for this user it was not helpful.
 
However, the following direction was given, and once administered, was a successful resolution to ORA-12638:
 
Please check the sqlnet.ora file. Change the following entry and try, this will work.
 
Original Entry - SQLNET.AUTHENTICATION_SERVICES= (NTS)
Modified Entry - SQLNET.AUTHENTICATION_SERVICES= (NONE) 
 
 
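    In terms of meaning, the value AUTHENTICATION_SERVICES= (NTS) applies only to Windows and means that Oracle logins can use either password authentication or OS authentication, whereas (NONE) supports password authentication only. Why setting it to NTS causes a login error is a more complicated question; see the discussion in the following blog post: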
 
 
*******************************************************************
 
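    A while ago I installed a test database on a 2003 machine, and a colleague reported this error when connecting. I looked into it briefly but could not find the answer right away. Later I found that commenting out the SQLNET.AUTHENTICATION_SERVICES entry in the database's SQLNET.ORA file got rid of the error, but I could not explain the actual cause, and leaving the problem unresolved kept nagging at me. A couple of days ago I remembered the problem and searched Google, and found a post on ITPUB saying that deleting the client's SQLNET.ORA file would be enough. I tried it, and it was. But the author of that post could not explain the cause either. I then asked on MetaLink, and Oracle's technical staff gave me two articles to read first. Only after reading them and running tests did I understand, and I came away with a deeper understanding of NTS authentication.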
 
Analysis of the ORA-12638 error
 
Site(A, Server): Windows 2003 (already promoted to a domain controller), oracle9206 (opatch5)
Site(B, Client): Windows environment (2000, 2003), Oracle database or client
 
Both Site(A) and Site(B) have a sqlnet.ora file under the oracle\network\admin directory.
Both files contain this entry: SQLNET.AUTHENTICATION_SERVICES= (NTS)
 
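Symptom 1: When Site(B) logs on to the machine with a domain identity (a domain different from Site(A)'s domain), and the sqlnet.ora files on both Site(A) and Site(B) contain the SQLNET.AUTHENTICATION_SERVICES entry, the following occurs: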
 
SQL> connect scott/1@lenovo 
ERROR:
ORA-12638: Credential retrieval failed
 
Warning: You are no longer connected to ORACLE.
SQL>
 
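Symptom 2: At this point, if the SQLNET.AUTHENTICATION_SERVICES entry in the sqlnet.ora file on the client Site(B) is either commented out (#SQLNET.AUTHENTICATION_SERVICES= (NTS)) or set to SQLNET.AUTHENTICATION_SERVICES= (NONE), the connection to the database succeeds in both cases: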
SQL> connect scott/1@lenovo 
Connected.
 
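Symptom 3: When the client Site(B) logs on with a local machine identity, then regardless of whether the entry in Site(B)'s sqlnet.ora is SQLNET.AUTHENTICATION_SERVICES = (NTS), commented out (#SQLNET.AUTHENTICATION_SERVICES= (NTS)), or SQLNET.AUTHENTICATION_SERVICES= (NONE), the connection to the database succeeds: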
SQL> connect scott/1@lenovo 
Connected.
 
 
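Cause: Site(A) is a domain controller (vsts.com). If Site(B) also logs on to the machine with a domain identity, and both Site(A) and Site(B) use operating system authentication (NTS), then a trust relationship must be established between the two sides; otherwise one side must not use NTS authentication. For example:
SQLNET.AUTHENTICATION_SERVICES=NONE or #SQLNET.AUTHENTICATION_SERVICES=***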
 
Oracle's explanation is as follows:

Either create trust between the two domains or change the client or server SQLNET.AUTHENTICATION_SERVICES such that NTS is not negotiated in the connection handshake. NTS is only negotiated if both client and server have SQLNET.AUTHENTICATION_SERVICES set to NTS.
 
i.e. SQLNET.AUTHENTICATION_SERVICES=NONE
 
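Solutions:
1. Establish a trust relationship between the two domains (I did not test this method).
2. In the sqlnet.ora on the database or the client, set SQLNET.AUTHENTICATION_SERVICES=NONE or comment the entry out (#SQLNET.AUTHENTICATION_SERVICES).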
 
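Because this is a production environment, I could not set up a trust relationship between the two domains and then test it, unfortunately!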
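
The rule quoted above (NTS is negotiated only when both sqlnet.ora files list it) can be checked before a connection is attempted. The following is an added example, not code from the original post or from Oracle: it reads the two files' text and reproduces the three symptoms. The function names, the 'domain'/'local' labels and the sample file contents are assumptions made for illustration, and only single-line entries are handled.

```python
import re

PARAM = "SQLNET.AUTHENTICATION_SERVICES"

def auth_services(sqlnet_ora_text):
    """Services named by the last uncommented SQLNET.AUTHENTICATION_SERVICES
    entry; an empty set when the entry is absent or commented out."""
    services = set()
    for raw in sqlnet_ora_text.splitlines():
        line = raw.split("#", 1)[0]                # '#' starts a comment
        name, sep, value = line.partition("=")
        if sep and name.strip().upper() == PARAM:
            # Accepts "(NTS)", "(BEQ, NTS)" and the bare "NONE" form.
            services = {v.upper() for v in re.findall(r"\w+", value)}
    return services

def nts_negotiated(client_text, server_text):
    """Per the Oracle note: NTS is negotiated only if both sides list it."""
    return ("NTS" in auth_services(client_text)
            and "NTS" in auth_services(server_text))

def ora_12638_expected(client_text, server_text, client_logon, domains_trusted):
    """Model of the page's three symptoms. client_logon is 'domain' or
    'local' (hypothetical labels); domains_trusted says whether the client's
    domain and the server's domain trust each other."""
    return (nts_negotiated(client_text, server_text)
            and client_logon == "domain"
            and not domains_trusted)

# Constructed sample files (not taken from a real system).
SERVER = "SQLNET.AUTHENTICATION_SERVICES= (NTS)\n"
CLIENT_NTS = "sqlnet.authentication_services = (NTS)\n"
CLIENT_COMMENTED = "#SQLNET.AUTHENTICATION_SERVICES= (NTS)\n"
CLIENT_NONE = "SQLNET.AUTHENTICATION_SERVICES= (NONE)\n"

if __name__ == "__main__":
    cases = [("symptom 1", CLIENT_NTS, "domain"),
             ("symptom 2, commented out", CLIENT_COMMENTED, "domain"),
             ("symptom 2, NONE", CLIENT_NONE, "domain"),
             ("symptom 3", CLIENT_NTS, "local")]
    for label, client, logon in cases:
        fails = ora_12638_expected(client, SERVER, logon, domains_trusted=False)
        print(f"{label}: {'ORA-12638 expected' if fails else 'connects'}")
```

Changing only the client's file already stops NTS from being negotiated, which leaves the server's own SQLNET.AUTHENTICATION_SERVICES setting as it was.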