Re: ORA-12641: Authentication service failed to initalize

From: Frank van Bortel <>
Date: Fri, 14 Mar 2008 20:14:58 +0100
Message-ID: <64439$47daceb2$524b5c40$>

eric wrote:
> On Mar 7, 3:07 pm, Frank van Bortel <>
> wrote:

>> eric wrote:
>>> i've already gone through the steps to obtain my ticket with ktpass,
>>> and setup krb5.conf, krb.conf, and tnsnames.ora.
>>> when i obtain my ticket (it appears to work -- no errors produced).
>>> however, when i go to connect: sqlplus /@kb_oracle i get the following
>>> error: ERROR: ORA-12641: Authentication service failed to initalize,
>>> and get prompted to enter my password? anyone have any ideas??
>>> thanks,
>>> eric
>> Check if you have the correct encryption mechanism; MS Windows 2000
>> uses CRC by default, not MD5. MS Windows 2003 seems to use MD5
>> by default, but better make sure. Oracle wants MD5.
>> More options on, the "Kerberos errors"
>> entry.
>> If the encryption type is the cause, it should become visible
>> when tracing.
>> Just curious - why kerberos on Windows when OS authetication
>> will work? Even AD for LDAP is supported on MS.
>> --
>> Regards,
>> Frank van Bortel
>> Top-posting in UseNet newsgroups is one way to shut me up

> thanks. i'll have a look at that. here's what i was using for ktpass:
> ktpass -princ oraclesrv/oracle11gtest.mydomain.com_at_MYDOMAIN.COM -
> DesOnly -crypto DES-CBC-CRC -ptype KRB5_NT_PRINCIPAL -mapuser
> -pass {my password omitted} -out C:
> \keytab.svcoracle
> we wanted to test out something secure (i'm very light-skilled in dba-
> stuff), and our "team" wanted to use kerberos. i'll ask them why we're
> not using os authentication. do you have an article, or best practices
> to point me in the right direction? (i'd check out your website), but
> i'm at work -- and can't get to it.
> eric

You can do:
klist -k -e -K -t FILE:/<keytab>
to inspect what you actually got from the AD server (what ktpass produced).

Get a ticket, using kinit -k -t <keytab>, and see what gives, using klist.
klist -e will give you the encryption types.


Frank van Bortel

Top-posting in UseNet newsgroups is one way to shut me up
Received on Fri Mar 14 2008 - 14:14:58 CDT

Original text of this message