Re: ORA-12641: Authentication service failed to initalize

From: Peter Schneider <>
Date: Thu, 12 Nov 2015 17:20:10 +0100
Message-ID: <n22e7p$ld0$>

I would even dare to say that this was many, many suns ago ;-)

So don't hold your breath waiting for an answer.


Climb the mountain not to plant your flag, but to embrace the challenge,
enjoy the air and behold the view. Climb it so you can see the world,
not so the world can see you.                    -- David McCullough Jr.

Am 09.11.2015 um 15:27 schrieb

> Eric,
> I know that this was many, many moons ago, but I am now where you were then. Did you get these problems resolve, and if so, do you recall what the roadblocks were?
> Many thanks.
> On Monday, March 17, 2008 at 9:20:41 AM UTC-4, eric wrote:
>> On Mar 14, 3:14 pm, Frank van Bortel <>
>> wrote:
>>> eric wrote:
>>>> On Mar 7, 3:07 pm, Frank van Bortel <>
>>>> wrote:
>>>>> eric wrote:
>>>>>> i've already gone through the steps to obtain my ticket with ktpass,
>>>>>> and setup krb5.conf, krb.conf, and tnsnames.ora.
>>>>>> when i obtain my ticket (it appears to work -- no errors produced).
>>>>>> however, when i go to connect: sqlplus /_at_kb_oracle i get the following
>>>>>> error: ERROR: ORA-12641: Authentication service failed to initalize,
>>>>>> and get prompted to enter my password? anyone have any ideas??
>>>>>> thanks,
>>>>>> eric
>>>>> Check if you have the correct encryption mechanism; MS Windows 2000
>>>>> uses CRC by default, not MD5. MS Windows 2003 seems to use MD5
>>>>> by default, but better make sure. Oracle wants MD5.
>>>>> More options on, the "Kerberos errors"
>>>>> entry.
>>>>> If the encryption type is the cause, it should become visible
>>>>> when tracing.
>>>>> Just curious - why kerberos on Windows when OS authetication
>>>>> will work? Even AD for LDAP is supported on MS.
>>>>> --
>>>>> Regards,
>>>>> Frank van Bortel
>>>>> Top-posting in UseNet newsgroups is one way to shut me up
>>>> thanks. i'll have a look at that. here's what i was using for ktpass:
>>>> ktpass -princ oraclesrv/oracle11gtest.mydomain...._at_MYDOMAIN.COM -
>>>> DesOnly -crypto DES-CBC-CRC -ptype KRB5_NT_PRINCIPAL -mapuser
>>>> -pass {my password omitted} -out C:
>>>> \keytab.svcoracle
>>>> we wanted to test out something secure (i'm very light-skilled in dba-
>>>> stuff), and our "team" wanted to use kerberos. i'll ask them why we're
>>>> not using os authentication. do you have an article, or best practices
>>>> to point me in the right direction? (i'd check out your website), but
>>>> i'm at work -- and can't get to it.
>>>> eric
>>> You can do:
>>> klist -k -e -K -t FILE:/<keytab>
>>> to inspect what you actually got from the AD server
>>> (what ktpass produced).
>>> Get a ticket, using kinit -k -t <keytab>, and see
>>> what gives, using klist.
>>> klist -e will give you the encryption types.
>>> --
>>> Regards,
>>> Frank van Bortel
>>> Top-posting in UseNet newsgroups is one way to shut me up- Hide quoted text -
>>> - Show quoted text -
>> i tried klist with the syntax you described above, and it didn't work
>> (i get -- Usage: klist <tickets | tgt | purge>)
>> also, i'm still stuck on okinit oraclesrv/
>> it returns the error: okinit: client not found in kerberos database.
>> i'm going to try and set it up in a test lab today and see if i get a
>> different result.
Received on Thu Nov 12 2015 - 17:20:10 CET

Original text of this message