Home » RDBMS Server » Security » SQLNET.AUTHENTICATION_SERVICES = (NONE) ORA-01017 (Oracle 12.2, Windows2008R2)
SQLNET.AUTHENTICATION_SERVICES = (NONE) ORA-01017 [message #670681] Thu, 19 July 2018 06:42 Go to next message
sagar.sandbhor
Messages: 5
Registered: July 2018
Junior Member
Hi All,

I am trying to create the duplication of the database on Windows 2008R2. I had created ORGDB during installation of the Oracle 12.2.
See Properties of ORGDB -> security:
Administrator, OracleServiceORGDB is part of this.

When I am setting ORACLE SID to ORGDB, SQLNET.AUTHENTICATION_SERVICES = (NTS) or SQLNET.AUTHENTICATION_SERVICES = (NONE) I am able to connect to the DB.

remote_login_passwordfile='EXCLUSIVE'

I have created the pwd.ora file with a complex password(include a-z, A-Z, 0-9 and special char).
***************************************************************************************************
C:\Users\Administrator>set ORACLE_SID=ORGDB

C:\Users\Administrator>sqlplus

SQL*Plus: Release 12.2.0.1.0 Production on Thu Jul 19 16:52:27 2018

Copyright (c) 1982, 2016, Oracle. All rights reserved.

Enter user-name: sys as sysdba
Enter password:

Connected to:
Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production

SQL>
***************************************************************************************************

To recreate duplicate(MYDUP) the DB I have copied the datafile, created init.ora and created password file PWD$SID.ora.
I check the service created as NT SYSTEM\OracleService$SID

Check the properties of MYDUP->security:
Created with Administrator

When I set SQLNET.AUTHENTICATION_SERVICES = (NTS) I am able to connect to DUP DB sucessfully.

***************************************************************************************************
C:\Users\Administrator>set ORACLE_SID=MYDUP

C:\Users\Administrator>sqlplus

SQL*Plus: Release 12.2.0.1.0 Production on Thu Jul 19 16:52:27 2018

Copyright (c) 1982, 2016, Oracle. All rights reserved.

Enter user-name: sys as sysdba
Enter password:

Connected to:
Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production

SQL>
***************************************************************************************************

SQLNET.AUTHENTICATION_SERVICES = (NONE)
***************************************************************************************************
C:\Users\Administrator>set ORACLE_SID=MYDUP

C:\Users\Administrator>sqlplus

SQL*Plus: Release 12.2.0.1.0 Production on Thu Jul 19 16:56:13 2018

Copyright (c) 1982, 2016, Oracle. All rights reserved.

Enter user-name: sys as sysdba
Enter password:
ERROR:
ORA-01017: invalid username/password; logon denied


Enter user-name:
***************************************************************************************************

The MYDUP is created with NT SERVICE\OracleServiceMYDUP.

Here is my questions:
1. Do windows prefer NTS over NONE as Authentication service, does it recommended by Windows/Oracle?
2. if authentication set as NONE and it is connecting to ORGDB and why it is not connecting to MYDUP?
3. Is there any way I can connect to the MYDUP by providing administrator rights?
4. I even tried to add the user to the ora_dba but still unable to login to MYDUP. Could you please let me know what is missing here?


Help appreciated.

Thanks....
Re: SQLNET.AUTHENTICATION_SERVICES = (NONE) ORA-01017 [message #670682 is a reply to message #670681] Thu, 19 July 2018 09:29 Go to previous messageGo to next message
Michel Cadot
Messages: 68625
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator

1. Either can be used, it depends if the OS account is secure or not, if it is shared or not, and what is your security policy.
2. If NONE and EXCLUSIVE, password file is used, check it/them, verify you have the same password in both DB, maybe a typo when you created the second password file... (these are some avenues, others are possible). Have a look at McPwfile.
3. Which administrator rights are you talking? DB or OS? Question is not clear.
4. If authentication is set to NONE OS groups are not involved. They come into play only if authentication is NTS.

Re: SQLNET.AUTHENTICATION_SERVICES = (NONE) ORA-01017 [message #670683 is a reply to message #670682] Thu, 19 July 2018 10:47 Go to previous messageGo to next message
sagar.sandbhor
Messages: 5
Registered: July 2018
Junior Member
Hey Michel Thanks for replying,

1. Agree, I am currently login as Windows Administrator and have all rights to perform the operation.
2. I have cross check the password for both the DB and it is correct. As I login with NTS authentication on MYDUP.
3. Here I am talking about Windows Administrator rights and not DB.
4. Agree, in that case, it should allow to login with the same password of primary database.

I have check below parameters:
Computer Management->local User and Groups-> Groups->ora_dba
Administrator, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\SYSTEM

Also check OS DB Administrators-Computer:
Administrator, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\SYSTEM

Check the services:
OracleServiceMYDUP ->Started -> Manual->NT SERVICE\OracleServiceMYDUP10

During installation, I set Oracle Home user as Exiting Windows User(Administrator)

I read in some forum with Windows 2008r2 onwards uses Virtual Account. I am confused with OS and DB default user.
Provided above info, If I set authentication as NONE, what login credentials used in this case?

Administrator for OS is had ora_dba rights, then it is not allowing me to login for Duplicate DB.

-Thanks
Re: SQLNET.AUTHENTICATION_SERVICES = (NONE) ORA-01017 [message #670684 is a reply to message #670683] Thu, 19 July 2018 11:45 Go to previous messageGo to next message
John Watson
Messages: 8922
Registered: January 2010
Location: Global Village
Senior Member
I think that the group ora_dba is not enough when you using release 12: it applies only to pre-release 12 databases. See this, on my PC with two release 12 database ORacle Homes installed:
C:\Users\john>whoami -groups

GROUP INFORMATION
-----------------

Group Name                                                    Type             SID                                           Attributes
============================================================= ================ ============================================= ==================================================
Everyone                                                      Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114                                     Group used for deny only
jw\ORA_ASMADMIN                                               Alias            S-1-5-21-1889652306-443339906-4187214991-1017 Mandatory group, Enabled by default, Enabled group
jw\ORA_ASMDBA                                                 Alias            S-1-5-21-1889652306-443339906-4187214991-1014 Mandatory group, Enabled by default, Enabled group
jw\ORA_ASMOPER                                                Alias            S-1-5-21-1889652306-443339906-4187214991-1015 Mandatory group, Enabled by default, Enabled group
jw\ORA_CLIENT_LISTENERS                                       Alias            S-1-5-21-1889652306-443339906-4187214991-1010 Mandatory group, Enabled by default, Enabled group
jw\ora_dba                                                    Alias            S-1-5-21-1889652306-443339906-4187214991-1016 Mandatory group, Enabled by default, Enabled group
jw\ORA_GRID_LISTENERS                                         Alias            S-1-5-21-1889652306-443339906-4187214991-1008 Mandatory group, Enabled by default, Enabled group
jw\ORA_INSTALL                                                Alias            S-1-5-21-1889652306-443339906-4187214991-1005 Mandatory group, Enabled by default, Enabled group
jw\ORA_OPER                                                   Alias            S-1-5-21-1889652306-443339906-4187214991-1009 Mandatory group, Enabled by default, Enabled group
jw\ORA_OraDB12Home1_DBA                                       Alias            S-1-5-21-1889652306-443339906-4187214991-1006 Mandatory group, Enabled by default, Enabled group
jw\ORA_OraDB12Home1_OPER                                      Alias            S-1-5-21-1889652306-443339906-4187214991-1007 Mandatory group, Enabled by default, Enabled group
jw\ORA_OraDB12Home1_SYSBACKUP                                 Alias            S-1-5-21-1889652306-443339906-4187214991-1011 Mandatory group, Enabled by default, Enabled group
jw\ORA_OraDB12Home1_SYSDG                                     Alias            S-1-5-21-1889652306-443339906-4187214991-1012 Mandatory group, Enabled by default, Enabled group
jw\ORA_OraDB12Home1_SYSKM                                     Alias            S-1-5-21-1889652306-443339906-4187214991-1013 Mandatory group, Enabled by default, Enabled group
jw\ORA_OraDB12Home2_SYSBACKUP                                 Alias            S-1-5-21-1889652306-443339906-4187214991-1026 Mandatory group, Enabled by default, Enabled group
jw\ORA_OraDB12Home2_SYSDG                                     Alias            S-1-5-21-1889652306-443339906-4187214991-1027 Mandatory group, Enabled by default, Enabled group
jw\ORA_OraDB12Home2_SYSKM                                     Alias            S-1-5-21-1889652306-443339906-4187214991-1028 Mandatory group, Enabled by default, Enabled group
jw\ORA_OraGI12Home1_SYSBACKUP                                 Alias            S-1-5-21-1889652306-443339906-4187214991-1021 Mandatory group, Enabled by default, Enabled group
jw\ORA_OraGI12Home1_SYSDG                                     Alias            S-1-5-21-1889652306-443339906-4187214991-1022 Mandatory group, Enabled by default, Enabled group
jw\ORA_OraGI12Home1_SYSKM                                     Alias            S-1-5-21-1889652306-443339906-4187214991-1023 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                                        Alias            S-1-5-32-544                                  Group used for deny only
BUILTIN\Users                                                 Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                                      Well-known group S-1-5-4                                       Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                                                 Well-known group S-1-2-1                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users                              Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                                Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account                                    Well-known group S-1-5-113                                     Mandatory group, Enabled by default, Enabled group
LOCAL                                                         Well-known group S-1-2-0                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication                              Well-known group S-1-5-64-10                                   Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level                        Label            S-1-16-8192

C:\Users\john>
It is the group ORA_OraDB12Home1_DBA group that gives me SYSDBA capability to the databases running off that home.
Re: SQLNET.AUTHENTICATION_SERVICES = (NONE) ORA-01017 [message #670687 is a reply to message #670683] Thu, 19 July 2018 12:15 Go to previous messageGo to next message
Michel Cadot
Messages: 68625
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator

Quote:
2. I have cross check the password for both the DB and it is correct. As I login with NTS authentication on MYDUP.

NTS does not care about Oracle passwords, so the fact you can connect with NTS does not validate the password:
SQL> host type %ORACLE_HOME%\network\admin\sqlnet.ora
# This file is actually generated by netca. But if customers choose to
# install "Software Only", this file wont exist and without the native
# authentication, they will not be able to connect to the database on NT.

SQLNET.AUTHENTICATION_SERVICES = (NTS)
...

SQL> conn sys/toto as sysdba
Connected.
***SYS***> conn sys/whatever as sysdba
Connected.
***SYS***> conn sys/anotherone as sysdba
Connected.
***SYS***>

So how did you check the password?

Quote:
3. Here I am talking about Windows Administrator rights and not DB.

If authentication is set to NONE, OS groups/privileges are not checked and don't care.

Quote:
4. Agree, in that case, it should allow to login with the same password of primary database.
If password file is correct.


In short, if authentication is NTS OS groups are used and only them to authenticate, if authentication is NONE then DB passwords are used and only them.

Re: SQLNET.AUTHENTICATION_SERVICES = (NONE) ORA-01017 [message #670696 is a reply to message #670687] Fri, 20 July 2018 04:33 Go to previous messageGo to next message
sagar.sandbhor
Messages: 5
Registered: July 2018
Junior Member
I had written down in notepad and copy the password. Also tried with "sqlplus sys/password as sysdba"

I am fine with remaining points.

if authentication is NONE then DB passwords are used and only them.

I have seen in some forum that if you logged in as NT system to command prompt it will allow to login the MYDUP. So without using it is there any way to do same?
Re: SQLNET.AUTHENTICATION_SERVICES = (NONE) ORA-01017 [message #670697 is a reply to message #670684] Fri, 20 July 2018 04:37 Go to previous messageGo to next message
sagar.sandbhor
Messages: 5
Registered: July 2018
Junior Member
here is output of - whoami -groups

Group Name Type SID Attributes

============================================================= ================ ============================================= ======================
=========================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabl
ed by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114 Mandatory group, Enabl
ed by default, Enabled group
VW-PUN-BSA-QA11\ORA_ASMDBA Alias S-1-5-21-526688176-3877096626-3997236983-1033 Mandatory group, Enabl
ed by default, Enabled group
VW-PUN-BSA-QA11\ora_dba Alias S-1-5-21-526688176-3877096626-3997236983-1037 Mandatory group, Enabl
ed by default, Enabled group
VW-PUN-BSA-QA11\ORA_DUP7_DBA Alias S-1-5-21-526688176-3877096626-3997236983-1039 Mandatory group, Enabl
ed by default, Enabled group
VW-PUN-BSA-QA11\ORA_OPER Alias S-1-5-21-526688176-3877096626-3997236983-1028 Mandatory group, Enabl
ed by default, Enabled group
VW-PUN-BSA-QA11\ORA_OraDB12Home1_SYSBACKUP Alias S-1-5-21-526688176-3877096626-3997236983-1030 Mandatory group, Enabl
ed by default, Enabled group
VW-PUN-BSA-QA11\ORA_OraDB12Home1_SYSDG Alias S-1-5-21-526688176-3877096626-3997236983-1031 Mandatory group, Enabl
ed by default, Enabled group
VW-PUN-BSA-QA11\ORA_OraDB12Home1_SYSKM Alias S-1-5-21-526688176-3877096626-3997236983-1032 Mandatory group, Enabl
ed by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabl
ed by default, Enabled group, Group owner
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabl
ed by default, Enabled group
NT AUTHORITY\REMOTE INTERACTIVE LOGON Well-known group S-1-5-14 Mandatory group, Enabl
ed by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabl
ed by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabl
ed by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabl
ed by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabl
ed by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabl
ed by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabl
ed by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288 Mandatory group, Enabl
ed by default, Enabled group

C:\Users\Administrator>

I am unable to see the ORA_OraDB12Home1_DBA in groups, but when i see local user and group i can see the group as ORA_OraDB12Home1_DBA.
I tried to add the administrator to this group and try to login but unsuccessful.

Thanks!!!
Re: SQLNET.AUTHENTICATION_SERVICES = (NONE) ORA-01017 [message #670698 is a reply to message #670696] Fri, 20 July 2018 06:42 Go to previous messageGo to next message
Michel Cadot
Messages: 68625
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator

Quote:
I had written down in notepad and copy the password.

Which does not validate what is actually inside the password file.

Quote:
Also tried with "sqlplus sys/password as sysdba"

And you said it does not work (when using NONE as using NTS does not validate any password and so "work" is irrelevant).


Quote:
I have seen in some forum that if you logged in as NT system to command prompt it will allow to login the MYDUP.

In which cases? If credentials are appropriate for the configuration you have then yes, otherwise no.

Quote:
So without using it is there any way to do same?

What "it" is?

Re: SQLNET.AUTHENTICATION_SERVICES = (NONE) ORA-01017 [message #670701 is a reply to message #670698] Fri, 20 July 2018 11:53 Go to previous messageGo to next message
sagar.sandbhor
Messages: 5
Registered: July 2018
Junior Member
my password was abcA1b#.
When tried with the NTS its working and when it set to NONE, not working.

I checked ORGDB is created along with the installation of Oracle(12.2). Created with the Oracle Home user as Existing windows user.
Does that make the difference for MYDUP?

I am new to Oracle DB, so might not getback to all the questions.
Re: SQLNET.AUTHENTICATION_SERVICES = (NONE) ORA-01017 [message #670703 is a reply to message #670701] Fri, 20 July 2018 14:54 Go to previous messageGo to next message
Michel Cadot
Messages: 68625
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator

Quote:
When tried with the NTS its working and when it set to NONE, not working.

I give up, you didn't read what I said and repeated and even SHOWED you.

[Updated on: Fri, 20 July 2018 14:56]

Report message to a moderator

Re: SQLNET.AUTHENTICATION_SERVICES = (NONE) ORA-01017 [message #674479 is a reply to message #670703] Tue, 29 January 2019 05:37 Go to previous message
sparowlite
Messages: 1
Registered: January 2019
Junior Member
nice information. Keep sharing.
Previous Topic: Audit DROP user by SYS
Next Topic: Oracle Database-Microsoft Active Directory Integration
Goto Forum:
  


Current Time: Thu Mar 28 15:01:06 CDT 2024