ORA-12638错误的解决
最近在SQL连接的时候,无缘无故就报ORA-12638错误。应该是权限的问题,但是似乎是哪里都没有进行修改,很费解。到网上搜索了一下,发现这个问题的解决方法很简单,但是主要是需要理解AUTHENTICATION_SERVICES参数的意义,在这里记录一下。
ORA-12638: credential retrieval failed tips
Oracle Error Tips by Stephanie F.
The Oracle docs note this on the ora-12638 error:
ORA-12638: Credential retrieval failed
Cause: The authentication service failed to retrieve the credentials of a user.
Action: Enable tracing to determine the exact error.
On the Oracle Technology Network Forums, a user is able to successfully resolve ORA-12638 after some help from repliers. The original question was referring to a problem installing Oracle Designer, in which the user was thrown ORA-12638, when testing the connection, before the installation had even finished.
A replier pointed out to the user that ORA-12638 is "an Oracle database error, indicating that the Designer client was not able to connect to the database."
Though sometimes ORA-12638 can be resolved by restarting the database services in cases where Oracle on Windows is being used, although for this user it was not helpful.
However, the following direction was given, and once administered, was a successful resolution to ORA-12638:
Please check the sqlnet.ora file. Change the following entry and try, this will work.
Original Entry - SQLNET.AUTHENTICATION_SERVICES= (NTS)
Modified Entry - SQLNET.AUTHENTICATION_SERVICES= (NONE)
从含义上来说,AUTHENTICATION_SERVICES= (NTS) 该参数值仅对Windows有用,且表示即可以用口令验证,又可以用OS验证来登录Oracle,而(NONE)仅支持口令验证。但是为什么设置为NTS时会造成登录错误,这个问题就比较复杂了,可以看一下以下这篇博客的论述:
*******************************************************************
前段时间在2003上装测试数据库, 有同事在连接时说报此错误, 我大致观察揣摩的一下,发现一时间无法找到答案, 之后发现把数据库的SQLNET.ORA文件中的此项SQLNET.AUTHENTICATION_SERVICES 注释掉即可克服此错误,但具体原因也说不清楚,没解决此问题,心里一直疙瘩着;前两天想起此问题,用GOOGLE搜索了一下,在ITPUB 上发现一篇文章,说是把客户端的SQLNET.ORA文件给删除即可,试了一下,果真如此。但文章中的那人也解释不清楚原因,后上METALINK问,ORACLE的技术人员给了两篇文章让我先阅读。看完后作测试,才知道,对NTS的认证方式又多了一层了解。
ora-12638 错误的剖析
Site(A, Server) Windows 2003(已成为域控制器), oracle9206(opatch5)
Site(B, Client) windows 环境(2000,2003),oracle 数据库或客户端
Site(A),Site(B) 的oraclenetworkadmin目录下都有文件sqlnet.ora
该文件中都有这一项 SQLNET.AUTHENTICATION_SERVICES= (NTS)
现象1、当Site(B)以域domain (此域不同于site(A)的域)身份登录机器时,并且Site(A),Site(B) 中的sqlnet.ora 都有这一项 SQLNET.AUTHENTICATION_SERVICES 时,则会出现:
SQL> connect
scott/1@lenovo
ERROR:
ORA-12638: Credential retrieval failed
Warning: You are no longer connected to ORACLE.
SQL>
现象2、此时,若把客户端Site(B) 的 sqlnet.ora文件中的这一项 SQLNET.AUTHENTICATION_SERVICES 还是被注释掉#SQLNET.AUTHENTICATION_SERVICES= (NTS) 或 SQLNET.AUTHENTICATION_SERVICES= (NONE), 则均可以正常连接数据库
现象3、当客户端Site(B)以本机身份登录时,则不论 Site(B) 的 sqlnet.ora文件中的这一项 SQLNET.AUTHENTICATION_SERVICES = (NTS) 还是被注释掉#SQLNET.AUTHENTICATION_SERVICES= (NTS) 或 SQLNET.AUTHENTICATION_SERVICES= (NONE), 均可以正常连接数据库
原因:Site(A)是域控制器(vsts.com),若Site(B)也以域(domain)身份登录机器,并且Site(A),Site(B)都采用操作系统认证(NTS)方式,则需要双方建立信任关系,要不就一方不采用(NTS)认证。如:
SQLNET.AUTHENTICATION_SERVICES=NONE 或#SQLNET.AUTHENTICATION_SERVICES=***
Oracle 解释如下:
Either create trust between the two domains or change the client or server SQLNET.AUTHENTICATION_SERVICES such that NTS in not negotiated in the connection handshake. NTS is only negotiated if both client and server have SQLNET.AUTHENTICATION_SERVICES set to NTS.
i.e. SQLNET.AUTHENTICATION_SERVICES=NONE
解决方法:
1、对两个域建信任关系(没测试此方法)。
2、数据库或客户端的sqlnet.ora 中的 SQLNET.AUTHENTICATION_SERVICES=NONE或被注释掉 #SQLNET.AUTHENTICATION_SERVICES。
鉴与生产环境,无法对两个域建信任关系后作测试,无奈!