Hey everyone, I'm dealing with a really annoying issue with Kerberos EUS (Enterprise User Security) authentication for Oracle, and I'm hoping you can help. For some reason, it stopped working without any changes on our side. Just to give you an overview, we're using Oracle 19c on a Linux server, accessing it from a Windows jump host via SQL*Plus. Both systems are synced time-wise and the same domain user is being used for connections.
Initially, we faced ORA-12631 errors on the Windows side. I validated the SPN mappings in Active Directory and confirmed that Kerberos tickets are being issued correctly from both environments. Local authentication on the Linux server works fine with Kerberos, so I suspect there's a difference in how the Windows client is handling it.
After changing the sqlnet.ora file to use a different Kerberos ticket cache on the Windows client, the error changed to ORA-01017 (invalid username/password). This suggests the ticket is being sent correctly, but the Oracle database isn't able to map the identity properly, or there's a permission issue.
I'm scratching my head over why the Linux client works perfectly while the Windows one doesn't, especially since both are in the same AD setup. Any insights on what I should check next? Thanks for your help!
1 Answer
You might want to check for any recent updates on your Domain Controllers that could be affecting Kerberos. Run this command: `Get-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\Kdc"` and see if you have `KdcUseClientAddresses` and `KdcUseClientNetBIOSAddresses` set to 1. If so, this is likely causing the problem, with Kerberos tickets being improperly formed, which leads to authentication failures with Oracle.
To fix it, change the `KdcUseClientNetBIOSAddresses` to 0, restart the KDC service, then have your Windows clients log out and log back in for new tickets.
Thanks for the suggestion! I ran the command and confirmed those settings. Do you have any official MS documentation that discusses this issue?
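The check and fix described in the answer, written out as a script. This is an added example, not code from the thread: the function name `Get-KdcAddressSetting` and the `-Apply` switch are hypothetical, and it assumes an elevated PowerShell session on the Domain Controller. Without `-Apply` it only reports.

```powershell
[CmdletBinding(SupportsShouldProcess)]
param(
    # Hypothetical switch: without it the script is read-only.
    [switch]$Apply
)

$kdcKey = 'HKLM:\System\CurrentControlSet\Services\Kdc'
$names  = 'KdcUseClientAddresses', 'KdcUseClientNetBIOSAddresses'

function Get-KdcAddressSetting {
    # Returns one object per value name, distinguishing "absent" from "set to 0".
    param([string]$Path, [string[]]$Name)
    $props = Get-ItemProperty -Path $Path -ErrorAction Stop
    foreach ($n in $Name) {
        $present = $null -ne $props.PSObject.Properties[$n]
        [pscustomobject]@{
            Name    = $n
            Present = $present
            Value   = if ($present) { $props.$n } else { $null }
        }
    }
}

$state = Get-KdcAddressSetting -Path $kdcKey -Name $names
$state | Format-Table -AutoSize

# The answer's condition: both values exist and are set to 1.
$bothSet = @($state | Where-Object { $_.Present -and $_.Value -eq 1 }).Count -eq $names.Count
if (-not $bothSet) {
    Write-Output 'Both values are not set to 1; the condition from the answer does not apply.'
    return
}

Write-Warning 'Both values are 1, the combination the answer points to.'

if ($Apply -and $PSCmdlet.ShouldProcess($kdcKey, 'Set KdcUseClientNetBIOSAddresses to 0 and restart the KDC service')) {
    # Record the previous value so the change can be reverted.
    $old = ($state | Where-Object Name -eq 'KdcUseClientNetBIOSAddresses').Value
    Write-Output "Previous KdcUseClientNetBIOSAddresses value: $old"

    Set-ItemProperty -Path $kdcKey -Name 'KdcUseClientNetBIOSAddresses' -Value 0 -Type DWord
    Restart-Service -Name Kdc
    Write-Output 'Done. Windows clients must log out and log back in to get new tickets.'
}
```

Running it with `-Apply -WhatIf` shows the change that would be made without touching the registry or the service.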