12c: ORA-28040 After Upgrade: No Matching Authentication Protocol

12c: ORA-28040 After Upgrade: No Matching Authentication Protocol

APPLIES TO

Oracle Net Services - Version 12.1.0.1 to 12.2.1.2.0 [Release 12.1 to 12.2]
Oracle Database - Enterprise Edition - Version 12.2.0.1 to 12.2.0.1 [Release 12.2]
Oracle Database - Enterprise Edition - Version 12.1.0.2 to 12.1.0.2 [Release 12.1]
Oracle Database - Standard Edition - Version 12.2.0.1 to 12.2.0.1 [Release 12.2]
Information in this document applies to any platform.


SYMPTOMS

Following an upgrade to the version 12c database, the following errors are thrown
when attempting to connect from remote clients:

ORA-28040: No matching authentication protocol exception

CHANGES

This is a new installation of the version 12 database.


CAUSE

是由于12c中允许登录的默认设置引起的。This issue is caused by the default setting for allowed logon version in the 12 database.

Note that the SQLNET.ALLOWED_LOGON_VERSION parameter has been deprecated in 12c.
That parameter has been replaced by these:

SQLNET.ALLOWED_LOGON_VERSION_SERVER=n
SQLNET.ALLOWED_LOGON_VERSION_CLIENT=n

Version 12.1:

至少11,除非这些参数,显式在服务器端的sqlnet.ora文件中设置。The default setting for the new parameters is 11.
Any client that attempts to connect must be at version 11 or higher 
unless these parameters are explicitly set in the server side sqlnet.ora file.

Version 12.2 note:

这就是原因。The default for the SQLNET.ALLOWED_LOGON_VERSION_SERVER setting 
has changed in 12.2 from 11 to 12.

场景:服务器为12.2.0.1版本,Windows 7上为oracle 11.2 版本,Pl/SQL Developer连接报错。
解决:在服务器端,显示设置$ORACLE_HOME/network/admin/sqlnet.ora文件。

See:  https://docs.oracle.com/database/122/DBSEG/configuring-authentication.htm#DBSEG33223
Important note for 12.2:  If your client is not at least 11.2.0.3 or includes the CPUOCT2012 patch 
you will not be able to use the 12 setting.
Typically, the sqlnet.ora file that would be referenced by the database is located in RDBMS_HOME/network/admin.


SOLUTION

Set these parameters at the lowest version level that is required in your environment.
For example:  All clients at version 10 or higher would require this setting:

 SQLNET.ALLOWED_LOGON_VERSION_SERVER=10
 SQLNET.ALLOWED_LOGON_VERSION_CLIENT=10

第二个参数设置的原因。Note that SQLNET.ALLOWED_LOGON_VERSION_CLIENT would be necessary on the server 
when the database is 'acting' as a client.  Such as the case of a database link.

不需要重启监听器。There is  no need to restart either the listener or the database after this change.  See additional notes below.


--鸽子--