Ora 28040 no matching authentication protocol ошибка

I am trying to connect my grails project to Oracle databse(Oracle 12c) in windows(8) system. However, whenever I run my application I get following exception :

Caused by: org.apache.commons.dbcp.SQLNestedException: 
Cannot create PoolableConnectionFactory (ORA-28040: 
No matching authentication protocol)

Caused by: 
java.sql.SQLException: ORA-28040: 
No matching authentication protocol

According to internet suggestion I also tried editing my *.ora file but it is not working.

I added following snippet in sqlnet.ora file :

SQLNET.ALLOWED_LOGON_VERSION=10
SQLNET.ALLOWED_LOGON_VERSION_CLIENT=10
SQLNET.ALLOWED_LOGON_VERSION_SERVER=10

Here i tried assigning (10,11,12) but neither of them is working.

Can anyone please help me with this ?

First of all the difference between ojdbc driver’s versions depends on the version of the JDK you use drivers with.
So ojbdc14 is suitable for JDK version 1.4, ojdbc5 for JDK 1.5, and so on.

I’m currently using ojdbc7.jar with a 12c database version since my environment uses a JDK 1.7, so upgrade this first.

Having said that, in the Parameters for the sqlnet.ora File for Oracle 12c release page you can read:

Purpose

To set the minimum authentication protocol allowed for clients, and
when a server is acting as a client, such as connecting over a
database link, when connecting to Oracle Database instances.

Usage Notes

The term VERSION in the parameter name refers to the version of the
authentication protocol, not the Oracle Database release.

If the version does not meet or exceed the value defined by this
parameter, then authentication fails with an ORA-28040: No matching
authentication protocol error.

The default for this property is 11.

Allowed values are 8,10,11,12 and 12a.

The recommended value is 12. Try this out.

Moreover there is a useful and interesting solution Database Administrators Stack Exchange

I am trying to connect my grails project to Oracle databse(Oracle 12c) in windows(8) system. However, whenever I run my application I get following exception :

Caused by: org.apache.commons.dbcp.SQLNestedException: 
Cannot create PoolableConnectionFactory (ORA-28040: 
No matching authentication protocol)

Caused by: 
java.sql.SQLException: ORA-28040: 
No matching authentication protocol

According to internet suggestion I also tried editing my *.ora file but it is not working.

I added following snippet in sqlnet.ora file :

SQLNET.ALLOWED_LOGON_VERSION=10
SQLNET.ALLOWED_LOGON_VERSION_CLIENT=10
SQLNET.ALLOWED_LOGON_VERSION_SERVER=10

Here i tried assigning (10,11,12) but neither of them is working.

Can anyone please help me with this ?

When I tried to connect to a 12.1 database from an Oracle client 9.2, it failed with ORA-28040: No matching authentication protocol.

I knew there could be some interoperability problems between versions, especially when the version gap is big like this case, Oracle 9i client connect to 12c, 18c or 19c database. But I didn’t expect ORA-28040 to show up.

For those users who want to use Oracle client 11g to connect to database 19c, but failed with ORA-28040, I’ll talk about it in the last section.

Same error may occur while you’re using old Oracle JDBC drivers, say ojdbc14.jar or below, to connect a 12c or 18c database. I’ll talk more about Oracle JDBC driver with ORA-28040 later in the post.

Let’s see the content of ORA-28040.

• Description

ORA-28040: No matching authentication protocol

• Cause

There was no acceptable authentication protocol for either client or server.

• Action

The administrator should set the values of the SQLNET.ALLOWED_LOGON_VERSION_SERVER and SQLNET.ALLOWED_LOGON_VERSION_CLIENT parameters, on both the client and on the server, to values that match the minimum version software supported in the system. This error ORA-28040 is also raised when the client is authenticating to a user account which was created without a verifier suitable for the client software version. In this situation, that account’s password must be reset, in order for the required verifier to be generated and allow authentication to proceed successfully.

Server or Clients?

According to the above explanation about ORA-28040, we should provide compatible authentication protocol for either client or server to accept. But now the question is: Should we change server configuration or just upgrade Oracle clients?

In fact, it depends on what privileges you have. For database administrators, you can change the server configuration to solve all users’ problems at once. As for developers, fixing or upgrading Oracle clients is the only choice you can do, so as to match authenticated protocol of Oracle 12c databases.

For better understanding different applicable situations, I will split the solutions against ORA-28040 into two main parts in this post, the first part is for server side, the other one is for client side.

1. Server Side Solutions
2. Client Side Solutions
3. Oralce Client 11g Connects to Database 19c

Server Side Solutions to ORA-28040

If you have the right to change the network configuration on the server side, then you have chances to solve ORA-28040 for all users in minutes. As a matter of fact, most developers do not have the right.

There’re 2 scenarios of interoperability between new and old versions.

1. Old Client to New Server
2. New Client to Old Server

We introduce the server-side solutions for each scenarios below.

Old Client to New Server

When your users refused to upgrade their old clients to connect a higher version of database, say 12c, ORA-28040 would become a frequent and typical error in your daily job.

Said clients could be an Oracle 9i server which acts as a client to connect to an Oracle 12c database server like below. ORA-28040 was thrown by sqlplus as usual:

After searching for some other solutions, I found an Oracle documentation about «Parameters for the sqlnet.ora File» is very helpful to explain ORA-28040. In which, it explains in what situation we should use SQLNET.ALLOWED_LOGON_VERSION_SERVER to be compatible with both ends of authentication protocol.

Purpose

To set the minimum authentication protocol allowed when connecting to Oracle Database instances.

Usage Notes

The term VERSION in the parameter name refers to the version of the authentication protocol, not the Oracle Database release.

If the client version does not meet or exceed the value defined by this parameter, then authentication fails with an ORA-28040: No matching authentication protocol error or an ORA-03134: Connections to this server version are no longer supported error.

Here is my solution to ORA-28040: Adding SQLNET.ALLOWED_LOGON_VERSION_SERVER=8 to sqlnet.ora in 12.1 database server (not the old client).

[oracle@test ~]$ vi $ORACLE_HOME/network/admin/sqlnet.ora
...
SQLNET.ALLOWED_LOGON_VERSION_SERVER=8


Please note that, you should use sqlnet.ora at database-level, not grid-level if you’re in a RAC environment according to MOS Doc ID 562589.1. And I have confirmed that.

As for taking effect, you don’t have to restart listener, the new incoming connections will apply the new values. Just make sure the setting is correct.

This time, our connections have no ORA-28040 shown up. Moreover, we can migrate data from 9i to 12c over a database link.

For some users who saw ORA-01017: invalid username/password; logon denied need DBA’s interventions.

New Client to Old Server

From the opposite direction, if you want to connect from a 12.1 to a 9.2 database, say database link connections, you should also set:

SQLNET.ALLOWED_LOGON_VERSION_CLIENT=8


in sqlnet.ora to prevent unmatched authenticated protocol error ORA-28040.

For your reference, I quote some text about SQLNET.ALLOWED_LOGON_VERSION_CLIENT below. Same reason here for ORA-28040, it’s a compatible issue:

Purpose

To set the minimum authentication protocol allowed for clients, and when a server is acting as a client, such as connecting over a database link, when connecting to Oracle Database instances.

Further reading: DB Link, How and Why

The connections from 9i to 12c can be worked around by the solutions provided in this post. In contrast, 12c to 9i usually fails due to ORA-03134, not ORA-28040.

ORA-03134: Connections to this server version are no longer supported.

I talked about the solution to ORA-03134 in another post:
How to Resolve ORA-03134: Connections to this server version are no longer supported.

Client Side Solutions to ORA-28040

Developers who don’t act as DBA may have no right to change SQLNET.ORA on the server side. Therefore, changing or upgrading their own clients is probably the only solution to ORA-28040.

From now on, we begin to focus on clients. Especially for those who are using Oracle JDBC drivers.

Additionally, some client tools that have authentication protocol problem also need to be configured and how we handle it.

1. Oracle JDBC Driver
2. SQL Developer
3. PL/SQL Developer
4. TOAD for Oracle
5. SQuirreL SQL Client

Oracle JDBC Driver

Since Oracle 12.1 database claims that it is compatible with ojdbc6.jar for JDK 6 or ojdbc7.jar for JDK 7, so ojdbc14.jar for JDK 1.4 or below is no longer matching for clients to connect through the authenticated protocol of a 12.1 database. That’s why you see ORA-28040 in java.sql.SQLException error stack.

More information for JDBC developers can be found at Oracle Database JDBC Developer’s Guide: Version Compatibility for Oracle JDBC Drivers.

SQL Developer

If you were using old SQL developer like this, you will see ORA-28040 whenever you connect to a 12.1 database.

Basically, SQL developer is a self-contained software, you can unzip the software and start to use it. That is to say, SQL developer usually uses its own JDK including JDBC driver to run itself.

Solution

Even though I see no chance to replace Oracle JDBC driver in the same old SQL developer, you can always download the newest SQL developer with newer Oracle JDBC driver from Oracle website. So as to solve ORA-28040.

Don’t worry about the connection settings, the new SQL developer will prompt you the migration option in your first time open.

Further reading: How to Connect MySQL from SQL Developer

PL/SQL Developer

PL/SQL developer is an install-based software. Generally, it leverages your native Oracle client to find necessary configuration file. Furthermore, it uses Oracle Call Interface (OCI) of your native Oracle client to connect Oracle databases.

That is, if your native Oracle client is old enough, you will get ORA-28040 like this:

Solution

The solution to ORA-28040 in PL/SQL developer is to replace the old OCI with a newer one. First of all, you have to download an Oracle instant client which contains corresponding OCI library. The proper version should be at least 11g.

In our case, I downloaded and unzipped a basic package of Oracle instant client for windows 32-bit to C:\oracle, the filename is instantclient-basic-nt-11.2.0.4.0.zip for instance.

Please make sure that at least Microsoft Visual Studio 2005 Redistributable has been installed in your machine before using Oracle instant client 11.2.

Step 1: Open Preferences Dialog

Click on the function menu and search for Tools -> Preferences to open the dialog.

Step 2: Go to «Connection» Section

Click on Oracle -> Connection to check current Oracle Home.

Step 3: Change OCI Library

Point to new unzipped instant client’s OCI. Please note that, you have to provide the whole absolute path including the filename, not just only the directory.

Step 4: Test the Connection

Restart PL/SQL developer and logon an Oracle 12c database.

That’s how we fight against ORA-28040 in PL/SQL Developer.

Toad for Oracle

Toad for Oracle is also an installer-based software that is mainly used for database administration and sometimes for development. Same error ORA-28040 may occur in Toad for Oracle, if the underlying network substrate is the same old Oracle 9.2.

As we can see, the tool utilized the underlying Oracle client 9.2 to connect a 12c database. That’s why we saw ORA-28040 alert in Toad for Oracle 9.7.

Solution

The solution to ORA-28040 in Toad for Oracle is pretty straightforward, just install a newer Oracle client, at least 11g for Toad to utilize of.

Please note that, Oracle client and Oracle instant client are different, the former is an install-based and full-fledged software, the later is a portable and partial-functioned package.

In this case, I downloaded and installed Oracle client 11.2.0.1 for windows 32-bit from Oracle website. Consequently, the newly installed Oracle client creates some registry parameters like ORACLE_HOME and TNS_ADMIN as environment variables for tools like Toad to recognize. So that, the restarted Toad will automatically detect the new Oracle client for us.

As we can see, the new Oracle client is found by Toad and ready to be used to match the authentication protocol of an Oracle 12c database.

If the new Oracle client is not detected and selected, you should use the drop-down list to choose the right one to use. Nevertheless, if there’s no new Oracle client in the drop-down list, you should check required registry parameters of the new Oracle client, such as ORACLE_HOME and TNS_ADMIN in Windows.

SQuirreL SQL Client

SQuirreL SQL Client is a pure Java-based software that can access databases given proper JDBC drivers. In this tool, I used ojdbc14.jar to connect a 12c database, the error is the same, ORA-28040: No matching authentication protocol.

Solution

How we handle it? This time, we don’t have to upgrade the software like SQL developer to solve ORA-28040, because this tool allows us to replace Oracle JDBC Driver with a newer version. In this case, we replace the old driver ojdbc14.jar with newer ojdbc7.jar.

First of all, you have to choose and download a proper JDBC driver that matches the authenticated protocol of 12c database at Oracle JDBC and UCP Downloads page. For 12c databases, either ojdbc6.jar or ojdbc7.jar Oracle JDBC driver is proper to solve ORA-28040.

Step 1: Delete old driver

Delete the old driver which is ojdbc14.jar.

Step 2: Add a new driver

Click on Add button.

Select ojdbc7.jar in the file browser

The new driver is selected as shown below.

Step 3: Test the connection

After replacing the old Oracle JDBC driver with a newer one, we can now test the connection again.

The connection is successful, no longer ORA-28040.

Oralce Client 11g Connects to Database 19c

Recently, we received some feedback from users who want to connect to database 19c from client 11g, but failed with ORA-28040.

After some investigations, we found only one release of 11g client can reach database 19c. It’s Oracle client 11.2.0.4 which is the last release of 11g.

Oracle client 11.2.0.1 —X—> Oracle database 19c
Oracle client 11.2.0.2 —X—> Oracle database 19c
Oracle client 11.2.0.4 ——-> Oracle database 19c

Either Oracle client 11.2.0.4 or instant client 11.2.0.4 is able to reach Oracle database 19c.

SQLNET parameters ALLOWED_LOGON_VERSION_CLIENT & ALLOWED_LOGON_VERSION_SERVER issue in Oracle 12c.
Set the value to the minimum authentication protocol allowed while making connection to Oracle Database instances.

Note: Version refer to the authentication protocol its not mean that oracle release version.

Error:

Caused by: java.sql.SQLException: ORA-28040: No matching authentication protocol”
ORA-28040: No matching authentication protocol error
ORA-03134: Connections to this server version are no longer supported error.


Solution:
1. Set the following value in SQLNET.ora file in Oracle database Server and client both:

SQLNET.ALLOWED_LOGON_VERSION_SERVER=8
SQLNET.ALLOWED_LOGON_VERSION_CLIENT=8

Note: value permit all most values for authentication protocol.

2. You can also check DBA_USERS table.

select username,password_versions from DBA_USERS
--Password Version has value 10G, 11G, and 12C


Example:
Suppose application is using client version 9i then for connectivity need to set following parameters as follows:

SQLNET.ORA FILE : SQLNET.ALLOWED_LOGON_VERSION_SERVER value to 8.
DBA_USERS table have column PASSWORD VERSION its value should be 8.


SQLNET.ALLOWED_LOGON_VERSION_CLIENT
minimum authentication protocol allowed for clients and used when a server is acting as a client.

Example:
If ORacle database 12c has database link to Oracle 10g database for some information then need to set the paremeter in sqlnet.ora of oracle 12c because it act as client of oracle 10g database.
SQLNET.ALLOWED_LOGON_VERSION_CLIENT=10

Note: Version refer to the authentication protocol its not mean that oracle release version.

Value of Parameter

12a for Oracle Database 12c 12.1.0.2 or later
12 for the critical patch updates CPUOct2012 and later Oracle Database 11g authentication protocols
11 for Oracle Database 11g authentication protocols ----- (default)
10 for Oracle Database 10g authentication protocols
8 for Oracle8i authentication protocol


Example:

Solution:

Set these parameters at the lowest version level that is required in your environment. For example:  All clients at version 10 or higher would require this setting:

SQLNET.ALLOWED_LOGON_VERSION_SERVER=10
SQLNET.ALLOWED_LOGON_VERSION_CLIENT=10

Following are the setting for using lower version. Set at both side Server or Client:

--Set 8 for Password Versions 10G, 11G and 12c
SQLNET.ALLOWED_LOGON_VERSION_SERVER=8 or 11
SQLNET.ALLOWED_LOGON_VERSION_CLIENT=8 or 11
---Set 12 for the 11G and 12c password Versions
SQLNET.ALLOWED_LOGON_VERSION_SERVER=12
SQLNET.ALLOWED_LOGON_VERSION_CLIENT=12
---Set the 12c for the only 12c Password Versions
SQLNET.ALLOWED_LOGON_VERSION_SERVER=12a
SQLNET.ALLOWED_LOGON_VERSION_CLIENT=12a

Note:
Keep the SEC_CASE_SENSITIVE_LOGON=TRUE in a 12.2 instance
if the sqlnet.ora file set the following parameter:
SQLNET.ALLOWED_LOGON_VERSION_SERVER=12 or 12a (12.2 default is 12)