I am not familiar with Oracle and Kerberos, and I am trying to configure Oracle 19c to use Kerberos authentication. I hit this error, "114: Key table entry not found", in the trace file. Please kindly help with it, thank you so so much!!!
OracleKerberosFiles.zip (15.74 KB)
environment
windows active directory on windows 2019
Oracle 19c server on the same machine as Windows Active Directory (on Windows 2019). Is it supported to put the Oracle server and Active Directory on the same machine?
configuration
sqlnet.ora
# sqlnet.ora Network Configuration File: C:\oracle\server\NETWORK\ADMIN\sqlnet.ora
# Generated by Oracle configuration tools.
# This file is actually generated by netca. But if customers choose to
# install "Software Only", this file wont exist and without the native
# authentication, they will not be able to connect to the database on NT.
# SQLNET.AUTHENTICATION_SERVICES= (NTS)
# NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT, ONAMES, HOSTNAME)
SQLNET.KERBEROS5_KEYTAB=C:\oracle\keytab2
SQLNET.KERBEROS5_CONF=C:\oracle\krb5.conf
SQLNET.KERBEROS5_CONF_MIT=TRUE
#SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=SANDYORACL19C1
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=orcl
SQLNET.AUTHENTICATION_SERVICES=(kerberos5pre,kerberos5)
#should we remove NTS and BEQ here?
SQLNET.KERBEROS5_CLOCKSKEW=6000
SQLNET.KERBEROS5_CONF_MIT=TRUE
SQLNET.FALLBACK_AUTHENTICATION=TRUE
SQLNET.KERBEROS5_CC_NAME=C:\Users\Administrator\AppData\Local\Temp\2\krb5cc
#SQLNET.KERBEROS5_CC_NAME=OSMSFT://
DIAG_ADR_ENABLED=off
TRACE_LEVEL_SERVER=16
TRACE_DIRECTORY_SERVER=C:\oracle\trace
TRACE_FILE_SERVER=oracle
krb5.conf
[libdefaults]
default_realm = SANDYTEST.COM
clockskew = 6000
forwardable = yes
[realms]
SANDYTEST.COM = {
kdc = sandyOracle19c1.sandytest.com:88
}
[domain_realm]
.sandytest.com = SANDYTEST.COM
sandytest.com = SANDYTEST.COM
.SANDYTEST.COM = SANDYTEST.COM
SANDYTEST.COM = SANDYTEST.COM
.fyre.ibm.com = SANDYTEST.COM
fyre.ibm.com = SANDYTEST.COM
.FYRE.IBM.COM = SANDYTEST.COM
FYRE.IBM.COM = SANDYTEST.COM
User I created in Active Directory: user logon name: orcl; first name and full name: sandyOracle19c1.SANDYTEST.COM
Another Active Directory user: username: oracmu, password: Passw0rd
create user oracmu identified externally as 'oracmu@SANDYTEST.COM';
grant create session to oracmu;
command output
PS C:\oracle> ktpass.exe -princ orcl/sandyOracle19c1.SANDYTEST.COM@SANDYTEST.COM -mapuser sandyOracle19c1.SANDYTEST.COM -crypto all -pass Passw0rd -out c:\keytab2
Targeting domain controller: sandyOracle19c1.sandytest.com
Using legacy password setting method
Successfully mapped orcl/sandyOracle19c1.SANDYTEST.COM to orcl.
WARNING: pType and account type do not match. This might cause problems.
Key created.
Key created.
Key created.
Key created.
Key created.
Output keytab to c:\keytab2:
Keytab version: 0x502
keysize 75 orcl/sandyOracle19c1.SANDYTEST.COM@SANDYTEST.COM ptype 0 (KRB5_NT_UNKNOWN) vno 3 etype 0x1 (DES-CBC-CRC) keylength 8 (0x910834c8201cea13)
keysize 75 orcl/sandyOracle19c1.SANDYTEST.COM@SANDYTEST.COM ptype 0 (KRB5_NT_UNKNOWN) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0x910834c8201cea13)
keysize 83 orcl/sandyOracle19c1.SANDYTEST.COM@SANDYTEST.COM ptype 0 (KRB5_NT_UNKNOWN) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0xa87f3a337d73085c45f9416be5787d86)
keysize 99 orcl/sandyOracle19c1.SANDYTEST.COM@SANDYTEST.COM ptype 0 (KRB5_NT_UNKNOWN) vno 3 etype 0x12 (AES256-SHA1) keylength 32 (0x0890c460c8fd79c6c965c474fad51df3b7cf42d1aecfbb42606884c99813b3a2)
keysize 83 orcl/sandyOracle19c1.SANDYTEST.COM@SANDYTEST.COM ptype 0 (KRB5_NT_UNKNOWN) vno 3 etype 0x11 (AES128-SHA1) keylength 16 (0x540b6e8e2422fcd31c6b9788031c5f2f)
PS C:\oracle> setspn -Q orcl/sandyOracle19c1.SANDYTEST.COM
Checking domain DC=sandytest,DC=com
CN=sandyOracle19c1.SANDYTEST.COM,CN=Users,DC=sandytest,DC=com
orcl/sandyOracle19c1.SANDYTEST.COM
Existing SPN found!
PS C:\oracle> setspn -X
Checking domain DC=sandytest,DC=com
Processing entry 0
found 0 group of duplicate SPNs.
PS C:\oracle> okdstry
Kerberos Utilities for 64-bit Windows: Version 19.0.0.0.0 - Production on 05-SEP-2022 23:51:12
Copyright (c) 1996, 2019 Oracle. All rights reserved.
Configuration file : C:\oracle\krb5.conf.
PS C:\oracle> okinit oracmu
Kerberos Utilities for 64-bit Windows: Version 19.0.0.0.0 - Production on 05-SEP-2022 23:51:21
Copyright (c) 1996, 2019 Oracle. All rights reserved.
Configuration file : C:\oracle\krb5.conf.
Password for oracmu@SANDYTEST.COM:
PS C:\oracle> oklist
Kerberos Utilities for 64-bit Windows: Version 19.0.0.0.0 - Production on 05-SEP-2022 23:51:27
Copyright (c) 1996, 2019 Oracle. All rights reserved.
Configuration file : C:\oracle\krb5.conf.
Ticket cache: FILE:C:\Users\Administrator\AppData\Local\Temp\2\krb5cc
Default principal: oracmu@SANDYTEST.COM
Valid starting Expires Service principal
09/05/22 23:51:23 09/06/22 09:51:23 krbtgt/SANDYTEST.COM@SANDYTEST.COM
renew until 09/06/22 23:51:21
PS C:\oracle> klist
Current LogonId is 0:0xde9c5
Cached Tickets: (2)
#0> Client: administrator @ SANDYTEST.COM
Server: krbtgt/SANDYTEST.COM @ SANDYTEST.COM
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
Start Time: 9/5/2022 19:47:05 (local)
End Time: 9/6/2022 5:47:05 (local)
Renew Time: 9/12/2022 19:47:05 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x1 -> PRIMARY
Kdc Called: SANDYORACLE19C1
#1> Client: administrator @ SANDYTEST.COM
Server: host/sandyoracle19c1.sandytest.com @ SANDYTEST.COM
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
Start Time: 9/5/2022 19:47:05 (local)
End Time: 9/6/2022 5:47:05 (local)
Renew Time: 9/12/2022 19:47:05 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: SANDYORACLE19C1
PS C:\oracle> sqlplus /@orcl
SQL*Plus: Release 19.0.0.0.0 - Production on Mon Sep 5 23:51:38 2022
Version 19.3.0.0.0
Copyright (c) 1982, 2019, Oracle. All rights reserved.
ERROR:
ORA-12631: Username retrieval failed
Enter user-name:
oracle trace file
[05-SEP-2022 23:51:38:878] snauk5g_open_file: Opening C:\oracle\keytab2.
[05-SEP-2022 23:51:38:878] snauk5g_open_file: exit
[05-SEP-2022 23:51:38:878] nauk5wj_ktfileint_open: exit
[05-SEP-2022 23:51:38:878] nauk5y2_kt_get_entry: Searching for keytype=23 ,kvno=3;Current keytype=1,kvno=3
[05-SEP-2022 23:51:38:878] nauk5fq_free_principal: entry
[05-SEP-2022 23:51:38:878] nauk5fq_free_principal: exit
[05-SEP-2022 23:51:38:878] nauk5y2_kt_get_entry: Searching for keytype=23 ,kvno=3;Current keytype=3,kvno=3
[05-SEP-2022 23:51:38:878] nauk5fq_free_principal: entry
[05-SEP-2022 23:51:38:878] nauk5fq_free_principal: exit
[05-SEP-2022 23:51:38:878] nauk5y2_kt_get_entry: Searching for keytype=23 ,kvno=3;Current keytype=23,kvno=3
[05-SEP-2022 23:51:38:878] nauk5fq_free_principal: entry
[05-SEP-2022 23:51:38:878] nauk5fq_free_principal: exit
[05-SEP-2022 23:51:38:878] nauk5y2_kt_get_entry: Searching for keytype=23 ,kvno=3;Current keytype=18,kvno=3
[05-SEP-2022 23:51:38:878] nauk5fq_free_principal: entry
[05-SEP-2022 23:51:38:878] nauk5fq_free_principal: exit
[05-SEP-2022 23:51:38:878] nauk5y2_kt_get_entry: Searching for keytype=23 ,kvno=3;Current keytype=17,kvno=3
[05-SEP-2022 23:51:38:878] nauk5fq_free_principal: entry
[05-SEP-2022 23:51:38:878] nauk5fq_free_principal: exit
[05-SEP-2022 23:51:38:878] snauk5t_close_file: entry
[05-SEP-2022 23:51:38:878] snauk5t_close_file: exit
[05-SEP-2022 23:51:38:878] nauk5fq_free_principal: entry
[05-SEP-2022 23:51:38:878] nauk5fq_free_principal: exit
[05-SEP-2022 23:51:38:878] nauk5y2_kt_get_entry: Returning 114: Key table entry not found
.
[05-SEP-2022 23:51:38:878] nauk5y2_kt_get_entry: exit
[05-SEP-2022 23:51:38:878] nauk5fq_free_principal: entry
[05-SEP-2022 23:51:38:878] nauk5fq_free_principal: exit
[05-SEP-2022 23:51:38:878] nauk5kz_rd_req_simple: Returning 114: Key table entry not found
.
[05-SEP-2022 23:51:38:878] nauk5kz_rd_req_simple: exit
[05-SEP-2022 23:51:38:878] nauk5ahgetcontext: entry
[05-SEP-2022 23:51:38:878] nauk5ahgetcontext: Using default context.
[05-SEP-2022 23:51:38:878] nauk5ahgetcontext: exit
[05-SEP-2022 23:51:38:878] nauk5kz_rd_req_simple: nauk5kz_rd_req_simple: Key table entry not found
.[05-SEP-2022 23:51:38:878] nauk5fq_free_principal: entry
[05-SEP-2022 23:51:38:878] nauk5fq_free_principal: exit
[05-SEP-2022 23:51:38:878] nauk5a_process_RDREQ: exit
[05-SEP-2022 23:51:38:878] nauk5a3recvclientauth: exit
[05-SEP-2022 23:51:38:878] nauk5avalidate: nauk5a3recvclientauth() failed to process the request
[05-SEP-2022 23:51:38:878] nauk5avalidate: failed
[05-SEP-2022 23:51:38:878] nauk5avalidate: exit
[05-SEP-2022 23:51:38:878] nau_scn: credential validation function failed
[05-SEP-2022 23:51:38:878] nacomsd: entry
[05-SEP-2022 23:51:38:878] nacomfsd: entry
[05-SEP-2022 23:51:38:878] nacomfsd: exit
[05-SEP-2022 23:51:38:878] nacomsd: exit
[05-SEP-2022 23:51:38:878] nau_scn: failed with error 12631
[05-SEP-2022 23:51:38:878] nau_scn: exit
[05-SEP-2022 23:51:38:878] na_csrd: failed with error 12631
[05-SEP-2022 23:51:38:878] na_csrd: exit
[05-SEP-2022 23:51:38:878] nacomer: error 12631 received from Authentication service
[05-SEP-2022 23:51:38:878] nacomer: failed with error 12631
[05-SEP-2022 23:51:38:878] nacomsn: entry
[05-SEP-2022 23:51:38:878] nacomap: entry
[05-SEP-2022 23:51:38:878] nacomap: Packet length 21
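As an added example, not code from the post or from Oracle: a reader for the version-0x502 keytab layout that the ktpass output above reports (its keysize values, 75/83/99, match the per-entry layout used here), with a lookup that mirrors the principal, kvno and enctype search the trace performs. The keytab bytes are constructed inline with dummy keys; it assumes Python 3 and nothing else.

```python
import struct

# Constructed sample input (not the keytab from the post): two entries for the
# post's service principal, kvno 3, RC4-HMAC (23) and AES256-SHA1 (18), dummy keys.
REALM = "SANDYTEST.COM"
COMPONENTS = ["orcl", "sandyOracle19c1.SANDYTEST.COM"]

def build_entry(realm, components, kvno, etype, key, timestamp=0, name_type=0):
    """Encode one keytab entry without its size prefix (name_type 0 = KRB5_NT_UNKNOWN)."""
    body = struct.pack(">H", len(components))
    for s in [realm] + components:                  # counted octet strings: realm first
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", name_type, timestamp, kvno)
    return body + struct.pack(">HH", etype, len(key)) + key

def build_keytab(entries):
    """Version 0x502 header, then each entry prefixed by its signed 32-bit size."""
    return b"\x05\x02" + b"".join(struct.pack(">i", len(e)) + e for e in entries)

def parse_keytab(data):
    """Return [(principal, kvno, etype, key), ...] from a version-0x502 keytab."""
    assert data[:2] == b"\x05\x02", "only keytab version 0x502 is handled"
    pos, out = 2, []
    while pos + 4 <= len(data):
        size = struct.unpack(">i", data[pos:pos + 4])[0]; pos += 4
        if size < 0: pos -= size; continue          # negative size marks a deleted slot
        entry, p, parts = data[pos:pos + size], 2, []
        for _ in range(struct.unpack(">H", entry[:2])[0] + 1):   # realm + components
            n = struct.unpack(">H", entry[p:p + 2])[0]
            parts.append(entry[p + 2:p + 2 + n].decode())
            p += 2 + n
        _ntype, _ts, vno = struct.unpack(">IIB", entry[p:p + 9])
        etype, klen = struct.unpack(">HH", entry[p + 9:p + 13])
        key = entry[p + 13:p + 13 + klen]
        if size - (p + 13 + klen) >= 4:             # optional 32-bit kvno (non-zero wins)
            vno = struct.unpack(">I", entry[p + 13 + klen:p + 17 + klen])[0] or vno
        out.append(("/".join(parts[1:]) + "@" + parts[0], vno, etype, key))
        pos += size
    return out

def find_entry(entries, principal, kvno, etype):
    """The lookup the trace performs: exact principal match (byte-for-byte, as in
    MIT krb5) plus matching kvno and enctype; None is 'Key table entry not found'."""
    for name, vno, et, key in entries:
        if name == principal and vno == kvno and et == etype:
            return key
    return None
SAMPLE_KEYTAB = build_keytab([
    build_entry(REALM, COMPONENTS, 3, 23, b"\x00" * 16),
    build_entry(REALM, COMPONENTS, 3, 18, b"\x00" * 32),
])
```

Running parse_keytab over the real keytab file lists exactly which principal spellings, kvnos and enctypes the server can match, which is the first thing to compare against the "Searching for keytype=..., kvno=..." lines in the trace.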