Oracle Database Discussions

Oracle Kerberos Authentication got error "114: Key table entry not found"

User_67N9A, Sep 6 2022 (edited Sep 6 2022)

I am not familiar with Oracle and Kerberos, and I am trying to configure Oracle 19c to use Kerberos authentication. I met this error "114: Key table entry not found" in the trace file. Please kindly help with it, thank you so so much!!!
OracleKerberosFiles.zip (15.74 KB)
environment
Windows Active Directory on Windows 2019
Oracle 19c server on the same machine as Windows Active Directory (on Windows 2019). Is it supported to put the Oracle server and Active Directory on the same machine?
configuration
sqlnet.ora

# sqlnet.ora Network Configuration File: C:\oracle\server\NETWORK\ADMIN\sqlnet.ora
# Generated by Oracle configuration tools.

# This file is actually generated by netca. But if customers choose to 
# install "Software Only", this file wont exist and without the native 
# authentication, they will not be able to connect to the database on NT.

# SQLNET.AUTHENTICATION_SERVICES= (NTS)

# NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)

NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT, ONAMES, HOSTNAME)
SQLNET.KERBEROS5_KEYTAB=C:\oracle\keytab2
SQLNET.KERBEROS5_CONF=C:\oracle\krb5.conf
SQLNET.KERBEROS5_CONF_MIT=TRUE
#SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=SANDYORACL19C1
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=orcl
SQLNET.AUTHENTICATION_SERVICES=(kerberos5pre,kerberos5)
#should we remove NTS and BEQ here?
SQLNET.KERBEROS5_CLOCKSKEW=6000
SQLNET.KERBEROS5_CONF_MIT=TRUE
SQLNET.FALLBACK_AUTHENTICATION=TRUE
SQLNET.KERBEROS5_CC_NAME=C:\Users\Administrator\AppData\Local\Temp\2\krb5cc
#SQLNET.KERBEROS5_CC_NAME=OSMSFT://
DIAG_ADR_ENABLED=off
TRACE_LEVEL_SERVER=16
TRACE_DIRECTORY_SERVER=C:\oracle\trace
TRACE_FILE_SERVER=oracle

krb5.conf

[libdefaults]
default_realm = SANDYTEST.COM
clockskew = 6000
forwardable = yes
[realms]
SANDYTEST.COM = {
kdc = sandyOracle19c1.sandytest.com:88
}
[domain_realm]
.sandytest.com = SANDYTEST.COM  
sandytest.com = SANDYTEST.COM
.SANDYTEST.COM = SANDYTEST.COM  
SANDYTEST.COM = SANDYTEST.COM
.fyre.ibm.com = SANDYTEST.COM  
fyre.ibm.com = SANDYTEST.COM
.FYRE.IBM.COM = SANDYTEST.COM  
FYRE.IBM.COM = SANDYTEST.COM

User I created in Active Directory: User logon name: orcl, First name and full name: sandyOracle19c1.SANDYTEST.COM
Another Active Directory user: username: oracmu, password: Passw0rd
create user oracmu identified externally as oracmu@SANDYTEST.COM";
grant create session to "oracmu@SANDYTEST.COM";

command output

PS C:\oracle> ktpass.exe -princ orcl/sandyOracle19c1.SANDYTEST.COM@SANDYTEST.COM -mapuser sandyOracle19c1.SANDYTEST.COM -crypto all -pass Passw0rd -out c:\keytab2
Targeting domain controller: sandyOracle19c1.sandytest.com
Using legacy password setting method
Successfully mapped orcl/sandyOracle19c1.SANDYTEST.COM to orcl.
WARNING: pType and account type do not match. This might cause problems.
Key created.
Key created.
Key created.
Key created.
Key created.
Output keytab to c:\keytab2:
Keytab version: 0x502
keysize 75 orcl/sandyOracle19c1.SANDYTEST.COM@SANDYTEST.COM ptype 0 (KRB5_NT_UNKNOWN) vno 3 etype 0x1 (DES-CBC-CRC) keylength 8 (0x910834c8201cea13)
keysize 75 orcl/sandyOracle19c1.SANDYTEST.COM@SANDYTEST.COM ptype 0 (KRB5_NT_UNKNOWN) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0x910834c8201cea13)
keysize 83 orcl/sandyOracle19c1.SANDYTEST.COM@SANDYTEST.COM ptype 0 (KRB5_NT_UNKNOWN) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0xa87f3a337d73085c45f9416be5787d86)
keysize 99 orcl/sandyOracle19c1.SANDYTEST.COM@SANDYTEST.COM ptype 0 (KRB5_NT_UNKNOWN) vno 3 etype 0x12 (AES256-SHA1) keylength 32 (0x0890c460c8fd79c6c965c474fad51df3b7cf42d1aecfbb42606884c99813b3a2)
keysize 83 orcl/sandyOracle19c1.SANDYTEST.COM@SANDYTEST.COM ptype 0 (KRB5_NT_UNKNOWN) vno 3 etype 0x11 (AES128-SHA1) keylength 16 (0x540b6e8e2422fcd31c6b9788031c5f2f)
PS C:\oracle> setspn -Q orcl/sandyOracle19c1.SANDYTEST.COM
Checking domain DC=sandytest,DC=com
CN=sandyOracle19c1.SANDYTEST.COM,CN=Users,DC=sandytest,DC=com
        orcl/sandyOracle19c1.SANDYTEST.COM

Existing SPN found!
PS C:\oracle> setspn -X
Checking domain DC=sandytest,DC=com
Processing entry 0
found 0 group of duplicate SPNs.

PS C:\oracle> okdstry

Kerberos Utilities for 64-bit Windows: Version 19.0.0.0.0 - Production on 05-SEP-2022 23:51:12

Copyright (c) 1996, 2019 Oracle.  All rights reserved.

Configuration file : C:\oracle\krb5.conf.
PS C:\oracle> okinit oracmu

Kerberos Utilities for 64-bit Windows: Version 19.0.0.0.0 - Production on 05-SEP-2022 23:51:21

Copyright (c) 1996, 2019 Oracle.  All rights reserved.

Configuration file : C:\oracle\krb5.conf.
Password for oracmu@SANDYTEST.COM:
PS C:\oracle> oklist

Kerberos Utilities for 64-bit Windows: Version 19.0.0.0.0 - Production on 05-SEP-2022 23:51:27

Copyright (c) 1996, 2019 Oracle.  All rights reserved.

Configuration file : C:\oracle\krb5.conf.
Ticket cache: FILE:C:\Users\Administrator\AppData\Local\Temp\2\krb5cc
Default principal: oracmu@SANDYTEST.COM

Valid starting     Expires            Service principal
09/05/22 23:51:23  09/06/22 09:51:23  krbtgt/SANDYTEST.COM@SANDYTEST.COM
        renew until 09/06/22 23:51:21
PS C:\oracle> klist

Current LogonId is 0:0xde9c5

Cached Tickets: (2)

#0>     Client: administrator @ SANDYTEST.COM
        Server: krbtgt/SANDYTEST.COM @ SANDYTEST.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 9/5/2022 19:47:05 (local)
        End Time:   9/6/2022 5:47:05 (local)
        Renew Time: 9/12/2022 19:47:05 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: SANDYORACLE19C1

#1>     Client: administrator @ SANDYTEST.COM
        Server: host/sandyoracle19c1.sandytest.com @ SANDYTEST.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
        Start Time: 9/5/2022 19:47:05 (local)
        End Time:   9/6/2022 5:47:05 (local)
        Renew Time: 9/12/2022 19:47:05 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called: SANDYORACLE19C1
PS C:\oracle> sqlplus /@orcl

SQL*Plus: Release 19.0.0.0.0 - Production on Mon Sep 5 23:51:38 2022
Version 19.3.0.0.0

Copyright (c) 1982, 2019, Oracle.  All rights reserved.

ERROR:
ORA-12631: Username retrieval failed


Enter user-name:

oracle trace file

[05-SEP-2022 23:51:38:878] snauk5g_open_file: Opening C:\oracle\keytab2.
[05-SEP-2022 23:51:38:878] snauk5g_open_file: exit
[05-SEP-2022 23:51:38:878] nauk5wj_ktfileint_open: exit
[05-SEP-2022 23:51:38:878] nauk5y2_kt_get_entry: Searching for keytype=23 ,kvno=3;Current keytype=1,kvno=3
[05-SEP-2022 23:51:38:878] nauk5fq_free_principal: entry
[05-SEP-2022 23:51:38:878] nauk5fq_free_principal: exit
[05-SEP-2022 23:51:38:878] nauk5y2_kt_get_entry: Searching for keytype=23 ,kvno=3;Current keytype=3,kvno=3
[05-SEP-2022 23:51:38:878] nauk5fq_free_principal: entry
[05-SEP-2022 23:51:38:878] nauk5fq_free_principal: exit
[05-SEP-2022 23:51:38:878] nauk5y2_kt_get_entry: Searching for keytype=23 ,kvno=3;Current keytype=23,kvno=3
[05-SEP-2022 23:51:38:878] nauk5fq_free_principal: entry
[05-SEP-2022 23:51:38:878] nauk5fq_free_principal: exit
[05-SEP-2022 23:51:38:878] nauk5y2_kt_get_entry: Searching for keytype=23 ,kvno=3;Current keytype=18,kvno=3
[05-SEP-2022 23:51:38:878] nauk5fq_free_principal: entry
[05-SEP-2022 23:51:38:878] nauk5fq_free_principal: exit
[05-SEP-2022 23:51:38:878] nauk5y2_kt_get_entry: Searching for keytype=23 ,kvno=3;Current keytype=17,kvno=3
[05-SEP-2022 23:51:38:878] nauk5fq_free_principal: entry
[05-SEP-2022 23:51:38:878] nauk5fq_free_principal: exit
[05-SEP-2022 23:51:38:878] snauk5t_close_file: entry
[05-SEP-2022 23:51:38:878] snauk5t_close_file: exit
[05-SEP-2022 23:51:38:878] nauk5fq_free_principal: entry
[05-SEP-2022 23:51:38:878] nauk5fq_free_principal: exit
[05-SEP-2022 23:51:38:878] nauk5y2_kt_get_entry: Returning 114: Key table entry not found
.
[05-SEP-2022 23:51:38:878] nauk5y2_kt_get_entry: exit
[05-SEP-2022 23:51:38:878] nauk5fq_free_principal: entry
[05-SEP-2022 23:51:38:878] nauk5fq_free_principal: exit
[05-SEP-2022 23:51:38:878] nauk5kz_rd_req_simple: Returning 114: Key table entry not found
.
[05-SEP-2022 23:51:38:878] nauk5kz_rd_req_simple: exit
[05-SEP-2022 23:51:38:878] nauk5ahgetcontext: entry
[05-SEP-2022 23:51:38:878] nauk5ahgetcontext: Using default context.
[05-SEP-2022 23:51:38:878] nauk5ahgetcontext: exit
[05-SEP-2022 23:51:38:878] nauk5kz_rd_req_simple: nauk5kz_rd_req_simple: Key table entry not found

.[05-SEP-2022 23:51:38:878] nauk5fq_free_principal: entry
[05-SEP-2022 23:51:38:878] nauk5fq_free_principal: exit
[05-SEP-2022 23:51:38:878] nauk5a_process_RDREQ: exit
[05-SEP-2022 23:51:38:878] nauk5a3recvclientauth: exit
[05-SEP-2022 23:51:38:878] nauk5avalidate: nauk5a3recvclientauth() failed to process the request
[05-SEP-2022 23:51:38:878] nauk5avalidate: failed
[05-SEP-2022 23:51:38:878] nauk5avalidate: exit
[05-SEP-2022 23:51:38:878] nau_scn: credential validation function failed
[05-SEP-2022 23:51:38:878] nacomsd: entry
[05-SEP-2022 23:51:38:878] nacomfsd: entry
[05-SEP-2022 23:51:38:878] nacomfsd: exit
[05-SEP-2022 23:51:38:878] nacomsd: exit
[05-SEP-2022 23:51:38:878] nau_scn: failed with error 12631
[05-SEP-2022 23:51:38:878] nau_scn: exit
[05-SEP-2022 23:51:38:878] na_csrd: failed with error 12631
[05-SEP-2022 23:51:38:878] na_csrd: exit
[05-SEP-2022 23:51:38:878] nacomer: error 12631 received from Authentication service
[05-SEP-2022 23:51:38:878] nacomer: failed with error 12631
[05-SEP-2022 23:51:38:878] nacomsn: entry
[05-SEP-2022 23:51:38:878] nacomap: entry
[05-SEP-2022 23:51:38:878] nacomap: Packet length    21
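
Added example (not part of the original post, and not Oracle's code): a reader for the MIT keytab layout that ktpass reports as "Keytab version: 0x502", plus an exact-match lookup on principal, enctype and kvno like the one the trace walks through. `SAMPLE` is constructed with zeroed keys and the principal name from the ktpass output; `build_entry` and `find_entry` are hypothetical helper names, and the lowercase name in the usage note is an illustration, not a diagnosis of this trace.

```python
import struct

def _counted(buf, off):  # uint16 length prefix, then that many bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, etype)] from a version 0x502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                       # negative size marks a deleted slot
            off += -size
            continue
        rec, off = data[off:off + size], off + size
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, p = _counted(rec, 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(rec, p)
            comps.append(comp)
        p += 8                              # skip name type and timestamp
        kvno = rec[p]                       # 8-bit key version number
        etype, klen = struct.unpack_from(">HH", rec, p + 1)
        p += 5 + klen                       # step over the key; it is never returned
        if len(rec) - p >= 4:               # optional 32-bit kvno, used when non-zero
            kvno = struct.unpack_from(">I", rec, p)[0] or kvno
        entries.append(("/".join(comps) + "@" + realm, kvno, etype))
    return entries

def find_entry(entries, principal, etype, kvno):
    """Exact matches, plus entries where only the principal name differs."""
    exact = [e for e in entries if e == (principal, kvno, etype)]
    near = [e for e in entries if e[1:] == (kvno, etype) and e[0] != principal]
    return exact, near

def build_entry(principal, kvno, etype, key):
    """Constructed test data: encode one record in the 0x502 layout."""
    name, realm = principal.split("@")
    s = lambda t: struct.pack(">H", len(t)) + t.encode()
    rec = struct.pack(">H", name.count("/") + 1) + s(realm)
    rec += b"".join(s(c) for c in name.split("/"))
    rec += struct.pack(">IIBHH", 0, 0, kvno, etype, len(key)) + key
    return struct.pack(">i", len(rec)) + rec

PRINC = "orcl/sandyOracle19c1.SANDYTEST.COM@SANDYTEST.COM"   # from the ktpass output
ETYPES = [(1, 8), (3, 8), (23, 16), (18, 32), (17, 16)]      # (etype, key length)
SAMPLE = b"\x05\x02" + b"".join(build_entry(PRINC, 3, e, bytes(n)) for e, n in ETYPES)
```

`find_entry(parse_keytab(SAMPLE), PRINC, 23, 3)` returns one exact match, while the same call with the constructed name `orcl/sandyoracle19c1.sandytest.com@SANDYTEST.COM` returns no exact match and lists the RC4 entry as a near miss, because principal names compare byte for byte.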

