You like unexpected changes and surprises, don’t you? And especially those which aren’t in the patch notes or the docs. I blogged about such changes a few weeks ago. And thanks to the people reading this blog, I learned now about another change with Oracle 19.10.0 on the Windows platform. You may receive now an ORA-12638 on Windows only from Oracle 19.10.0 onwards.
What has been changed?
So at first, thanks to Ernst and Marcus for bringing this to my attention. This is an issue which happens on MS Windows only.
When you have SQLNET.AUTHENTICATION_SERVICES=NTS in your sqlnet.ora, then you may see now ORA-12638: Credential retrieval failed when you for instance select over a database link. Or it happens simply when you try to connect from the client using sqlplus user/pw@servicename.
When you’d do a SQLnet trace, you would spot this message: NO_NTLM set, not local conn, not actively falling back to NTLM even if server might not support kerberos. And this points to the solution. NTLM is the Windows Networks LAN Manager authentication service. Access to it has been disabled by default due to a security fix. So NO_NTLM=TRUE is now the standard from 19.10.0 on for Windows systems.
How to solve it?
I hope you don’t have too many clients.
You will need to set this in your client-side sqlnet.ora:
Then everything should work as it has been worked before.
As many of you commented already, I have not more information about this issue – and especially no further advice. I would like to ask you to open SRs and check with Oracle Support for further guidance as I don’t have the chance to test with all the different client options and possibilities. Thanks!
Further Links and Information
- MOS Note: 2757734.1 – Windows: While Connect to Database Getting ORA-12638 After Applying Jan 2021 WINDBBP 220.127.116.11.210119
- New Parameters in Oracle 19.10.0 – and a default change