ORA-28040: No matching authentication protocol – SQLNET.ALLOWED_LOGON_VERSION_SERVER

Ah, an old client is trying to connect to Oracle 12c (presumably)… ;)
Also “ORA-03134: Connections to this server version are no longer supported” can occur.

This actually implies that the authentication protocols used by client and server do not match. In Oracle 12c, the authentication protocol uses the SHA-2 encryption algorithm by default, whereas older clients use SHA-1. So when an older client is used with defaults, the server will not accept the connection.

The best option would be upgrading the client, but this is a problem when older DLLs are used (like ojdbc14.jar) and you cannot change this. The database instance can be told to accept older clients and use the older SHA-1 encryption algorithm.

SQLNET.ALLOWED_LOGON_VERSION_SERVER

This is done in 12c with the SQLNET.ALLOWED_LOGON_VERSION_SERVER option in the SQLNET.ORA in the database home (not the grid home). When using an older client (or ojdbc14.jar), this setting must be set to match the client version. Using the ojdbc6.jar is fine. (Sorry, I did not test the ojdbc5.jar version.) Oracle says: “To set the minimum authentication protocol allowed when connecting to Oracle Database instances.”

When this parameter is set to ‘8’, it permits most versions and allows any combination of the PASSWORD_VERSIONS values in DBA_USERS to be 10G, 11G, and 12C.

A SQLNET.ALLOWED_LOGON_VERSION_SERVER setting of 12a permits only a PASSWORD_VERSIONS value of 12C.

Get your complete description about this parameter here: SQLNET.ALLOWED_LOGON_VERSION_SERVER

SQLNET.ALLOWED_LOGON_VERSION_CLIENT

What about the SQLNET.ALLOWED_LOGON_VERSION_CLIENT parameter?

At first I thought this should be the setting to set, like ‘which (lowest) client version is allowed’, but that was not the case. Oracle says: “To set the minimum authentication protocol allowed for clients (…) when connecting to Oracle Database instances.”

According to the documentation, it seems this is used for database links. If you want to connect from 12c to 10g via a database link, the [12c] SQLNET.ALLOWED_LOGON_VERSION_CLIENT must be set to 10, because the 12c instance acts as a client which wants to connect to the 10g instance.

SQLNET.ALLOWED_LOGON_VERSION

The older SQLNET.ALLOWED_LOGON_VERSION parameter is deprecated (from alert.log): “Using deprecated SQLNET.ALLOWED_LOGON_VERSION parameter.”
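To see what a given SQLNET.ORA ends up permitting after such a change, here is a small audit script, added as an example and not part of the original post or of any Oracle tooling. The function name `audit_sqlnet` and the sample file are made up for illustration; the rows for 8 and 12a come from the text above, the other rows from the Oracle 12c Net Services Reference and should be checked against your release.

```python
import re

# Password versions accepted per SQLNET.ALLOWED_LOGON_VERSION_SERVER value.
# "8" and "12a" are stated in the post; the other rows follow the Oracle 12c
# Net Services Reference (assumption: verify against your release).
ACCEPTED = {
    "12a": ["12C"],
    "12": ["11G", "12C"],
    "11": ["10G", "11G", "12C"],
    "10": ["10G", "11G", "12C"],
    "9": ["10G", "11G", "12C"],
    "8": ["10G", "11G", "12C"],
}
PARAM = re.compile(
    r"^\s*SQLNET\.ALLOWED_LOGON_VERSION(_SERVER|_CLIENT)?\s*=\s*(\S+)", re.I)

def audit_sqlnet(text):
    """Return (settings, findings) for the logon-version parameters in sqlnet.ora text."""
    settings, findings = {}, []
    for line in text.splitlines():
        m = PARAM.match(line.split("#", 1)[0])  # '#' starts a comment
        if not m:
            continue
        # No suffix means the old, deprecated parameter name was used.
        role = (m.group(1) or "").lstrip("_").upper() or "DEPRECATED"
        settings[role] = m.group(2).strip("\"'").lower()
    if "DEPRECATED" in settings:
        findings.append("deprecated SQLNET.ALLOWED_LOGON_VERSION is set")
    server = settings.get("SERVER")
    if server is not None:
        versions = ACCEPTED.get(server)
        if versions is None:
            findings.append(f"unrecognised SERVER value {server!r}")
        elif "10G" in versions:
            findings.append(f"SERVER={server} still accepts 10G password versions")
    return settings, findings

# Constructed sample input, not taken from a real system.
SAMPLE = """\
# lowered for the legacy ojdbc14.jar application
SQLNET.ALLOWED_LOGON_VERSION_SERVER = 8
sqlnet.allowed_logon_version_client = 10   # database link to 10g
#SQLNET.ALLOWED_LOGON_VERSION_SERVER = 12a
SQLNET.ALLOWED_LOGON_VERSION = 8
"""

if __name__ == "__main__":
    settings, findings = audit_sqlnet(SAMPLE)
    print(settings)
    for finding in findings:
        print("FINDING:", finding)
```

Once the legacy client is gone, raising the server setting again and comparing the result with the PASSWORD_VERSIONS column in DBA_USERS shows which accounts still carry only older password versions.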

Happy connecting!
