ORA-28040: No matching authentication protocol – SQLNET.ALLOWED_LOGON_VERSION_SERVER

tl;dr: in sqlnet.ora:

# the minimum allowed client version to connect to the databases from this home
# set this to accept lower versions of the authentication protocol
SQLNET.ALLOWED_LOGON_VERSION_SERVER=11
 
# if you have a database link to a lower version of Oracle
# set this to that lower version to talk the same authentication protocol
# 12a => 12.1.0.2
# SQLNET.ALLOWED_LOGON_VERSION_CLIENT=12a

# 12a for Oracle Database 12c release 12.1.0.2 or later
# 12 for the critical patch updates CPUOct2012 and later Oracle Database 11g
# 11 for Oracle Database 11g
# 10 for Oracle Database 10g
# 9 for Oracle9i
# 8 for Oracle8i

Ah, an old client is trying to connect to Oracle 12c (presumably)… ;)
Also “ORA-03134: Connections to this server version are no longer supported” can occur.

This actually implies that the authentication protocols used by client and server do not match. In Oracle 12c, the authentication protocol uses the SHA-2 hashing algorithm by default, where older clients use SHA-1. So when an older client is used with defaults, the server will not accept the connection.

The best option would be upgrading the client, but when older client libraries are used (like ojdbc14.jar) and you cannot change this, this is a problem. The database instance can be told to accept older clients and use the older SHA-1 hashing algorithm.

SQLNET.ALLOWED_LOGON_VERSION_SERVER

This is done in 12c with the SQLNET.ALLOWED_LOGON_VERSION_SERVER option in the sqlnet.ora in the database home (not the grid home). When using an older client (or ojdbc14.jar), this setting must be set to match the client version. Using the ojdbc6.jar is fine. (Sorry, I did not test the ojdbc5.jar version). Oracle says: “To set the minimum authentication protocol allowed when connecting to Oracle Database instances.”

When this parameter is set to ‘9’ or ‘8’, it permits most versions and allows any combination of the PASSWORD_VERSIONS values in DBA_USERS: 10G, 11G, and 12C. For settings ’11’ and ’10’ to work, CPUOct2012 must have been applied on the 10g client home.

A SQLNET.ALLOWED_LOGON_VERSION_SERVER setting of 12a permits only 12C as the value of PASSWORD_VERSIONS.

The complete description of this parameter is in the Oracle documentation: SQLNET.ALLOWED_LOGON_VERSION_SERVER

SQLNET.ALLOWED_LOGON_VERSION_CLIENT

What about the SQLNET.ALLOWED_LOGON_VERSION_CLIENT parameter?

At first I thought this should be the setting to set, like ‘which (lowest) client version is allowed’, but that was not the case. Oracle says: “To set the minimum authentication protocol allowed for clients (…) when connecting to Oracle Database instances.”

According to the documentation, this is used for database links. If you want to connect from 12c to 10g via a database link, the [12c] SQLNET.ALLOWED_LOGON_VERSION_CLIENT must be set to 10 for the 12c database, because the 12c instance must use the older authentication protocol to connect to the 10g instance.

Compatibility matrix

A compatibility matrix (authentication protocol / client / server versions) can be found in the Parameters for the sqlnet.ora File documentation.

SQLNET.ALLOWED_LOGON_VERSION

The older SQLNET.ALLOWED_LOGON_VERSION parameter is deprecated (from alert.log): “Using deprecated SQLNET.ALLOWED_LOGON_VERSION parameter.”
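A pre-change check for the settings discussed above, as an added example that is not part of the original post or Oracle's tooling: it parses a sqlnet.ora, flags the deprecated parameter and a server setting below 12a, and lists accounts that have no 12C password version and so could not log in if the setting were raised to 12a. The function names, the sample file and the sample DBA_USERS rows are constructed, and case-insensitive parameter names are an assumption.

```python
import re

# Accepted values as listed on this page, lowest to highest protocol.
LEVELS = ["8", "9", "10", "11", "12", "12a"]
# Assumption: parameter names are matched case-insensitively, value may be quoted.
PARAM = re.compile(
    r'^\s*SQLNET\.(ALLOWED_LOGON_VERSION(?:_SERVER|_CLIENT)?)\s*=\s*"?(\w+)"?', re.I)

def parse_sqlnet(text):
    """Return {parameter: value} for the logon-version parameters, skipping '#' comments."""
    found = {}
    for line in text.splitlines():
        m = PARAM.match(line.split("#", 1)[0])
        if m:
            found[m.group(1).upper()] = m.group(2).lower()
    return found

def audit(sqlnet_text, users):
    """users: (username, password_versions) rows exported from DBA_USERS."""
    params = parse_sqlnet(sqlnet_text)
    findings = []
    if "ALLOWED_LOGON_VERSION" in params:
        findings.append("deprecated SQLNET.ALLOWED_LOGON_VERSION is set")
    server = params.get("ALLOWED_LOGON_VERSION_SERVER")
    if server is None:
        findings.append("ALLOWED_LOGON_VERSION_SERVER not set; release default applies")
    elif server not in LEVELS:
        findings.append(f"unrecognised server value {server!r}")
    elif server != "12a":
        findings.append(f"server accepts logon version {server}, below 12a")
    # 12a permits only the 12C password version, so accounts without it
    # could not authenticate if the setting were raised to 12a.
    blocked = sorted(u for u, v in users
                     if "12C" not in re.split(r"[\s,]+", (v or "").upper().strip()))
    return findings, blocked

# Constructed sample input (not taken from a real system).
SAMPLE_SQLNET = """\
SQLNET.ALLOWED_LOGON_VERSION_SERVER=11
# SQLNET.ALLOWED_LOGON_VERSION_CLIENT=12a
sqlnet.allowed_logon_version = 10
"""
SAMPLE_USERS = [("APP_OWNER", "10G 11G 12C"), ("LEGACY_BATCH", "10G"),
                ("REPORTING", "11G 12C"), ("OLD_JDBC", "10G 11G")]

if __name__ == "__main__":
    findings, blocked = audit(SAMPLE_SQLNET, SAMPLE_USERS)
    for f in findings:
        print("finding:", f)
    print("no 12C password version:", ", ".join(blocked))
```

The user rows can be exported with a query on USERNAME and PASSWORD_VERSIONS in DBA_USERS; accounts the script lists need a password reset under a setting that generates the 12C version before the server value is raised.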

Happy connecting!
