Skip to Main Content
Forums

SQL & PL/SQL

Announcement

For appeals, questions and feedback about Oracle Forums, please email oracle-forums-moderators_us@oracle.com. Technical questions should be asked in the appropriate category. Thank you!

ORA-01017: invalid username/password; logon denied when connecting Oracle19c db from java program

sonu_gupta(ram)May 12 2021 — edited May 12 2021

I am able to connect Oracle19 db instance using SQL developer
hostname-localhost
port-1521
servicename- xepdb1
----
I am writing a simple java class - ConnOracle which connects with oracle db and fetch few information.
import java.sql.*;
class ConnOracle{
public static void main(String args[]){
try{
//step1 load the driver class
Class.forName("oracle.jdbc.driver.OracleDriver");
//step2 create the connection object
Connection con=DriverManager.getConnection(
"jdbc:oracle:thin:@//localhost:1521/xepdb1","username","MyPassword");
System.out.println(".. created the connection object..");
//step3 create the statement object
Statement stmt=con.createStatement();
//step4 execute query
ResultSet rs=stmt.executeQuery("select * from accounts");
while(rs.next())
System.out.println(rs.getInt(1)+" "+rs.getString(2));
//step5 close the connection object
con.close();
}catch(Exception e){ System.out.println(e);}
}
}

The program is failing at line
Connection con=DriverManager.getConnection(
"jdbc:oracle:thin:@//localhost:1521/xepdb1","username","MyPassword");
java.sql.SQLException: ORA-01017: invalid username/password; logon denied

what is missing guys , please suggest

Comments

807578
This error suggests a problem with your kerberos config file, specifically a mismatch between supported encryption tpyes. Have you specified the default_tkt_enctypes and/or default_tgs_enctypes keywords in your krb5.conf file? AFAIK, the only common encryptions between MIT krb5 and AD is "des-cbc-crc" and "des-cbc-md5"; if you have something different, this will fail.

Also, I don't know if this applies, but I found this:

Cause 2: This exception is thrown when using native ticket cache on some Windows platforms. Microsoft has added a new feature in which they no longer export the session keys for Ticket-Granting Tickets (TGTs). As a result, the native TGT obtained on Windows has an "empty" session key and null EType. The effected platforms include: Windows Server 2003, Windows 2000 Server Service Pack 4 (SP4) and Windows XP SP2.

Solution 2: You need to update the Windows registry to disable this new feature. The registry key allowtgtsessionkey should be added--and set correctly--to allow session keys to be sent in the Kerberos Ticket-Granting Ticket.

On the Windows Server 2003 and Windows 2000 SP4, here is the required registry setting:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value Name: allowtgtsessionkey
Value Type: REG_DWORD
Value: 0x01 ( default is 0 )

By default, the value is 0; setting it to "0x01" allows a session key to be included in the TGT.

Here is the location of the registry setting on Windows XP SP2:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\
Value Name: allowtgtsessionkey
Value Type: REG_DWORD
Value: 0x01

from this page: http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/Troubleshooting.html

Some other possibly useful urls:
http://docs.sun.com/source/819-4309-10/en-us/base/standard/activedir_auth_enabling.html
http://docs.sun.com/app/docs/doc/816-5174/6mbb98ugh?a=view
http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/Troubleshooting.html

Hope this helps.
807578
I think it might be the scond cause. I had already tried various combinations of "des-cbc-crc" and "des-cbc-md5".

I will ask our IT services guys who look after the AD to see if the can apply this registry fix.

Cheers

Anthony Worrall
1 - 2

Post Details

Added on May 12 2021
#connection, #jdbc, #oracle, #sql
11 comments
23,964 views