(學)ORA-12638: credential retrieval failed tips

背景：實施部同事在客戶現場把裝有Oracle的虛擬機器整體複製了一份用於測試。
現象：此後兩台伺服器都不能用了，提示“ORA-12638: credential retrieval failed tips”，當關閉其中一台機器後有些時候會好一會，但偶爾還會報錯，根據錯誤號碼，可以肯定這不是我們程式自身的問題，需要從Oracle或作業系統入手。
解決辦法：原文地址：http://www.blogjava.net/decode360/archive/2008/10/20/286806.html

    所有事情不非像想象那樣難，動動手你也能解決很多問題，^_^。

   最近在SQL串連的時候，無緣無故就報ORA-12638錯誤。應該是許可權的問題，但是似乎是哪裡都沒有進行修改，很費解。到網上搜尋了一下，發現這個問題的解決方案很簡單，但是主要是需要理解AUTHENTICATION_SERVICES參數的意義，在這裡記錄一下。

 

ORA-12638: credential retrieval failed tips 

 

Oracle Error Tips by Stephanie F. 
The Oracle docs note this on the ora-12638 error:

 

ORA-12638: Credential retrieval failed   Cause: The authentication service failed to retrieve the credentials of a user. 
Action: Enable tracing to determine the exact error. 

 

On the Oracle Technology Network Forums, a user is able to successfully resolve ORA-12638 after some help from repliers.  The original question was referring to a problem installing Oracle Designer, in which the user was thrown ORA-12638, when testing the connection, before the installation had even finished.

 

A replier pointed out to the user that ORA-12638 is "an Oracle database error, indicating that the Designer client was not able to connect to the database."Though sometimes ORA-12638 can be resolved by restarting the database services in cases where Oracle on Windows is being used, although for this user it was not helpful. However, the following direction was given, and once administered, was a successful resolution to ORA-12638: Please check the sqlnet.ora file. Change the following entry and try, this will work.

 

Original Entry - SQLNET.AUTHENTICATION_SERVICES= (NTS)
Modified Entry - SQLNET.AUTHENTICATION_SERVICES= (NONE) 

 

  從含義上來說，AUTHENTICATION_SERVICES= (NTS) 該參數值僅對Windows有用，且表示即可以用口令驗證，又可以用OS驗證來登入Oracle，而(NONE)僅支援口令驗證。但是為什麼設定為NTS時會造成登入錯誤，這個問題就比較複雜了，可以看一下以下這篇部落格的論述：

 

 http://zalbb.itpub.net/post/980/48931

 

*******************************************************************

 

  前段時間在2003上裝測試資料庫, 有同事在串連時說報此錯誤, 我大致觀察揣摩的一下,發現一時間無法找到答案, 之後發現把資料庫的SQLNET.ORA檔案中的此項SQLNET.AUTHENTICATION_SERVICES 注釋掉即可克服此錯誤，但具體原因也說不清楚，沒解決此問題，心裡一直疙瘩著；前兩天想起此問題，用GOOGLE搜尋了一下，在ITPUB 上發現一篇文章，說是把用戶端的SQLNET.ORA檔案給刪除即可，試了一下，果真如此。但文章中的那人也解釋不清楚原因，後上METALINK問，ORACLE的技術人員給了兩篇文章讓我先閱讀。看完後作測試，才知道，對NTS的認證方式又多了一層瞭解。

 

ora-12638 錯誤的剖析

 

Site(A, Server) Windows 2003(已成為網域控制站), oracle9206(opatch5) Site(B, Client) windows 環境(2000,2003)，oracle 資料庫或用戶端

 

Site(A),Site(B) 的oraclenetworkadmin目錄下都有檔案sqlnet.ora該檔案中都有這一項 SQLNET.AUTHENTICATION_SERVICES= (NTS)

 

現象1、當Site(B)以域domain (此域不同於site(A)的域)身份登入機器時,並且Site(A),Site(B) 中的sqlnet.ora 都有這一項 SQLNET.AUTHENTICATION_SERVICES 時，則會出現:

 

 SQL> connect scott/1@lenovo ERROR:
ORA-12638: Credential retrieval failed

 

 Warning: You are no longer connected to ORACLE.SQL>

 

現象2、此時,若把用戶端Site(B) 的 sqlnet.ora檔案中的這一項 SQLNET.AUTHENTICATION_SERVICES 還是被注釋掉#SQLNET.AUTHENTICATION_SERVICES= (NTS) 或 SQLNET.AUTHENTICATION_SERVICES= (NONE), 則均可以正常串連資料庫

 

SQL> connect scott/1@lenovo 
Connected.

 

 現象3、當用戶端Site(B)以本機身份登入時,則不論 Site(B) 的 sqlnet.ora檔案中的這一項 SQLNET.AUTHENTICATION_SERVICES = (NTS) 還是被注釋掉#SQLNET.AUTHENTICATION_SERVICES= (NTS) 或 SQLNET.AUTHENTICATION_SERVICES= (NONE), 均可以正常串連資料庫

 

SQL> connect scott/1@lenovo 
Connected.

 

原因：Site(A)是網域控制站(vsts.com),若Site(B)也以域(domain)身份登入機器,並且Site(A),Site(B)都採用作業系統認證(NTS)方式,則需要雙方建立信任關係，要不就一方不採用(NTS)認證。如：SQLNET.AUTHENTICATION_SERVICES=NONE 或#SQLNET.AUTHENTICATION_SERVICES=***

 

Oracle 解釋如下：

 

Either create trust between the two domains or change the client or server SQLNET.AUTHENTICATION_SERVICES such that NTS in not negotiated in the connection handshake. NTS is only negotiated if both client and server have SQLNET.AUTHENTICATION_SERVICES set to NTS.i.e. SQLNET.AUTHENTICATION_SERVICES=NONE

 

解決方案：

 

1、對兩個域建信任關係(沒測試此方法)。
2、資料庫或用戶端的sqlnet.ora 中的 SQLNET.AUTHENTICATION_SERVICES=NONE或被注釋掉 #SQLNET.AUTHENTICATION_SERVICES。