CODEWITHSUNDEEP
c#oracle12codp.net-managedora-01017
DerHaifisch
DerHaifisch

Reputation: 486

Oracle.ManagedDataAccess and ORA-01017: invalid username/password; logon denied

I have a challenging situation on one of our servers. I have an ASP.NET MVC 3 application that needs to connect to an Oracle 12c database. It does so using the following connection string:

User ID=myuserid;Password=mypass;Data Source=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=<IP ADDRESS>)(PORT = 1521)))(CONNECT_DATA=(SERVICE_NAME=PDB1)));

I'm also using Oracle's Oracle.ManagedDataAccess, version 4.121.1.0. Each attempt to connect results in the following error:

ORA-01017: invalid username/password; logon denied

I can connect successfully on my desktop with the above credentials. I have the same code on another server, but using an older, un-managed version of the library, and it can connect successfully with the aforementioned credentials. However, the server on which I would like my code to run fails every single time using the same credentials that enable successful connections on different servers.

On the server that fails, I can:

I have checked the TNSNAMES.ORA in all locations and they appear to be correct.

After hitting the database too many times, the account actually locked indicating that I was, indeed, hitting the database and that the database did not like the credentials presented. I checked the applications that previously connected successfully and they also failed with an error indicating that the account was locked. Unlocking the account caused those applications to connect successfully with the exception of the server with which I am having problems.

I am at my wit's end.

Does anyone have any other suggestions as to what might cause this problem?

EDIT:

I installed WireShark on my local computer and on the offending server. I captured communication between my desktop and the database as well as the offending server and the database. I found that my desktop communicated the password:

0080  35 42 31 41 43 34 30 00 01 01 01 0d 0d 41 55 54   5B1AC40......AUT
0090  48 5f 50 41 53 53 57 4f 52 44 01 40 40 43 30 36   H_PASSWORD.@@C06
00a0  37 39 42 31 31 42 46 36 42 41 43 44 39 30 38 44   79B11BF6BACD908D
00b0  37 39 34 34 31 31 46 34 32 33 30 42 34 36 44 36   794411F4230B46D6
00c0  35 36 36 33 31 42 45 39 39 41 36 43 36 37 42 44   56631BE99A6C67BD
00d0  43 33 35 42 42 44 36 44 42 45 37 34 36 00 01 0d   C35BBD6DBE746...

whereas the server with which I am having problems, did not (or at least that's the assumption):

0080  39 33 39 37 32 33 46 00 01 01 01 0d 0d 41 55 54   939723F......AUT
0090  48 5f 50 41 53 53 57 4f 52 44 01 40 40 00 00 00   H_PASSWORD.@@...
00a0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00b0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00c0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00d0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 0d   ................

Does anyone know of a security/configuration setting that would prevent passwords from being transmitted even though they are present in the connection string?

Edit (20180713):

In my particular case, the issue was the FIPS setting.

For those doing research, there are several ways around this.

  1. You can alter the registry setting located at HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled. If FIPS is enabled, the value is 1. If disabled, the value is 0. You do not need to reboot.

  2. Most likely, the reason why you are running into this issue is that FIPS is enabled and you are using the Oracle managed data access library. A solid workaround is to use the unmanaged library. However, to use this library, you need to install the Oracle Instant Client. The client is available for download in the Oracle Data Access Components.

  3. Upgrade your server to Oracle 12.2c. Oracle 12c versions before 12.2c still have this problem.

If you do not have FIPS enabled, the most likely you will need to investigate whether your database has the SEC_CASE_SENSITIVE_LOGON setting set to true. You will need to execute ALTER SYSTEM SET SEC_CASE_SENSITIVE_LOGON = FALSE; and then reset all of your passwords.

Upvotes: 16

Views: 40782

Answers (10)

Reaver
Reaver

Reputation: 323

Just for future reference if someone gets the same wrong password/username error it could come from setting the wrong providerName in the database connection string. Removing this part of the string worked for me:

providerName=Oracle.DataAccess.Client

Upvotes: 0

Marce Nolf
Marce Nolf

Reputation: 11

I'm programming in C # with an Oracle xe 11g database, it had never happened to me before, but the new users that I created in the DB, when I tried to connect from the C# application, I got the error: ORA-01017: invalid username / password ; logon denied, only with new users (I did a migration from xe 10g to xe 11g) where migrated users from version 10g worked correctly.

I made this change in my connection string and managed to solve the problem

before

private string cadenaCone = "User Id=AAA111;Password=BBB222;Data Source=CCC333;Connection Timeout=60;";

after

private string cadenaCone = "User Id=AAA111;Password=" + ((char)34).ToString() + "BBB222"+((char)34).ToString()+";Data Source=CCC333;Connection Timeout=60;";

Upvotes: 1

Ergec
Ergec

Reputation: 11824

For some reason (and have no idea why ) my c# code sends my username uppercased even though I write it as lowercase.

For example my username is kullaniciadi you may think uppercase of this would be KULLANICIADI but seems it's not. My server's locale is Turkish (I believe this is the reason) so uppercased version of my username becomes KULLANİCİADİ because in Turkish uppercase of i is İ and uppercase of ı is I. And this results invalid username error.

Had no control over database so can't change any settings on it.

Typing my username all uppercased solved the problem.

Also this only works in combination of accepted answer. If registry key mentioned in accepted answer is set to 1 then this answer may not work.

Spent lots of hours for this stupid thing. I'm writing this down so you won't.

Upvotes: 0

Giovanny Farto M.
Giovanny Farto M.

Reputation: 1598

I was trying with the command:

ALTER SYSTEM SET SEC_CASE_SENSITIVE_LOGON = FALSE;

But it didn't work. I had to change it using the SQL Developer in the DBA tab.

  1. Find the Parameter 'sec_case_sensitive_logon' and change its value to 'FALSE' enter image description here
  2. Commit your changes using the button: enter image description here
  3. It will ask the commit strategy and you have to choose both: enter image description here
  4. Click 'Apply'
  5. I don't know if this step is required, but I also changed the user's password. (I set the same password)

In case, you don't know how to open the 'Initialization Parameters':

  1. Open 'Oracle SQL Developer'
  2. Go to 'View' menu and select 'DBA'
  3. Choose a connection
  4. And then click on 'Initialization Parameters'

enter image description here

Upvotes: 0

ameritrash
ameritrash

Reputation: 51

I had the same issue using Entity Framework and the Oracle.ManagedDataAccess.Client, but I had some success by uppercasing my password in the configuration connection string section.

Upvotes: 2

Robert Stokes
Robert Stokes

Reputation: 355

I had the same problem! I didn't try changing the RegKey but I did try changing the web and machine config. This did not work.

What did solve the problem was changing the app pool I was running under!

The App Pool was running under a service account and once I moved it to a new App Pool with just the default system account it started picking up the User ID and Password from the config.

Upvotes: 0

rima ganguly
rima ganguly

Reputation: 1

I had exactly same issue. When I was connecting to database directly from SqlDeveloper, it was working fine. But my application ( built on VB6) failed to connect to Oracle and giving error "ORA-01017 Invalid ID/password.
After turning off, case sensitive login for my database ID, it resolved the issue.

Upvotes: 0

gouderadrian
gouderadrian

Reputation: 431

I did not quite have the same scenario as this case does, but I did have very similar results. What I did to sort out the problem was, I enclosed the password in quotes like the following (VB.NET):

cnx.ConnectionString = "User ID=MYID;Password=""MyPass"" ;Data Source=MyTEST"

or use chr(34) as follows

cnx.ConnectionString = "User ID=MYID;Password="+chr(34)+"MyPass"+chr(34)+" ;Data Source=MyTEST"

Upvotes: 0

John O&#39;Reilly
John O&#39;Reilly

Reputation: 126

Based on Jeff's answer (10/31/2014)...

The registry setting can be set by GPO to only allow FIPS compliant algorithms. Setting this to 0 as indicated may be a violation of some security policies and get overwritten by the GPO. This registry setting controls more than just IIS or ASP.NET.

There is another way that is specific to .NET and may work at the application level. This is much easier to justify compared to modifying the settings of the whole server.

Application specific method:

In your Web.config or App.config file, add the following setting:

<configuration> <!-- Will already be there -->
  <runtime>
    <enforceFIPSPolicy enabled="false"/>
  </runtime>
...  the rest of your .config

If I remember correctly, this must be at the beginning of your config file.

All .NET application method:

Place the setting above in the machine.config file. There will be one for each .NET version and architecture (64 bit/32 bit). There will already be a element, so put the element inside it.

Upvotes: 10

Jeff McConnell
Jeff McConnell

Reputation: 166

I have been struggling with this same issue for a couple of weeks and finally have a resolution. I had to disable the FIPS security policy, try setting this key:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy] "Enabled"=dword:00000000

to zero, it worked perfectly for me

I was following your thread your blank password issue eventually pointed me here:

https://community.oracle.com/thread/2557592?start=30&tstart=0

Upvotes: 15

Related Questions