Oracle.ManagedDataAccess and ORA-01017: invalid username/password; logon denied

Asked 16/10, 2014 at 18:0 Answered 27/1, 2021 at 13:21

Solved c#oracle12c odp.net-managed ora-01017

I have a challenging situation on one of our servers. I have an ASP.NET MVC 3 application that needs to connect to an Oracle 12c database. It does so using the following connection string:

User ID=myuserid;Password=mypass;Data Source=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=<IP ADDRESS>)(PORT = 1521)))(CONNECT_DATA=(SERVICE_NAME=PDB1)));

I'm also using Oracle's Oracle.ManagedDataAccess, version 4.121.1.0. Each attempt to connect results in the following error:

ORA-01017: invalid username/password; logon denied

I can connect successfully on my desktop with the above credentials. I have the same code on another server, but using an older, un-managed version of the library, and it can connect successfully with the aforementioned credentials. However, the server on which I would like my code to run fails every single time using the same credentials that enable successful connections on different servers.

On the server that fails, I can:

connect via SQLPLUS
hit the database with TNSPING
Create a System DSN to establish an ODBC connection

I have checked the TNSNAMES.ORA in all locations and they appear to be correct.

After hitting the database too many times, the account actually locked indicating that I was, indeed, hitting the database and that the database did not like the credentials presented. I checked the applications that previously connected successfully and they also failed with an error indicating that the account was locked. Unlocking the account caused those applications to connect successfully with the exception of the server with which I am having problems.

I am at my wit's end.

Does anyone have any other suggestions as to what might cause this problem?

EDIT:

I installed WireShark on my local computer and on the offending server. I captured communication between my desktop and the database as well as the offending server and the database. I found that my desktop communicated the password:

0080  35 42 31 41 43 34 30 00 01 01 01 0d 0d 41 55 54   5B1AC40......AUT
0090  48 5f 50 41 53 53 57 4f 52 44 01 40 40 43 30 36   H_PASSWORD.@@C06
00a0  37 39 42 31 31 42 46 36 42 41 43 44 39 30 38 44   79B11BF6BACD908D
00b0  37 39 34 34 31 31 46 34 32 33 30 42 34 36 44 36   794411F4230B46D6
00c0  35 36 36 33 31 42 45 39 39 41 36 43 36 37 42 44   56631BE99A6C67BD
00d0  43 33 35 42 42 44 36 44 42 45 37 34 36 00 01 0d   C35BBD6DBE746...

whereas the server with which I am having problems, did not (or at least that's the assumption):

0080  39 33 39 37 32 33 46 00 01 01 01 0d 0d 41 55 54   939723F......AUT
0090  48 5f 50 41 53 53 57 4f 52 44 01 40 40 00 00 00   H_PASSWORD.@@...
00a0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00b0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00c0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00d0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 0d   ................

Does anyone know of a security/configuration setting that would prevent passwords from being transmitted even though they are present in the connection string?

Edit (20180713):

In my particular case, the issue was the FIPS setting.

For those doing research, there are several ways around this.

You can alter the registry setting located at HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled. If FIPS is enabled, the value is 1. If disabled, the value is 0. You do not need to reboot.
Most likely, the reason why you are running into this issue is that FIPS is enabled and you are using the Oracle managed data access library. A solid workaround is to use the unmanaged library. However, to use this library, you need to install the Oracle Instant Client. The client is available for download in the Oracle Data Access Components.
Upgrade your server to Oracle 12.2c. Oracle 12c versions before 12.2c still have this problem.

If you do not have FIPS enabled, the most likely you will need to investigate whether your database has the SEC_CASE_SENSITIVE_LOGON setting set to true. You will need to execute ALTER SYSTEM SET SEC_CASE_SENSITIVE_LOGON = FALSE; and then reset all of your passwords.

Toe answered 16/10, 2014 at 18:0 Comment(7)

Shot in the dark, perhaps: I appreciate that you wouldn't want to share the username and password with us, but would it at least be possible to share with us which non-alphanumeric characters they use, if any? – Ayo 16/10, 2014 at 19:9

All are standard, alpha characters (d,g,c,m,n,e). All are lower-case. No digits. I believe you might be referring to some problems logging on to oracle where the username and/or password have special characters like an 'e' with a diacritical mark. At this point having something simple like that would be a god-send. :-) – Toe 16/10, 2014 at 19:13

Actually, I was thinking more iabout symbols, such as : or ?. If your username and password do contain just lowercase letters, all I can do is wish you luck. Sorry! – Ayo 16/10, 2014 at 19:17

Shot in the dark: is the oracle patched to the same version on the Oracle server and on the machine trying to connect? Are they both using the same 32 bit or 64 bit Oracle version? – Carolanncarole 16/10, 2014 at 20:37

I'm going to have to check into your questions, StarPilot. The version of Oracle.ManagedDataAccess I'm using is the 64-bit version 12.1.0.1.2 Release 2. The Oracle database is 12c. However, the server is 64-bit and on the server, my DBA has installed Oracle Forms and Reports for 11g. The ODAC for 11g was installed on the server as well, but it looked like that wasn't installed correctly because it wasn't listed in the installed components list and I had to remove the files and registry entries manually. Don't know if Forms & Reports is 32 bit and assuming 12C is 64-bit. – Toe 16/10, 2014 at 22:7

Had same issue, but my troubleshooting procedures were different. Here's my SO question, which I was able to fix with the same accepted answer as here: dba.stackexchange.com/questions/142085/… – Volvulus 24/6, 2016 at 13:39

Check the case of user name and password. – Vagrancy 8/6, 2019 at 7:50

I have been struggling with this same issue for a couple of weeks and finally have a resolution. I had to disable the FIPS security policy, try setting this key:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy] "Enabled"=dword:00000000

to zero, it worked perfectly for me

I was following your thread your blank password issue eventually pointed me here:

https://community.oracle.com/thread/2557592?start=30&tstart=0

Blackmarketeer answered 31/10, 2014 at 19:34 Comment(4)

Ran into this issue and posted my own question, not knowing if I was seeing the same as you -- dba.stackexchange.com/questions/142085/… -- turns out I had the same problem, and this was how it was suggested I fix mine, too. Worked! So linking this question to mine, in case others go through a different troubleshooting procedure to arrive at where I was. – Volvulus 24/6, 2016 at 13:38

Where FIPS must be disabled, on web server or db server oracle? – Tagalog 12/11, 2019 at 17:37

thank you so much, after I disabled SSL 3 and TLS 1.1 the database cannot connected, and need to set this – Tobe 1/3, 2021 at 11:0

You have saved my life. Thanks alot – Procopius 4/5, 2021 at 13:47

Based on Jeff's answer (10/31/2014)...

The registry setting can be set by GPO to only allow FIPS compliant algorithms. Setting this to 0 as indicated may be a violation of some security policies and get overwritten by the GPO. This registry setting controls more than just IIS or ASP.NET.

There is another way that is specific to .NET and may work at the application level. This is much easier to justify compared to modifying the settings of the whole server.

Application specific method:

In your Web.config or App.config file, add the following setting:

<configuration> <!-- Will already be there -->
  <runtime>
    <enforceFIPSPolicy enabled="false"/>
  </runtime>
...  the rest of your .config

If I remember correctly, this must be at the beginning of your config file.

All .NET application method:

Place the setting above in the machine.config file. There will be one for each .NET version and architecture (64 bit/32 bit). There will already be a element, so put the element inside it.

Sabba answered 6/11, 2014 at 21:59 Comment(1)

The most important thing at this point is that the problem is identified. You hit the nail on the head about security which is why I don't really want to use the registry setting. I don't really want to use the enforceFIPSPolicy element to the web.config because you're still doing an end-run around security requirement; just on a per application basis. Thanks for the tip about placing it in the beginning of the config file. It may be useful sometime in the future. – Toe 10/11, 2014 at 12:6

I had the same issue using Entity Framework and the Oracle.ManagedDataAccess.Client, but I had some success by uppercasing my password in the configuration connection string section.

Martinemartineau answered 22/10, 2018 at 22:5 Comment(0)

I'm programming in C # with an Oracle xe 11g database, it had never happened to me before, but the new users that I created in the DB, when I tried to connect from the C# application, I got the error: ORA-01017: invalid username / password ; logon denied, only with new users (I did a migration from xe 10g to xe 11g) where migrated users from version 10g worked correctly.

I made this change in my connection string and managed to solve the problem

before

private string cadenaCone = "User Id=AAA111;Password=BBB222;Data Source=CCC333;Connection Timeout=60;";

after

private string cadenaCone = "User Id=AAA111;Password=" + ((char)34).ToString() + "BBB222"+((char)34).ToString()+";Data Source=CCC333;Connection Timeout=60;";

Sailboat answered 27/1, 2021 at 13:21 Comment(0)

I did not quite have the same scenario as this case does, but I did have very similar results. What I did to sort out the problem was, I enclosed the password in quotes like the following (VB.NET):

cnx.ConnectionString = "User ID=MYID;Password=""MyPass"" ;Data Source=MyTEST"

or use chr(34) as follows

cnx.ConnectionString = "User ID=MYID;Password="+chr(34)+"MyPass"+chr(34)+" ;Data Source=MyTEST"

Doersten answered 7/1, 2016 at 11:19 Comment(0)

I had exactly same issue. When I was connecting to database directly from SqlDeveloper, it was working fine. But my application ( built on VB6) failed to connect to Oracle and giving error "ORA-01017 Invalid ID/password.
After turning off, case sensitive login for my database ID, it resolved the issue.

Schrock answered 4/1, 2018 at 19:39 Comment(0)

I had the same problem! I didn't try changing the RegKey but I did try changing the web and machine config. This did not work.

What did solve the problem was changing the app pool I was running under!

The App Pool was running under a service account and once I moved it to a new App Pool with just the default system account it started picking up the User ID and Password from the config.

Cunnilingus answered 13/7, 2018 at 1:24 Comment(0)

I was trying with the command:

ALTER SYSTEM SET SEC_CASE_SENSITIVE_LOGON = FALSE;

But it didn't work. I had to change it using the SQL Developer in the DBA tab.

Find the Parameter 'sec_case_sensitive_logon' and change its value to 'FALSE'
Commit your changes using the button:
It will ask the commit strategy and you have to choose both:
Click 'Apply'
I don't know if this step is required, but I also changed the user's password. (I set the same password)

In case, you don't know how to open the 'Initialization Parameters':

Open 'Oracle SQL Developer'
Go to 'View' menu and select 'DBA'
Choose a connection
And then click on 'Initialization Parameters'

Boffa answered 22/1, 2019 at 18:14 Comment(0)

For some reason (and have no idea why ) my c# code sends my username uppercased even though I write it as lowercase.

For example my username is kullaniciadi you may think uppercase of this would be KULLANICIADI but seems it's not. My server's locale is Turkish (I believe this is the reason) so uppercased version of my username becomes KULLANİCİADİ because in Turkish uppercase of i is İ and uppercase of ı is I. And this results invalid username error.

Had no control over database so can't change any settings on it.

Typing my username all uppercased solved the problem.

Also this only works in combination of accepted answer. If registry key mentioned in accepted answer is set to 1 then this answer may not work.

Spent lots of hours for this stupid thing. I'm writing this down so you won't.

Cushman answered 23/8, 2019 at 4:27 Comment(0)

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags