By default, Oracle Database 12c Release 2 (12.2) and later releases use Exclusive Mode authentication protocols. Exclusive Modes do not support case-insensitive password-based authentication.
Accounts that have only the 10G password version become inaccessible when the server runs in an Exclusive Mode.
In previous Oracle Database releases, you could configure the authentication protocol so that it allows case-insensitive password-based authentication by setting SEC_CASE_SENSITIVE_LOGON=FALSE. Starting with Oracle Database 12c release 2 (12.2), the default password-based authentication protocol configuration excludes the use of the case-insensitive 10G password version. By default, SQLNET.ALLOWED_LOGON_VERSION_SERVER is set to 12, which is an Exclusive Mode. When the database is configured in Exclusive Mode, the password-based authentication protocol requires that one of the case-sensitive password versions (12C) is present for the account being authenticated. This mode excludes the use of the 10G password version used in earlier releases. After upgrading to Oracle Database 12c release 2 and later releases, accounts that have only the case-insensitive 10G password version become inaccessible. This change occurs because the server runs in an Exclusive Mode by default. When Oracle Database is configured in Exclusive Mode, it cannot use the old 10G password version to authenticate the client. The server is left with no password version with which to authenticate the client.
For greater security, Oracle recommends that you leave case-sensitive password-based authentication enabled. This setting is the default. However, you can temporarily disable case-sensitive authentication during the upgrade to new Oracle Database releases. After the upgrade, you can then decide if you want to enable the case-sensitive password-based authentication feature as part of your implementation plan to manage your password versions.
Before upgrading, Oracle recommends that you determine if this change to the default password-based authentication protocol configuration affects you. Perform the following checks:
Identify if you have accounts that use only 10G case-insensitive password authentication versions.
Identify if you have Oracle Database 11g release 2 (220.127.116.11) database or earlier clients that have not applied critical patch update CPUOct2012, or a later patch update, and have any account that does not have the case-insensitive
Ensure that you do not have the deprecated parameter SEC_CASE_SENSITIVE_LOGON set to FALSE. Setting this parameter to FALSE prevents the use of the case-sensitive password versions (the 12C password versions) for authentication.
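The following queries are an added example, not part of the original Oracle text, showing one way to run the account and parameter checks above from SQL*Plus before the upgrade. They assume a session with SELECT privilege on the DBA_USERS and V$PARAMETER views; the column aliases are illustrative.

```sql
-- Added example: pre-upgrade audit of password versions.
-- Assumption: run as a user that can query DBA_USERS and V$PARAMETER.
-- DBA_USERS.PASSWORD_VERSIONS is a space-separated list, e.g. '10G 11G 12C'.

-- 1. Accounts that carry only the case-insensitive 10G version. These are the
--    accounts that become inaccessible when the server runs in Exclusive Mode.
--    TRIM guards against padding in the stored value.
SELECT username,
       account_status,
       TRIM(password_versions) AS password_versions
FROM   dba_users
WHERE  TRIM(password_versions) = '10G'
ORDER  BY username;

-- 2. Overview of every combination in use, so the 10G-only population can be
--    sized against the whole. Accounts without a database password
--    (for example externally authenticated ones) appear as '(none)'.
SELECT NVL(TRIM(password_versions), '(none)') AS versions,
       COUNT(*)                               AS accounts
FROM   dba_users
GROUP  BY NVL(TRIM(password_versions), '(none)')
ORDER  BY versions;

-- 3. Current value of the deprecated parameter. FALSE means the
--    case-sensitive versions are not used for authentication.
SELECT name, value, isdefault
FROM   v$parameter
WHERE  name = 'sec_case_sensitive_logon';

-- 4. Generate (do not execute) PASSWORD EXPIRE statements for open 10G-only
--    accounts. This corresponds to the expire-and-log-in option described
--    under "Options for Accounts Using Case-Insensitive Versions".
--    Usernames are double-quoted to preserve case.
SELECT 'ALTER USER "' || username || '" PASSWORD EXPIRE;' AS remediation_sql
FROM   dba_users
WHERE  TRIM(password_versions) = '10G'
AND    account_status = 'OPEN'
ORDER  BY username;
```

Re-run query 1 after the affected users have logged in and changed their passwords; any account still listed remains 10G-only.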
Options for Accounts Using Case-Insensitive Versions
If you have user accounts that have only the case-insensitive 10G password version, then you must choose one of the following alternatives:
Before upgrade, update the password versions for each account that has only the 10G password version. You can update the password versions by expiring user passwords using the 10G password version, and requesting that these users log in to their account. When they attempt to log in, the server automatically updates the list of password versions, which includes the case-sensitive password versions.
Change the setting of the SQLNET.ORA parameter SQLNET.ALLOWED_LOGON_VERSION_SERVER to any of the settings that are not Exclusive Mode. For example: