Windows Authentication No Longer Uses NTLM by Default

In this Oracle Database release, for Microsoft Windows installations with SQLNET.AUTHENTICATION_SERVICES=NTS, the SQLNET.NO_NTLM parameter in the sqlnet.ora file defaults to TRUE, which can cause ORA-12638 errors.

Date: August 2023

In previous releases, the default for SQLNET.NO_NTLM with SQLNET.AUTHENTICATION_SERVICES=NTS was FALSE. SQLNET.NO_NTLM controls whether NTLM can be used with NTS authentication. A TRUE setting means that NTLM cannot be used in NTS authentication. Because NTLM does not normally provide mutual authentication, it is less secure, so setting SQLNET.NO_NTLM to TRUE makes the database and client more secure.

The SQLNET.NO_NTLM parameter is used on both the server and the client. If you have upgraded a Microsoft Windows installation of Oracle Database, or upgraded a client in which SQLNET.NO_NTLM had not been set, then its default will be TRUE. In that case, when you have SQLNET.AUTHENTICATION_SERVICES=NTS in your sqlnet.ora, clients can encounter the error ORA-12638: Credential retrieval failed.

If you prefer to use NTLM authentication for certain clients, then set this parameter as required in client-side sqlnet.ora files:

SQLNET.NO_NTLM=FALSE

You must include this setting on both the server and client, and this setting should be the same on both. Ideally, you should ensure that SQLNET.NO_NTLM is set to TRUE. However, if there is an authentication failure in extproc, a virtual account, or a local account on Windows, set the client SQLNET.NO_NTLM to FALSE, and then retry the login. If you change SQLNET.NO_NTLM on the server, then you must restart the database.
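
The following added example (not Oracle code) audits a server and client sqlnet.ora pair for the conditions described above: an unset SQLNET.NO_NTLM that now defaults to TRUE, an explicit FALSE that permits NTLM, and a server/client mismatch. The function names and the sample file contents are constructed for illustration. The parser assumes single-line NAME = value entries and that both files belong to a release with the TRUE default.

```python
import re

NO_NTLM_DEFAULT = True  # default in the release this page describes

def parse_sqlnet(text):
    """Parse single-line NAME = value entries; names are upper-cased."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if "=" in line:
            name, value = line.split("=", 1)
            params[name.strip().upper()] = value.strip()
    return params

def effective(params):
    """Return (uses_nts, no_ntlm, explicit) for one parsed sqlnet.ora."""
    services = params.get("SQLNET.AUTHENTICATION_SERVICES", "")
    uses_nts = "NTS" in (s.upper() for s in re.findall(r"\w+", services))
    explicit = "SQLNET.NO_NTLM" in params
    no_ntlm = (params["SQLNET.NO_NTLM"].upper() == "TRUE") if explicit else NO_NTLM_DEFAULT
    return uses_nts, no_ntlm, explicit

def audit(server_text, client_text):
    """Return (code, side) findings for a server/client sqlnet.ora pair."""
    s_nts, s_no, s_exp = effective(parse_sqlnet(server_text))
    c_nts, c_no, c_exp = effective(parse_sqlnet(client_text))
    if not (s_nts or c_nts):
        return []  # NTS not in use, so SQLNET.NO_NTLM is irrelevant
    findings = []
    if s_no != c_no:
        findings.append(("MISMATCH", "both"))  # page: must match on both sides
    for side, no_ntlm, explicit in (("server", s_no, s_exp), ("client", c_no, c_exp)):
        if not no_ntlm:
            findings.append(("NTLM_ALLOWED", side))  # weaker, no mutual auth
        elif not explicit:
            findings.append(("DEFAULT_TRUE", side))  # ORA-12638 candidate after upgrade
    return findings

# Constructed sample files: upgraded server with no explicit setting,
# client pinned to NTLM.
SERVER = "# constructed server sqlnet.ora\nSQLNET.AUTHENTICATION_SERVICES = (NTS)\n"
CLIENT = ("# constructed client sqlnet.ora\n"
          "sqlnet.authentication_services = (NTS)\n"
          "SQLNET.NO_NTLM = FALSE   # legacy client\n")

if __name__ == "__main__":
    for code, side in audit(SERVER, CLIENT):
        print(code, side)
```
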