System.ArgumentException: ORA-28040: The database does not accept your client's authentication protocol; login denied.

[HernJer]

Maybe this is not the right place to ask but hoping to get some guidance.

After upgrading from :

• Oracle.EntityFrameworkCore 8.21.121 | Oracle.ManagedDataAccess.Core 3.21.120

To:

• Oracle.EntityFrameworkCore 8.23.40 | Oracle.ManagedDataAccess.Core 23.4.0

We began receiving an ORA-28040 error on applications attempting to connect to Oracle db. I have confirmed that going back to 8.21.121 | 3.21.120 stops the error from occurring.

We believe this has to do with the sec_case_sensitive_logon parameter on the database (Oracle 19c) as disabling this also stops the error on 8.23.40 | 23.4.0.

[alexkeh]

When you upgrade an Oracle DB client and you are different version of the Oracle DB server, older authentication protocols may no longer be supported by default on the client without explicitly allowing the older protocols.

That's what the ORA-28040 error typically means.

_ORA-28040 The database does not accept your client's authentication protocol; login denied. Cause No common authentication protocol was found between the database client and server. Action Set the values of the SQLNET.ALLOWED_LOGON_VERSION_SERVER and SQLNET.ALLOWED_LOGON_VERSIONCLIENT parameters on both the client and on the server to values that match the minimum software version supported in the system. This error is also raised when the client is authenticating to a user account which was created without a verifier suitable for the client software version. In this situation, the password of the account must be reset to generate the required verifier and allow the authentication to proceed successfully.

One thing of note is that SEC_CASE_SENSITIVE_LOGON is desupported in 23ai. It is a parameter associated with 10g version verifier. It could be a problem with using an old verifier that a 23ai client doesn't support.

[DaveLaa]

I have the same Problem. Well I use the Oracle.ManagedDataAccess also because I dont want to install an oracle client any more. Therefore there is no SqlNet.Ora file where I could put any configuration parameters in... Do I have to go back and stay forever on the older Oracle.ManagedDataAccess.Core 3.21.120 to be able to connect to my db now? Or is there (or will there be) a fix in the manager driver? What do I have to do exactly to be able to login again?

[alexkeh]

@DaveLaa You can set the SqlNetAllowedLogonVersionClient property on the OracleConfiguration class or OracleConnection class if you don't want to use a sqlnet.ora file.

[HernJer]

@DaveLaa You can set the SqlNetAllowedLogonVersionClient property on the OracleConfiguration class or OracleConnection class if you don't want to use a sqlnet.ora file.

this corrected my issue, thanks!

Add this line before injecting DBContext to set globally:

OracleConfiguration.SqlNetAllowedLogonVersionClient = OracleAllowedLogonVersionClient.Version11;

or set in OnConfiguring within the context:

protected override void OnConfiguring(DbContextOptionsBuilder optionsBuilder)
{
    OracleConfiguration.SqlNetAllowedLogonVersionClient = OracleAllowedLogonVersionClient.Version11;
    optionsBuilder.UseOracle("<your_connection_string>");        
}

[will-scc]

Sorry to comment on a closed issue, but I've come across this after upgrading a .NET 6 app to .NET 8.

Although setting OracleConfiguration.SqlNetAllowedLogonVersionClient = OracleAllowedLogonVersionClient.Version11; in the app somewhere before the first connection works for runtime, I'm hitting the same error when trying to scaffold with EF.

When using Scaffold-DbContext where/how can I set OracleAllowedLogonVersionClient?

[alexkeh]

@will-scc You can set SQLNET.ALLOWED_LOGON_VERSION_CLIENT in your sqlnet.ora config file.

Alternatively, if you execute scaffolding from a command line that supports PowerShell, you should be able to set OracleConfiguration properties like any other .NET API.

[will-scc]

@alexkeh Using Oracle.ManagedDataAccess.Core so don't have an sqlnet.ora file.

Can you provide an example of how to set OracleConfiguration.SqlNetAllowedLogonVersionClient via PowerShell? I've tried all sorts of varations on

using namespace Oracle.ManagedDataAccess.Client

[Oracle.ManagedDataAccess.Client.OracleConfiguration]::SqlNetAllowedLogonVersionClient = OracleAllowedLogonVersionClient.Version11;

Scaffold-DbContext ...

(which gives Unable to find type [Oracle.EntityFramework.Core.OracleConfiguration] error)

I'm not even sure if that's correct, and I've struggled to find any documentation explaining how that's meant to be done.

Appreciate the help.

[alexkeh]

You can create your own sqlnet.ora file to use and put it in the same directory as your tnsnames.ora. If you don't have a tnsnames.ora, you can add Tns_Admin=<Directory> to your connection string with the directory where the sqlnet.ora file is located.

With respect to PowerShell, I know how to run .NET code within it. However, I'm not sure how to mix a command line operation with a .NET program.

[will-scc]

Thanks @alexkeh, putting a sqlnet.ora file in the project with the EF context/models worked. I didn't even need to specify its location via TNS_ADMIN in the connection string (I guess Oracle.ManagedDataAccess.Core checks for it anyway).

[monsm]

When I modify the OracleConfiguration or OracleConnection, the SqlNetAllowedLogonVersionClient equals oracleallowedlogonversionclient.Version11 returns ora-50008, then looks at Oracle.Manageddataaccess source code found that there are only 12 and 12A, source code:

internal void ValidateVerifierTypeBasedOnALV(string strAllowedLogonVersion = null) { try { if (ProviderConfig.m_bTraceLevelPrivate) Trace.Write(OracleTraceLevel.Private, OracleTraceTag.Entry | OracleTraceTag.SvcObj, OracleTraceClassName.OracleConnectionImpl, OracleTraceFuncName.ValidateVerifierTypeBasedOnALV, this.TraceObj); if (string.IsNullOrEmpty(strAllowedLogonVersion)) strAllowedLogonVersion = this.m_strAllowedLogonVersion; if (string.IsNullOrEmpty(strAllowedLogonVersion)) { if (18453 != this.m_verifierType && 6949 != this.m_verifierType) throw new OracleException(28040, string.Empty, string.Empty, OracleStringResourceManager.GetErrorMesgWithErrCode(28040)); } else { switch (strAllowedLogonVersion) { case "12a": if (18453 == this.m_verifierType) break; throw new OracleException(28040, string.Empty, string.Empty, OracleStringResourceManager.GetErrorMesgWithErrCode(28040)); case "12": if (18453 == this.m_verifierType || 6949 == this.m_verifierType && OracleConnectionImpl.HasServerCompileTimeCapability(this.m_serverCompiletimeCapabilities, 4, (byte) 2)) break; throw new OracleException(28040, string.Empty, string.Empty, OracleStringResourceManager.GetErrorMesgWithErrCode(28040)); } } } finally { if (ProviderConfig.m_bTraceLevelPrivate) Trace.Write(OracleTraceLevel.Private, OracleTraceTag.Exit | OracleTraceTag.SvcObj, OracleTraceClassName.OracleConnectionImpl, OracleTraceFuncName.ValidateVerifierTypeBasedOnALV, this.TraceObj); } }

Here are some of my revised attempts: 1、Version = 12a, return ora-28040 2、Version = 12, return ora-28040 3、Version = 11, return ora-50008 4.、version = 10, return ora-50008 5、version = 9, return ora-50008 6、version = 8, return ora-50008

[alexkeh]

@monsm I'm not familiar with ORA-50008. Is there an exception and inner exception that indicates what error it has?

Which ODP.NET version are you using? It looks like you are using managed ODP.NET.

Which DB authentication protocol version you are trying to connect with?

[monsm]

@alexkeh , thank you for your assistance. I am currently using the latest version of Oracle.ManagedDataAccess, version 23.4.0（ https://www.nuget.org/packages/Oracle.ManagedDataAccess/23.4.0?_src=template ）, and I am not using any ora files. My database connection string is:

Data Source=(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=X.X.118.152)(PORT=20012))(CONNECT_DATA=(SERVICE_NAME=mpac)));User Id=XXXXX;Password=XXXXXX;Pooling=false;

The Oracle server database version I am trying to connect to is 11g (11.2.0.4.0 64bit). With version 21.14.0 of ODP.NET, I was able to connect without any issues. However, after upgrading to version 23.4.0, I started experiencing problems.

I have detailed exception information regarding the ORA-50008 error. This error occurs when I set OracleConfiguration.SqlNetAllowedLogonVersionClient to OracleAllowedLogonVersionClient.Version11, and similarly for Version10, Version9, and Version8. When I use Version12 or Version12a, instead of an exception, I receive an ORA-28040 error message. I will reply with an image containing the exception details for your reference.

Do you have any information on the compatibility of ODP.NET version 23.4.0 with Oracle 11g? Could you provide further guidance on this issue?

[monsm]

@alexkeh When I just set the oracleconfiguration. Sqlnetallowedlogonversionclient = oracleallowedlogonversionclient.version11 ,Feedback ora-50008 , when I set only oracleconnection. Sqlnetallowedlogonversionclient = oracleallowedlogonversionclient. Version11 is working, thank you, problem solved

[alexkeh]

@monsm ODP.NET 23ai supports Oracle DB 19c and higher only.

If you continue to use Oracle DB 11.2.0.4, I recommend remaining with ODP.NET 21c or 19c. However, there's no guarantee that newer 21c and 19c version will work with DB 11.2.0.4. DB 11.2 has been desupported by Oracle and we've largely stopped testing any new releases with that DB version.

[monsm]

@monsm ODP.NET 23ai supports Oracle DB 19c and higher only.

If you continue to use Oracle DB 11.2.0.4, I recommend remaining with ODP.NET 21c or 19c. However, there's no guarantee that newer 21c and 19c version will work with DB 11.2.0.4. DB 11.2 has been desupported by Oracle and we've largely stopped testing any new releases with that DB version.

Thank you for your advice

[CenturySparkle]

@monsm ODP.NET 23ai supports Oracle DB 19c and higher only.

If you continue to use Oracle DB 11.2.0.4, I recommend remaining with ODP.NET 21c or 19c. However, there's no guarantee that newer 21c and 19c version will work with DB 11.2.0.4. DB 11.2 has been desupported by Oracle and we've largely stopped testing any new releases with that DB version.

I'm on 12c and the latest v23 of Oracle.ManagedDataAccess.Core failed. I downgraded to 3.21 and that failed as well. I downgraded further to 2.19 and that finally worked.

[us2ahmad]

I used dotnet 8 Thanks to whoever developed this solution After searching for a solution to the problem, the solution was found here OracleConfiguration.SqlNetAllowedLogonVersionClient = OracleAllowedLogonVersionClient.Version11;