In Oracle 12c for Windows, it is possible to use a Managed Service Account (MSA) to run the Oracle services, improving security (by not using the over-privileged Local System account) and avoiding the pain of changing a domain account's password regularly.
However, I found very little support information on the internet when I first started deploying 12c on Windows with MSAs, so I've written this post to help others.
Basically, an MSA is a domain account whose password is generated and rotated automatically by Active Directory (every 30 days by default, following the domain's computer-account password policy), so no person ever needs to know it. It is granted only the privileges the Oracle services need, which protects the other files on the database host from database users. It is safest to have a dedicated MSA for each host, or more than one if databases sharing a host need to be protected from each other.
After a system administrator provided me with an MSA, I installed Oracle 12c RDBMS using the MSA for the Oracle Home User. The password field was greyed out, which is as expected. (Ignore forum posts that say a password has to be entered the first time. The DBA does not need to know the MSA password).
However, when I tried to create a listener, I was prompted for the MSA password.
The installation logs showed that the registry entry ORACLE_SVCUSER_PWDREQ was set to 0 initially, but at some stage it changed to 1, which resulted in the configuration tools asking for a password.
I set ORACLE_SVCUSER_PWDREQ=0 manually, preventing the password prompt. I went ahead and created the listener and database, but then I couldn’t create remote sessions (via the listener).
11-APR-2016 13:54:18 * (CONNECT_DATA=(CID=(PROGRAM=SQLcl)(HOST=__jdbc__)(USER=myuser))(SERVER=DEDICATED)(SERVICE_NAME=MYSERVICE)) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.nn.nn.nn)(PORT=61333)) * establish * MYSERVICE * 12518
TNS-12518: TNS:listener could not hand off client connection
 TNS-12560: TNS:protocol adapter error
  TNS-00534: Failed to grant connection ownership to child
   64-bit Windows Error: 10022: Unknown error
The event log showed:
An account failed to log on.
...
Failure Information:
 Failure Reason: Unknown user name or bad password.
 Status: 0xc000006d
 Sub Status: 0xc000006a
(This is Security event 4625. Status 0xC000006D is STATUS_LOGON_FAILURE and sub-status 0xC000006A is STATUS_WRONG_PASSWORD: the service was presenting a password for the MSA that the domain controller did not accept.)
Something wasn't right with the MSA. The system administrator deleted and recreated the MSA, both on the database server and in AD. However, I had to deinstall and reinstall 12c (patches and all) before remote connections would succeed. When reinstalling 12c, the value of ORACLE_SVCUSER_PWDREQ was set to 0 without intervention and no passwords were requested.
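The registry value and the service log-on account are the two things worth checking before deinstalling anything. The following is an added example, not code from the original post: it lists every Oracle home's ORACLE_SVCUSER and ORACLE_SVCUSER_PWDREQ, shows which account each Oracle service actually logs on as (an MSA appears as DOMAIN\name$), and re-applies ORACLE_SVCUSER_PWDREQ=0 for a home whose Oracle Home User is an MSA. The home key name (KEY_OraDB12Home1) is a placeholder; the function names are mine. It assumes the value is stored as REG_SZ like Oracle's other home settings. Run it in an elevated PowerShell on the database host.

```powershell
# Added example (not from the original post): check an Oracle 12c home on Windows
# for a passwordless Oracle Home User (an MSA) and, if needed, clear the
# password requirement. Written for the PowerShell 2.0 that ships with 2008 R2.

function Get-OracleHomeUserConfig {
    # Each Oracle home registers a KEY_<HomeName> subkey under HKLM\SOFTWARE\ORACLE
    # holding ORACLE_HOME, ORACLE_SVCUSER and ORACLE_SVCUSER_PWDREQ
    # (0 = the configuration tools must not ask for a password, 1 = they will).
    Get-ChildItem -Path 'HKLM:\SOFTWARE\ORACLE' |
        Where-Object { $_.PSChildName -like 'KEY_*' } |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            New-Object PSObject -Property @{
                HomeKey    = $_.PSChildName
                OracleHome = $p.ORACLE_HOME
                SvcUser    = $p.ORACLE_SVCUSER
                PwdReq     = $p.ORACLE_SVCUSER_PWDREQ
            }
        }
}

function Get-OracleServiceLogon {
    # Services running as an MSA show StartName as DOMAIN\name$ (note the trailing $).
    # Anything running as LocalSystem or a plain domain user is not using the MSA.
    Get-WmiObject -Class Win32_Service -Filter "Name LIKE 'Oracle%'" |
        Select-Object Name, State, StartName,
            @{ n = 'RunsAsMSA'; e = { $_.StartName -like '*$' } }
}

function Set-OracleSvcUserPwdNotRequired {
    # Re-applies what the installer should have done for an MSA home user.
    # Refuses for a normal domain user, which genuinely needs a stored password.
    param([Parameter(Mandatory = $true)][string]$HomeKey)   # e.g. KEY_OraDB12Home1 (placeholder)
    $path = "HKLM:\SOFTWARE\ORACLE\$HomeKey"
    $svcUser = (Get-ItemProperty -Path $path).ORACLE_SVCUSER
    if ($svcUser -notlike '*$') {
        throw "ORACLE_SVCUSER '$svcUser' is not an MSA; leaving ORACLE_SVCUSER_PWDREQ alone."
    }
    # Assumption: the value is REG_SZ like Oracle's other home settings;
    # add -Type DWord if your home stores it as a DWORD.
    Set-ItemProperty -Path $path -Name 'ORACLE_SVCUSER_PWDREQ' -Value '0'
}

Get-OracleHomeUserConfig | Format-Table -AutoSize
Get-OracleServiceLogon   | Format-Table -AutoSize
# Set-OracleSvcUserPwdNotRequired -HomeKey 'KEY_OraDB12Home1'
```

If Get-OracleServiceLogon shows the services logging on as the MSA but Security event 4625 still reports a bad password for it, the problem is on the MSA side (the host can no longer retrieve the account's current password), not in the Oracle registry, and clearing ORACLE_SVCUSER_PWDREQ will not fix it.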
Notes to Help the System Administrator
These notes relate to a Windows Server 2008 R2 environment.
An example of setting it up:
This blog is a good example of the steps taken to create, associate, install and configure an MSA to run a service:
It doesn’t mention the hotfix which may be required to prevent problems after the password changes automatically:
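The create, associate and install steps above, as an added example that is not part of the original post or the linked blog. The account name msa-oradb01 and host ORADB01 are placeholders and the function names are mine; the cmdlets are the ones in the Active Directory module on Windows Server 2008 R2. Part 1 runs wherever the AD module and the rights to create accounts are (a domain controller or an admin workstation); part 2 runs on the database host, as an administrator, before the Oracle installer is started, and is the check to repeat after the first automatic password rotation.

```powershell
# Added example (not from the original post): MSA lifecycle for an Oracle host on
# Windows Server 2008 R2. 'msa-oradb01' and 'ORADB01' are placeholders.

Import-Module ActiveDirectory

# ---- Part 1: in AD (one MSA per database host, as the post recommends) ----
function New-OracleHostMSA {
    param(
        [Parameter(Mandatory = $true)][string]$AccountName,   # 15 chars or fewer on 2008 R2
        [Parameter(Mandatory = $true)][string]$HostName       # computer account the MSA is tied to
    )
    # Created in the default Managed Service Accounts container; AD generates the password.
    New-ADServiceAccount -Name $AccountName -Enabled $true `
        -Description "Oracle Home User on $HostName"
    # Tie the MSA to exactly this host: only its computer account may retrieve the password.
    Add-ADComputerServiceAccount -Identity $HostName -ServiceAccount $AccountName
}

# ---- Part 2: on the database host ----
function Install-OracleHostMSA {
    param([Parameter(Mandatory = $true)][string]$AccountName)
    # Caches the MSA locally so services can log on as DOMAIN\name$ without a stored password.
    Install-ADServiceAccount -Identity $AccountName
    # False here means the host cannot retrieve the current password, which is exactly
    # the state that produces the bad-password logon failures described in the post.
    if (-not (Test-ADServiceAccount -Identity $AccountName)) {
        throw "Host cannot use MSA $AccountName; check the computer-account link and the 2008 R2 hotfix."
    }
}

# Usage:
# New-OracleHostMSA -AccountName 'msa-oradb01' -HostName 'ORADB01'
# Install-OracleHostMSA -AccountName 'msa-oradb01'
```

Uninstall-ADServiceAccount removes the cached MSA from a host if the account has to be recreated, but as the post notes, a home installed against the old MSA may still need to be deinstalled and reinstalled before the Oracle services log on cleanly.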