Enabling OS authentication for Oracle databases running on Windows prevents password authenticated connections from other domains without trust relationships. Eg, RMAN running in the pre-production domain wouldn’t be able to use a database account password to connect to an RMAN catalogue database in the production domain.
Setting SQLNET_AUTHENTICATION_SERVICES=(NTS) triggers Oracle to check group membership of the client’s domain account, assuming that it will be resolvable by the host. If it isn’t, (no trust relationship with the client’s domain), then even if a password is supplied (or wallet used), then the connection attempt will fail with ORA-12638.
One workaround is to set SQLNET_AUTHENTICATION_SERVICES=(NONE), but doing so disables OS authentication, including the very handy: “connect / as sysdba”.
Another is to use JDBC thin drivers, which obscure the domain name from the OS user.
The domain name can also be hidden (or at least the relevant NTS authentication code bypassed) using the runas command. This method allows scripts to be wrapped and scheduled, eg RMAN backups.
The runas command is directed to use a fake user and password combination, but it silently fails, but as a side effect, the domain name is stripped out of the information sent to the remote database.
This example shows how to create a non-interactive batch file that can run an RMAN backup when the catalogue database is in a different domain. (Authentication is achieved by a password stored in the wallet referenced by %TNS_ADMIN%/sqlnet.ora).
@echo off echo 'nosuchpw' | runas /noprofile /netonly /user:nosuchuser "C:\ORADBA\rman.bat ORCL D:\oracle\22.214.171.124_db1"
@echo off cd /D C:\temp set TNS_ADMIN=D:\oracle\RMAN\TNSADMIN set ORACLE_SID=%1% set NLS_DATE_FORMAT=DD-MON-YYYY HH24:MI:SS cmd /k %2%\BIN\rman target / catalog=/@rmancat exit /B