ORA-28040: No Matching Authentication Protocol – Complete Oracle Database Troubleshooting Guide
The ORA-28040: No Matching Authentication Protocol error is one of the most common authentication issues encountered after upgrading an Oracle Database, Oracle Client, or middleware application. It typically appears when an older client attempts to connect to a newer Oracle database that no longer supports legacy authentication protocols.
This guide explains everything you need to know about the ORA-28040 error, including its causes, how Oracle authentication works, troubleshooting techniques, multiple solutions, best practices, and preventive measures. Whether you are an Oracle DBA, System Administrator, Developer, or Infrastructure Engineer, this article provides a practical, production-ready approach to resolving the issue safely.
What is ORA-28040?
The ORA-28040 error indicates that the authentication protocol used by the Oracle client is not compatible with the authentication protocol accepted by the Oracle Database server.
In simple terms, the client and database cannot agree on a common authentication method during the login process, causing the connection request to fail immediately.
The complete error message usually appears as:
ORA-28040: No matching authentication protocol
Depending on the application, you may also see additional errors such as:
ORA-01017: Invalid username/password ORA-03134: Connections to this server version are no longer supported ORA-12560: TNS: Protocol adapter error
Although these additional errors may appear together, the root cause is often the authentication protocol mismatch rather than an incorrect username or password.
When Does ORA-28040 Occur?
This error commonly appears after one of the following situations:
- Oracle Database upgrade
- Oracle Client upgrade
- Migration to Oracle 19c or Oracle 21c
- Application server migration
- Replacing an old Oracle client with a newer release
- Connecting legacy software to a modern Oracle database
- Security hardening after database patching
- Changing SQLNET authentication parameters
Many administrators first encounter this error immediately after upgrading an Oracle database because newer releases disable outdated authentication methods by default.
Example Scenario
Imagine an organization running an Oracle 11g client that has successfully connected to an Oracle 11g database for several years.
The database is upgraded to Oracle 19c while the application server continues using the older Oracle 11g client libraries.
As soon as users attempt to connect, every login fails with:
ORA-28040: No matching authentication protocol
The database itself is healthy, the listener is running, and the credentials are correct. The failure occurs solely because the authentication protocol expected by Oracle 19c differs from the one supported by the old Oracle 11g client.
Understanding Oracle Authentication Protocols
To understand ORA-28040, it helps to know how Oracle authentication works.
Whenever a client connects to an Oracle database, the following sequence occurs:
- The client establishes a network session.
- The database listener accepts the request.
- The client proposes its supported authentication protocol.
- The database compares it with the allowed authentication versions.
- If a compatible version exists, authentication succeeds.
- If no compatible protocol exists, Oracle returns ORA-28040.
Older Oracle clients generally support earlier authentication mechanisms, while newer Oracle databases prioritize stronger encryption and improved password verification algorithms.
As Oracle improves database security, outdated authentication protocols are gradually removed from supported configurations.
Main Causes of ORA-28040
1. Outdated Oracle Client
This is the most common reason.
Older Oracle clients cannot negotiate the authentication protocol required by newer database releases.
Examples include:
- Oracle 10g Client
- Oracle 11.1 Client
- Early Oracle 11g releases
2. Database Upgrade
After upgrading to Oracle 18c, Oracle 19c, or Oracle 21c, stronger authentication becomes the default configuration.
Applications that previously worked without issue may suddenly begin generating ORA-28040 because the upgraded database rejects legacy authentication methods.
3. SQLNET Authentication Parameters
Oracle Net configuration files can enforce minimum authentication protocol versions.
If these parameters require newer authentication versions than the client supports, connections are denied.
Common parameters include:
SQLNET.ALLOWED_LOGON_VERSION_SERVER SQLNET.ALLOWED_LOGON_VERSION_CLIENT
4. Legacy Applications
Many enterprise applications bundle their own Oracle client libraries.
Even if the operating system contains a modern Oracle client, the application may still load an older Oracle DLL or shared library internally.
This hidden dependency frequently causes ORA-28040 after database upgrades.
5. Unsupported JDBC Drivers
Java applications often use Oracle JDBC drivers.
Older JDBC versions may not support the authentication requirements introduced in modern Oracle database releases.
Updating only the database without upgrading the JDBC driver can trigger authentication failures.
How to Diagnose ORA-28040
Before applying any fix, determine whether the issue originates from the client, server, or network configuration.
Step 1: Check the Database Version
SELECT * FROM v$version;
Example output:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0
Step 2: Check the Oracle Client Version
On Linux:
sqlplus -v
On Windows:
sqlplus.exe -v
Example:
SQL*Plus: Release 11.2.0.3.0
If the client version is significantly older than the database version, authentication incompatibility becomes a strong possibility.
Step 3: Verify SQLNET Configuration
Locate the sqlnet.ora file.
Typical locations include:
$ORACLE_HOME/network/admin ORACLE_HOME\network\admin
Look for authentication-related parameters that may restrict supported protocol versions.
SQLNET.ALLOWED_LOGON_VERSION_SERVER=12 SQLNET.ALLOWED_LOGON_VERSION_CLIENT=12
If these values are set higher than the capabilities of the connecting client, ORA-28040 may occur.
Step 4: Review Database Alert Log
The Oracle alert log can provide additional details regarding authentication failures.
Search for entries occurring at the same time as the failed login attempts.
tail -100 alert.log
The alert log often confirms that the connection was rejected during the authentication negotiation stage.
Business Impact of ORA-28040
Although ORA-28040 appears to be a simple login error, it can have significant operational consequences in enterprise environments.
- Application downtime
- Failed scheduled jobs
- Broken ETL processes
- Integration failures between systems
- Reporting interruptions
- User login failures
- Production service outages
- Compliance and security concerns
Because authentication is the first step in every Oracle connection, resolving ORA-28040 quickly is essential to restoring normal database operations.
Best Practice Before Applying Any Fix
Avoid making immediate changes to database authentication settings without understanding the security implications.
Lowering authentication requirements may temporarily restore connectivity, but it can also weaken database security if left in place permanently.
A better long-term strategy is to modernize client software, upgrade Oracle networking components, and align authentication protocols across all environments.
Method 1: Upgrade the Oracle Client (Recommended Solution)
The most reliable and Oracle-recommended solution for resolving ORA-28040: No Matching Authentication Protocol is to upgrade the Oracle Client to a version that supports the authentication protocol used by the Oracle Database server.
In most production environments, ORA-28040 occurs because the database has been upgraded while client software remains on an older release. Updating the client ensures compatibility with modern authentication standards and provides additional security improvements, performance enhancements, and bug fixes.
General Recommendation
| Database Version | Recommended Client Version |
|---|---|
| Oracle 19c | Oracle 19c Client or newer |
| Oracle 21c | Oracle 21c Client |
| Oracle 23ai | Oracle 23ai Client |
Keeping both the Oracle Database and Oracle Client on supported releases reduces the likelihood of authentication issues and simplifies future upgrades.
Method 2: Modify SQLNET Authentication Parameters
If upgrading the Oracle Client is not immediately possible, a temporary workaround is to allow the database server to accept an older authentication protocol.
This should only be considered during migration periods because it reduces the overall security posture of the Oracle environment.
Locate the sqlnet.ora File
Linux $ORACLE_HOME/network/admin/sqlnet.ora
Windows ORACLE_HOME\network\admin\sqlnet.ora
Example Configuration
SQLNET.ALLOWED_LOGON_VERSION_SERVER=11 SQLNET.ALLOWED_LOGON_VERSION_CLIENT=11
After modifying the configuration file, restart the database listener and attempt the connection again.
lsnrctl stop lsnrctl start
Depending on your Oracle environment, restarting the database instance may also be required for the changes to take full effect.
Lowering the allowed authentication version should only be used as a temporary compatibility solution. Once all clients have been upgraded, restore the recommended authentication settings.
Method 3: Upgrade Oracle JDBC Drivers
Java applications frequently connect to Oracle databases using JDBC drivers. Older JDBC driver versions may not support the authentication mechanisms required by newer Oracle database releases.
Applications running on WebLogic, Tomcat, WildFly, JBoss, Spring Boot, or other Java platforms should always use a JDBC driver compatible with the database version.
Example
| Old Driver | Recommended Upgrade |
|---|---|
| ojdbc6.jar | ojdbc8.jar |
| ojdbc7.jar | ojdbc11.jar |
After replacing the JDBC driver, restart the application server before testing database connectivity.
Method 4: Verify Oracle Net Configuration
Sometimes ORA-28040 is caused by an incorrect Oracle Net configuration rather than the authentication protocol itself.
Review the following files carefully:
- sqlnet.ora
- tnsnames.ora
- listener.ora
Ensure that:
- The database service name is correct.
- The hostname resolves correctly.
- The listener is running.
- The client connects to the intended Oracle home.
- No obsolete Oracle networking configuration remains.
Method 5: Check Which Oracle Client Is Being Used
On systems with multiple Oracle installations, applications may unknowingly load an outdated Oracle Client even after a newer version has been installed.
Verify the Oracle Home being used.
Windows
echo %ORACLE_HOME% echo %PATH%
Linux
echo $ORACLE_HOME echo $PATH
Ensure the newer Oracle Client appears before any legacy Oracle installations in the PATH environment variable.
Example Troubleshooting Workflow
- Confirm the Oracle Database version.
- Check the Oracle Client version.
- Review the sqlnet.ora configuration.
- Verify the JDBC driver version if using Java.
- Restart the listener.
- Test the connection using SQL*Plus.
- Upgrade the client if necessary.
- Retest the application.
Oracle Version Compatibility Overview
| Database | Older Client | Result |
|---|---|---|
| 19c | 10g | Likely ORA-28040 |
| 19c | 11.1 | Likely ORA-28040 |
| 19c | 11.2 | Depends on patch level |
| 19c | 12c | Generally Supported |
| 21c | 19c | Supported |
Real-World Production Example
A financial organization upgraded its production Oracle Database from Oracle 11g Release 2 to Oracle Database 19c during a scheduled maintenance window. Immediately after the upgrade, hundreds of users reported that they could no longer access a mission-critical application.
Initial investigation confirmed that the database instance and listener were operating normally. User accounts were unlocked, passwords were valid, and network connectivity was healthy. However, every connection attempt failed with the following message:
ORA-28040: No matching authentication protocol
The root cause was traced to an outdated Oracle 11g client installed on the application servers. Because the client could not negotiate the authentication protocol required by Oracle 19c, every login request was rejected before user authentication completed.
As an immediate workaround, the database administrator temporarily adjusted the SQLNET authentication settings to support the legacy client. During the next maintenance window, the application servers were upgraded to Oracle 19c Client, the temporary compatibility settings were removed, and the environment returned to Oracle's recommended security configuration.
This phased approach restored business operations quickly while ensuring the long-term security and supportability of the Oracle infrastructure.
Security Considerations
Although lowering the Oracle authentication protocol version may immediately resolve the ORA-28040: No Matching Authentication Protocol error, it should only be treated as a temporary workaround. Legacy authentication protocols were deprecated for security reasons and may not provide the same level of protection against modern cyber threats.
Oracle continuously enhances its authentication mechanisms to improve password security, encryption, and compliance with current security standards. Using supported Oracle Client and Database versions helps ensure that your environment benefits from these improvements.
How to Prevent ORA-28040 in Future Upgrades
Proper planning before upgrading an Oracle Database or Oracle Client can help prevent authentication compatibility issues and reduce application downtime.
Recommended Preventive Measures
- Maintain an inventory of all Oracle clients used across your environment.
- Verify client compatibility before upgrading the database.
- Test application connectivity in a staging or test environment.
- Keep Oracle Client, JDBC drivers, and middleware components up to date.
- Review Oracle Net configuration files before and after upgrades.
- Apply the latest Oracle Release Updates (RUs) and security patches.
- Document authentication-related configuration changes.
- Perform regular health checks after major infrastructure changes.
Following these best practices minimizes the risk of unexpected authentication errors and ensures smoother Oracle Database upgrade projects.
Common Mistakes to Avoid
- Assuming the username or password is incorrect without checking the client version.
- Changing SQLNET parameters directly in a production environment without testing.
- Ignoring bundled Oracle clients included with third-party applications.
- Using unsupported or outdated JDBC drivers.
- Failing to restart the listener after modifying Oracle Net configuration files.
- Leaving temporary compatibility settings enabled indefinitely.
- Skipping compatibility testing before a database upgrade.
Oracle DBA Troubleshooting Checklist
Use the following checklist when diagnosing ORA-28040:
Verify the Oracle Database version.Check the Oracle Client version.
Confirm the JDBC driver version (if applicable).
Review sqlnet.ora settings.
Verify the correct Oracle Home is in use.
Restart the Oracle Listener after configuration changes.
Test the connection using SQL*Plus.
Review the Oracle alert log for related authentication errors.
Upgrade unsupported clients whenever possible.
Restore secure authentication settings after migration.
Frequently Asked Questions (FAQ)
1. What does ORA-28040 mean?
ORA-28040 indicates that the Oracle Client and Oracle Database cannot agree on a compatible authentication protocol during the login process.
2. Is ORA-28040 caused by an incorrect password?
Not usually. While incorrect credentials generate different authentication errors, ORA-28040 is primarily related to authentication protocol incompatibility between the client and the database.
3. What is the safest solution?
The safest and most reliable solution is to upgrade the Oracle Client or JDBC driver to a version supported by the Oracle Database.
4. Can changing SQLNET.ALLOWED_LOGON_VERSION_SERVER solve the issue?
Yes, but only as a temporary compatibility measure. Lowering the required authentication version may reduce security and should not be considered a permanent fix.
5. Does ORA-28040 affect all Oracle Database versions?
It is most commonly encountered after upgrading to newer Oracle Database releases such as Oracle Database 19c, Oracle Database 21c, and later versions, where stronger authentication protocols are enforced by default.
6. Can third-party applications trigger ORA-28040?
Yes. Many enterprise applications include embedded Oracle Client libraries. Even if a newer Oracle Client is installed on the operating system, the application may continue using its bundled legacy client, resulting in ORA-28040.
Summary
The ORA-28040: No Matching Authentication Protocol error is most commonly encountered after Oracle Database upgrades when older clients or JDBC drivers attempt to connect using unsupported authentication protocols. Although temporary compatibility settings can restore connectivity, upgrading clients and drivers remains the recommended long-term solution.
A structured troubleshooting approach—including verifying client versions, reviewing Oracle Net configuration, checking application dependencies, and testing connectivity—helps resolve the issue efficiently while maintaining database security.
Conclusion
ORA-28040 is not simply a login failure; it is a compatibility issue between the authentication capabilities of the Oracle Client and the Oracle Database. Understanding how Oracle authentication works allows database administrators to identify the root cause quickly and implement the most appropriate solution.
Whenever possible, keep Oracle Clients, JDBC drivers, middleware, and database servers on supported releases. Doing so reduces authentication issues, improves overall security, and simplifies future upgrade projects.
If your organization is planning an Oracle Database upgrade, include client compatibility validation as part of your upgrade checklist. Proactive planning can prevent unexpected downtime and ensure a seamless transition to newer Oracle technologies.
Related Oracle Database Errors
- ORA-01034: ORACLE not available
- ORA-12514: TNS Listener Does Not Currently Know of Service Requested
- ORA-12541: TNS No Listener
- ORA-01017 Invalid Username/Password Error
- ORA-00600: Internal Error Code Arguments
- ORA-01578 Oracle data block corruption
About the Author
Abdul Wahid Rana is an experienced Oracle Database Administrator specializing in Oracle Database Administration, Oracle E-Business Suite, Oracle Data Guard, RMAN Backup & Recovery, Oracle RAC, Performance Tuning, High Availability Solutions, and production database troubleshooting.
Through this blog, he shares practical Oracle DBA tutorials, real-world troubleshooting guides, SQL scripts, monitoring solutions, and best practices to help database professionals manage Oracle environments with confidence.
If this guide helped you resolve the ORA-28040: No Matching Authentication Protocol error, please consider liking, following, and sharing this post with fellow Oracle DBAs. Don't forget to bookmark it for quick access during future troubleshooting!
No comments:
Post a Comment