Blog

How to Fix ORA-28040: No Matching Authentication Protocol in Oracle

The error message ORA-28040: No matching authentication protocol is a common issue. You might see it when your apps try to connect to an Oracle database, especially Oracle 12c and newer.

This usually means your app is trying to log in a way the Oracle server doesn’t like or allow. In this article, we’ll look at why this happens and show you some practical ways to fix it and get your database connection working again.

Understanding the “ORA-28040” Error

The main reason for the ORA-28040 error is a mismatch in how your app and the Oracle server try to handle logins. For example, Oracle Database 12c made security stricter. It changed the default setting for something called SQLNET.ALLOWED_LOGON_VERSION.

This setting decides the oldest client version that can connect and which login methods are okay. If your app, often using its JDBC driver, tries an old login method that the server doesn’t permit, the connection will fail with this error.

Analyzing ORA-28040 Error Causes

Here are some key things that can cause this:

  • Outdated JDBC Drivers: Using an old JDBC driver (like ojdbc14.jar) with a new Oracle database (12c or newer) and a modern Java Development Kit (JDK) is a common problem. The number in JDBC driver files (like ojdbc6.jar, ojdbc8.jar) usually tells you which JDK version it was made for.
  • Server-Side Configuration: The sqlnet.ora file on the Oracle database server might be set up to only allow new, secure login methods. This means it will reject connections from apps that don’t support them.
  • Client-Side Environment: Sometimes the problem is in your app’s setup, like if the wrong driver is being used first, or if you have old connection settings.

Read: How to Fix ORA-12514: Oracle Listener Service Name Mismatch

Solutions to Resolve ORA-28040

There are several ways to fix this login protocol mismatch. These solutions can involve updating things on your app’s side or changing settings on the Oracle server.

Resolving Oracle Authentication Mismatch

1. Update the Oracle JDBC Driver

Making sure your app uses a JDBC driver that works with both your Oracle Database version and your Java version is often the best fix. Old drivers might not support the login methods that newer Oracle versions need.

This table gives you a general idea of JDBC driver versions and what they usually work with:

JDBC Driver Compatibility Table

Note: Always check the official Oracle documentation for the most accurate JDBC driver compatibility for your specific Oracle Database and JDK versions.

Read: How to Fix ORA-01017: Invalid Username/Password Logon Denied in Oracle Database

Steps:

  1. Find out which JDBC driver JAR file your app is using (e.g., ojdbc14.jar).
  2. Download the right newer JDBC driver (e.g., ojdbc8.jar for Oracle 12c/19c with JDK 8+) from the official Oracle website.
  3. Replace the old JDBC JAR file with the new one where your app looks for it. This could be in a lib folder (like WEB-INF/lib for web apps, [Tomcat_Installation_Directory]/lib, or [Cognos_Install_Directory]/webapps/p2pd/WEB-INF/lib). If you use tools like Maven or Gradle, update your dependencies there.
  4. Make sure the new driver is being used and that no old, conflicting drivers are still around.
  5. If you use an IDE like IntelliJ IDEA, try restarting it after updating the driver and check that the “External Libraries” section shows the correct driver version.

Why this helps : Newer JDBC drivers are made to support the newer login methods that modern Oracle databases expect.

2. Adjust sqlnet.ora Configuration

If you can’t update the JDBC driver right away, or if it doesn’t fix the problem, you can try changing the Oracle server’s (or sometimes the client’s) sqlnet.ora file. This can allow older login methods. This file is usually in the [ORACLE_HOME]/network/admin/ directory, or a path like [ORACLE_PRODUCT_HOME]/dbhome_1/NETWORK/ADMIN/.

Configuration Parameters:

Add or change these parameters in your sqlnet.ora file:


SQLNET.ALLOWED_LOGON_VERSION_SERVER = 8
SQLNET.ALLOWED_LOGON_VERSION_CLIENT = 8

Sometimes, especially if you’re using very old JDBC thin drivers (before version 11g), you might need to set SQLNET.ALLOWED_LOGON_VERSION=8 (this covers both server and client).

Some setups might also need:


SQLNET.AUTHENTICATION_SERVICES = (NONE)

These settings tell the Oracle server to be less strict about the login methods it accepts, letting clients that use older methods (like those from version 8) connect.

Important: Changing sqlnet.ora to allow older login versions can make your database less secure. Think carefully if this is okay for your organization’s security rules.

Possible Side Effect: ORA-01017 (Invalid Username/Password)

After you change sqlnet.ora, you might get an ORA-01017: invalid username/password; logon denied error. If this happens, you might need to reset or recreate the password for the user trying to connect, even if you use the same password.


ALTER USER #YOUR_USERNAME# IDENTIFIED BY "#YOUR_PASSWORD#";

If password case sensitivity becomes an issue (especially if older login methods don’t handle it the same way as features in Oracle 11g and later), you might also need to check and possibly change the SEC_CASE_SENSITIVE_LOGON parameter and then reset the password:


-- To check the current setting if you need to: SHOW PARAMETER SEC_CASE_SENSITIVE_LOGON;
-- To turn off case-sensitive passwords (be careful and understand what this means):
ALTER SYSTEM SET SEC_CASE_SENSITIVE_LOGON = FALSE;
-- Then, reset the user's password:
ALTER USER #YOUR_USERNAME# IDENTIFIED BY "#YOUR_PASSWORD#";

3. Prioritize Correct JDBC Driver in IDE Build Path

If you’re using an IDE like Eclipse, and you have multiple versions of JDBC drivers or other conflicting libraries in your project, Java might load the wrong driver first. Making sure the correct, compatible JDBC driver is loaded first, can fix this.

Steps for Eclipse:

  1. In the Project Explorer, right-click on your project.
  2. Choose “Build Path” → “Configure Build Path…”.
  3. Go to the “Order and Export” tab.
  4. Find your correct Oracle JDBC driver JAR file (e.g., ojdbc8.jar).
  5. Select it and use the “Top” or “Up” button to move it to the very top of the list. This makes sure it’s loaded before any other JARs that might cause problems.
  6. Click “Apply and Close”.

This makes sure the right JDBC driver is used by your project.

4. Downgrade .NET Oracle Data Provider (For .NET Applications)

If you are building .NET apps that connect to Oracle, especially with Visual Studio, problems with the Oracle.ManagedDataAccess.Core NuGet package version can also cause the ORA-28040 error.

Solution:

Try downgrading the Oracle.ManagedDataAccess.Core NuGet package to an older, stable version, like 3.21.150. This has helped some people.

You can do this in the NuGet Package Manager Console in Visual Studio:


Uninstall-Package Oracle.ManagedDataAccess.Core
Install-Package Oracle.ManagedDataAccess.Core -Version 3.21.150

Or, you can change your project’s .csproj file as well.

Certain versions of data provider libraries might work better or have fewer bugs with specific Oracle database versions.

5. Verify JDBC Connection Parameters

Sometimes, the error isn’t because of the driver or server settings, but because your app is accidentally trying to connect to a different Oracle database instance than you think. That other instance might have a different version or security setup.

Action:

Carefully check your app’s JDBC connection string and any related datasource configuration files (like context.xml in Tomcat, or application.properties/yml in Spring Boot). Make sure the hostname, port, service name, or SID are pointing to the correct Oracle database that your JDBC driver and other settings are meant for.

Making sure the connection details are correct means your app talks to the right database, where the login methods should match your app’s setup.

6. Remove Obsolete thinLogonCapability Setting

There’s an old Java system property or connection property, oracle.jdbc.thinLogonCapability="o3", that was sometimes used with older Oracle versions or JDBC drivers. This setting usually isn’t needed anymore and can cause problems with Oracle 12c and newer login methods.

Action:

If your app or environment is setting this property (e.g., in JVM arguments or JDBC connection properties), try removing it.

Getting rid of this old property stops it from interfering with the normal, usually more secure, login process handled by modern JDBC drivers and Oracle 12c+ servers.

Verification and Testing

After you try any of these solutions, the main way to check if it worked is to try connecting to the database again from your app. If you can connect without seeing the ORA-28040 error, the problem is fixed. You should also test your app by doing typical database tasks to make sure everything is working fully.

Conclusion

The ORA-28040: No matching authentication protocol error mainly means there’s a mismatch between what your app can do to log in (often decided by the JDBC driver version) and the Oracle server’s security setup.

We’ve looked at ways to fix this, like updating the JDBC driver to a version that works, changing server-side sqlnet.ora settings if you have to, making sure the right driver is used first, or checking your connection details.

Using up-to-date, compatible JDBC drivers is usually the best first thing to try.