Understanding Oracle 19c's sec_case_sensitive_logon Parameter and ORA-01017

Introduced in Oracle 11g, the sec_case_sensitive_logon parameter controls password case sensitivity.

  • sec_case_sensitive_logon=TRUE means passwords are case-sensitive.
  • sec_case_sensitive_logon=FALSE means passwords are not case-sensitive.

Starting with Oracle 12c, this parameter is deprecated. However, it is retained in Oracle 19c for backward compatibility. In Oracle 12c (specifically 12.2 and later) and 19c, this parameter cannot be set to FALSE because it is incompatible with SQLNET.ALLOWED_LOGON_VERSION_SERVER=12 or SQLNET.ALLOWED_LOGON_VERSION_SERVER=12a. The more secure password version used in these modes only supports case-sensitive password verification. The official documentation states:

Note the following implications of setting the value to 12 or 12a:

  • A value of FALSE for the SEC_CASE_SENSITIVE_LOGON Oracle instance initialization parameter must not be used because password case insensitivity requires the use of the 10G password version. If the SEC_CASE_SENSITIVE_LOGON Oracle instance initialization parameter is set to FALSE, then user accounts and secure roles become unusable because Exclusive Mode excludes the use of the 10G password version. The SEC_CASE_SENSITIVE_LOGON Oracle instance initialization parameter enables or disables password case sensitivity. However, since Exclusive mode is enabled by default in this release, disabling the password case sensitivity is not supported. Note:
  • The use of the Oracle instance initialization parameter SEC_CASE_SENSITIVE_LOGON is deprecated in favor of setting the SQLNET.ALLOWED_LOGON_VERSION_SERVER parameter to 12 to ensure that passwords are treated in a case-sensitive fashion.
  • Disabling password case sensitivity is not supported in Exclusive mode (when SQLNET.ALLOWED_LOGON_VERSION_SERVER is set to 12 or 12a.)
  • Releases of OCI clients earlier than Oracle Database 10g cannot authenticate to the Oracle database using password-based authentication.
  • If the client uses Oracle Database 10g, then the client will receive an ORA-03134: Connections to this server version are no longer supported error message. To allow the connection, set the SQLNET.ALLOWED_LOGON_VERSION_SERVER value to 8. Ensure the DBA_USERS.PASSWORD_VERSIONS value for the account contains the value 10G. It may be necessary to reset the password for that account.

If SQLNET.ALLOWED_LOGON_VERSION_SERVER is set to 12 or 12a, ensure SEC_CASE_SENSITIVE_LOGON is not set to FALSE. The more secure password version used in these modes only supports case-sensitive password checking.

For compatibility reasons, Oracle Database does not prevent setting SEC_CASE_SENSITIVE_LOGON to FALSE when SQLNET.ALLOWED_LOGON_VERSION_SERVER is 12 or 12a. However, doing so makes all accounts inaccessible.

If SQLNET.ALLOWED_LOGON_VERSION_SERVER is set to 11 or lower, Oracle recommends setting SEC_CASE_SENSITIVE_LOGON to TRUE, because the more secure password versions used in exclusive mode (when SQLNET.ALLOWED_LOGON_VERSION_SERVER is 12 or 12a) do not support case-insensitive passwords.

From a password version perspective, the 10G password version must be included.

Passwords have versions, visible in the DBA_USERS view under the PASSWORD_VERSIONS column.

Password version values include 10G, 11G, and 12C, controlled by SQLNET.ALLOWED_LOGON_VERSION_SERVER.

  • 10G refers to the older, case-insensitive Oracle password version.
  • 11G refers to the SHA-1 based password version.
  • 12C refers to the SHA-2 based SHA-512 password version.

Note that password versions are not the same as the database version.

To allow case-insensitive passwords (i.e., sec_case_sensitive_logon=FALSE) in database version 12c and later, the user's password version must include the 10G authentication protocol.

As mentioned, password versions are controlled by SQLNET.ALLOWED_LOGON_VERSION_SERVER. The following table shows the impact of this parameter on password versions:

SQLNET.ALLOWED_LOGON_VERSION_SERVER setting 8 11 12 12a
Server running in exclusive mode? No No Yes Yes
Generates 10G password version? Yes Yes No No
Generates 11G password version? Yes Yes Yes No
Generates 12C password version? Yes Yes Yes Yes

By default, Oracle Database uses exclusive mode to manage password versions, which does not allow case-insensitive passwords.

In a default installation, SQLNET.ALLOWED_LOGON_VERSION_SERVER is set to 12 to enable exclusive mode. Exclusive mode requires password-based authentication protocols to use case-sensitive password versions (11G or 12C) for accounts being authenticated.

Exclusive mode does not use the 10G password version used in earlier releases. After upgrading to Oracle Database 12c Release 2 (12.2), accounts using the 10G password version become inaccessible. This happens becuase the server runs in exclusive mode by default, and exclusive mode cannot use the old 10G password version to authenticate clients. The server has no password version to verify the client.

User accounts from version 10g use the 10G password version. Therefore, you should find user accounts using the 10G password version and reset passwords for those accounts. This will generate appropriate password versions based on the SQLNET.ALLOWED_LOGON_VERSION_SERVER setting as follows:

  • SQLNET.ALLOWED_LOGON_VERSION_SERVER=8 generates all three password versions: 10G, 11G, and 12C.
  • SQLNET.ALLOWED_LOGON_VERSION_SERVER=12 generates 11G and 12C password versions, removing the 10G version.
  • SQLNET.ALLOWED_LOGON_VERSION_SERVER=12a generates only the 12C password version.

Let's construct an example to see the effect of the sec_case_sensitive_logon parameter.

-- Check database version
SQL> select banner_full from v$version;

BANNER_FULL
----------------------------------------------------------------------------------------------------
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0

1 row selected.

-- Check current value of sec_case_sensitive_logon
SQL> show parameter sec_case_sensitive_logon;

NAME                                       TYPE        VALUE
------------------------------------       ----------- ------------------------------
sec_case_sensitive_logon                   boolean     TRUE

-- Set password for SYSTEM user
SQL> alter user system identified by "system#1245";

User altered.

-- Query SYSTEM user details
SQL> SET LINESIZE 1080;
SQL> SET PAGESIZE 36;
SQL> COL USERNAME FOR A24;
SQL> COL ACCOUNT_STATUS FOR A16;
SQL> COL DEFAULT_TABLESPACE FOR A16;
SQL> COL TEMPORARY_TABLESPACE FOR A10;
SQL> COL PROFILE FOR A10;
SQL> COL LOCK_DATE FOR A20;
SQL> COL EXPIRY_DATE FOR A20;
SQL> COL PASSWORD_VERSIONS FOR A12;
SQL> SELECT USERNAME,
  2         ACCOUNT_STATUS,
  3         DEFAULT_TABLESPACE,
  4         TEMPORARY_TABLESPACE,
  5         PROFILE,
  6         TO_CHAR(LOCK_DATE,'YYYY-MM-DD HH24:MI:SS') AS LOCK_DATE,
  7         TO_CHAR(EXPIRY_DATE,'YYYY-MM-DD HH24:MI:SS') AS EXPIRY_DATE,
  8         PASSWORD_VERSIONS
  9  FROM DBA_USERS
 10  WHERE USERNAME=UPPER('&USERNAME')
 11  ORDER BY EXPIRY_DATE;
Enter value for username: system
old  10: WHERE USERNAME=UPPER('&USERNAME')
new  10: WHERE USERNAME=UPPER('system')

USERNAME             ACCOUNT_STATUS   DEFAULT_TABLESPA  TEMPORARY_ PROFILE    LOCK_DATE            EXPIRY_DATE          PASSWORD_VER
-------------------- ---------------- ---------------- ---------- ---------- -------------------- -------------------- ------------
SYSTEM               OPEN             SYSTEM            TEMP       DEFAULT                                             11G 12C

1 row selected.

-- Attempt to set case insensitive login
SQL> alter system set sec_case_sensitive_logon=false scope=both;

System altered.

Now, try to log in with the SYSTEM user from another session:

$ sqlplus system/system#1245

SQL*Plus: Release 19.0.0.0.0 - Production on Tue Apr 25 17:16:28 2023
Version 19.3.0.0.0

Copyright (c) 1982, 2019, Oracle.  All rights reserved.

ERROR:
ORA-01017: invalid username/password; logon denied

If we set the parameter sec_case_sensitive_logon back to TRUE (this change takes effect immediately without restart):

SQL> show user;
USER is "SYS"
SQL> alter system set sec_case_sensitive_logon=true scope=both;

System altered.

Then verification shows everything works normally. So if you encounter ORA-01017 on a 12c/19c database, and you are sure the password is correct, check this parameter.

$ sqlplus system/system#1245

SQL*Plus: Release 19.0.0.0.0 - Production on Tue Apr 25 17:20:28 2023
Version 19.3.0.0.0

Copyright (c) 1982, 2019, Oracle.  All rights reserved.

Last Successful login time: Tue Apr 25 2023 09:54:37 +08:00

Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0

SQL>

Now let's test another approach: when sec_case_sensitive_logon is FALSE, we can control password versions to resolve ORA-01017.

SQL> show user;
USER is "SYS"
SQL> show parameter sec_case_sensitive_logon;

NAME                                       TYPE        VALUE
------------------------------------       ----------- ------------------------------
sec_case_sensitive_logon                   boolean     FALSE

Modify the sqlnet.ora file to include these settings:

SQLNET.ALLOWED_LOGON_VERSION_CLIENT = 10
SQLNET.ALLOWED_LOGON_VERSION_SERVER = 10

After modifying sqlnet.ora, you must reconnect SQL*Plus (existing connections will not use the new settings). Then run the following script:

SQL> alter user system identified by "system#1245";

User altered.

SQL> SET LINESIZE 1080;
SQL> SET PAGESIZE 36;
SQL> COL USERNAME FOR A16;
SQL> COL ACCOUNT_STATUS FOR A16;
SQL> COL DEFAULT_TABLESPACE FOR A16;
SQL> COL TEMPORARY_TABLESPACE FOR A10;
SQL> COL PROFILE FOR A10;
SQL> COL LOCK_DATE FOR A20;
SQL> COL EXPIRY_DATE FOR A20;
SQL> COL PASSWORD_VERSIONS FOR A12;
SQL> SELECT USERNAME,
  2         ACCOUNT_STATUS,
  3         DEFAULT_TABLESPACE,
  4         TEMPORARY_TABLESPACE,
  5         PROFILE,
  6         TO_CHAR(LOCK_DATE,'YYYY-MM-DD HH24:MI:SS') AS LOCK_DATE,
  7         TO_CHAR(EXPIRY_DATE,'YYYY-MM-DD HH24:MI:SS') AS EXPIRY_DATE,
  8         PASSWORD_VERSIONS
  9  FROM DBA_USERS
 10  WHERE USERNAME=UPPER('&USERNAME')
 11  ORDER BY EXPIRY_DATE;
Enter value for username: system
old  10: WHERE USERNAME=UPPER('&USERNAME')
new  10: WHERE USERNAME=UPPER('system')

USERNAME         ACCOUNT_STATUS   DEFAULT_TABLESPA  TEMPORARY_ PROFILE    LOCK_DATE            EXPIRY_DATE          PASSWORD_VER
---------------- ---------------- ---------------- ---------- ---------- -------------------- -------------------- ------------
SYSTEM           OPEN             SYSTEM            TEMP       DEFAULT                          2023-10-23 09:21:27 10G 11G 12C

1 row selected.

Now, log in with the SYSTEM user:

$ sqlplus system/system#1245

SQL*Plus: Release 19.0.0.0.0 - Production on Wed Apr 26 09:22:18 2023
Version 19.3.0.0.0

Copyright (c) 1982, 2019, Oracle.  All rights reserved.

Last Successful login time: Tue Apr 25 2023 17:20:29 +08:00

Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0

SQL>

No ORA-01017 error this time.

Note: It is best to test with a non-SYSTEM account. The SYSTEM account is used here for convenienec in a test environment. For more information, refer to the Oracle support document "The new Exclusive Mode default for password-based authentication in Oracle 12.2 conflicts with case-insensitive password configurations. All user login fails with ORA-1017 after upgrade to 12.2 (Doc ID 2075401.1)".

References

  1. Oracle Net Services Reference - Parameters for the sqlnet.ora
  2. Doc ID 2075401.1

Tags: Oracle 19c sec_case_sensitive_logon ORA-01017 password case sensitivity

Posted on Thu, 07 May 2026 05:18:47 +0000 by greensweater

Hot Tags

©2026 Freaks City