How to resolve ORA-24247: network access denied by access control list (ACL)

If you are trying to use oracle to invoke a web service or to connect to a smtp service and you get the following error:

ORA-24247: network access denied by access control list (ACL)

The cause according to oracle is that

“No access control list (ACL) has been assigned to the target host or the privilege necessary to access the target host has not been granted to the user in the access control list.”

This error is common after an upgrade to Oracle 11. before oracle 11, using network resources via packages like utl_tcp, utl_smtp, utl_mail, utl_http, and utl_inaddr exposed the database to a serious security threat because once the user is granted with permission to use those packages there was no other limitation to connect to any computer.

Since Oracle 11, oracle introduced a fine grained access to network services using access control lists (ACL).

This new feature gave the DBA a better control on which user can connect to which computer

In order to solve ORA-24247 you will need to:

1) Create an acl (if it is not already created)

2) Add privileges to the user using the network resources

3) Assign the acl to a specific address

1) run the following query to check if an ACL exists

SELECT *FROM dba_network_acls;

If the computer you are trying to connect to is not listed under host, you will need to create an acl:

dbms_network_acl_admin.create_acl (
acl => ‘http_permissions.xml’, — or any other name
description => ‘HTTP Access’,
principal => ‘SCOTT’, — the user name trying to access the network resource
is_grant => TRUE,
privilege => ‘connect’,
start_date => null,
end_date => null

This will create the acl and grant SCOTT the connect privilege.

2) IF the acl exists run the following query to verify the user is granted with the appropriate privilege
SELECT *FROM dba_network_acl_privileges
where principal='SCOTT';

In order to use UTL_TCP, UTL_HTTP, UTL_SMTP, and UTL_MAIL the user will need the connect privilege
DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE(acl => 'http_permissions.xml',
principal => ‘SCOTT’,
is_grant => true,
privilege => ‘connect’);

If you need to resolve a host name from a host IP you will need the resolve grant as well.
DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE(acl => 'http_permissions.xml',
principal => ‘SCOTT’,
is_grant => true,
privilege => ‘resolve’);

3) The final step is to assign the acl to a specific target
dbms_network_acl_admin.assign_acl (
acl => ‘http_permissions.xml’,
host => ‘NETWORK ADDRESS’, /*can be computer name or IP , wildcards are accepted as well for example – ‘*’*/
lower_port => 80,
upper_port => 80

It is important to note that only one ACL can be assigned to any host computer. If you assign a new acl to a target the old acl gets unassigned.

However, the old acl is not dropped. So, this could cause confusion because even if the acl was already assigned, it is possible that a new assignment overrode it.


How to start “Interactive Service Detection” service on Windows 8/2012

Attempting to start the Interactive Service Detection (UI0Detect) service on Windows 8 and Windows Server 2012 can fail with the incomprehensible “Error 1: Incorrect function” message:

This is because Microsoft has disabled interactive services in these new operating systems!

Fortunately, it is easy to re-enable interactive services by editing the registry:

  1. start regedit
  2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows on the left side
  3. On the right, double-click the NoInteractiveServices entry and change its value from 1 to 0
  4. Click OK to record your change
  5. Close the registry editor

Autoruns for Windows

This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system bootup or login, and shows you the entries in the order Windows processes them. These programs include ones in your startup folder, Run, RunOnce, and other Registry keys. You can configure Autoruns to show other locations, including Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more. Autoruns goes way beyond the MSConfig utility bundled with Windows Me and XP.

AutorunsHide Signed Microsoft Entries option helps you to zoom in on third-party auto-starting images that have been added to your system and it has support for looking at the auto-starting images configured for other accounts configured on a system. Also included in the download package is a command-line equivalent that can output in CSV format, Autorunsc.

You’ll probably be surprised at how many executables are launched automatically!


Compiling .NET 1.1 Projects In Visual Studio 2008


After having put my .NET 1.1 application running on the .NET 2.0 runtime (^), I’m planning on migrating it to.NET 2.0, but not all at once.

Because I don’t want to have 2 solutions (one on Visual Studio 2003 for the .NET 1.1 assemblies and another onVisual Studio 2008 for the .NET 2.0 assemblies) I decide to try using MSBee and have only one Visual Studio2008 solution.

MSBee has a CodePlex project. You can download it from there or from Microsoft Downloads. Because the build on Microsoft Downloads seemed to be the most stable one, that was the one I downloaded and installed. The package comes with a Word document that explains all that needs to be done.

Before you can install and use MSBee you’ll need to install the .NET 1.1 SDK.

Having everything installed, I just opened the Visual Studio 2003 solution in Visual Studio 2008 and let it convert the solution and projects (near 30).

After the conversion, for building the projects with the .NET 1.1 C# compiler, the project files need to be edited to add the override the default targets with the MSBee ones by adding the MSBee imports after the default imports for the language:

<Import Project="$(MSBuildBinPath)\Microsoft.CSharp.targets" />
<Import Project="$(MSBuildExtensionsPath)\MSBee\MSBuildExtras.FX1_1.CSharp.targets" />

Another change needed (for Visual Studio 2008 – I don’t know if it was needed for Visual Studio 2005) is the tools version. MSBee needs version 2.0. To change that you’ll have to change the ToolsVersion attribute of the project’s root element:

<Project DefaultTargets="Build" ToolsVersion="2.0" xmlns="">

MSBee likes has own idea about output paths and I had set up custom output paths on my project. There’s information about this on the documentation but I decided to simply comment that out of the $(MSBuildExtensionsPath)\MSBee\MSBuildExtras.FX1_1.Common.targets file:

<!--<span class="code-comment"> Paulo
  <When Condition=" '$(BaseFX1_1OutputPath)' == '' ">
      <OutputPath Condition=" !HasTrailingSlash('$(OutputPath)') ">$(OutputPath)\</OutputPath>

<!--<span class="code-comment"> Paulo
  <IntermediateOutputPath Condition=" '$(PlatformName)' == 'AnyCPU' ">$(BaseIntermediateOutputPath)$(Configuration)\</IntermediateOutputPath>
  <IntermediateOutputPath Condition=" '$(PlatformName)' != 'AnyCPU' ">$(BaseIntermediateOutputPath)$(PlatformName)\$(Configuration)\</IntermediateOutputPath>

  <OutputPath Condition=" '$(PlatformName)' == 'AnyCPU' ">$(OutputPath)$(Configuration)\</OutputPath>
  <OutputPath Condition=" '$(PlatformName)' != 'AnyCPU' ">$(OutputPath)$(PlatformName)\$(Configuration)\</OutputPath>
  <- Once OutputPath is determined, set OutDir to its value. ->

This all seemed to work fine on my old Windows XP machine without any third party Visual Studio plug-ins, but when I tried it on my Windows Vista X64 machine, I came across some problems:

  • License Compiler

    Because I’m using Infragistics‘ controls, there’s a licences.licx file and the build will compile it. And that proved to be a problem.

    MSBee copies all the files it needs to the build process to a temporary folder, builds it in there and then copies the result to the output path.

    LC.exe seemed to never be able to find all the assemblies it needed. Searching seemed to me to be an old issue (even from the .NET 1.1 times) and the solution always pointed to not compile the license file. So, I commented that part out of the $(MSBuildExtensionsPath)\MSBee\MSBuildExtras.FX1_1.Common.targets file:

        Name="CompileLicxFiles"  Condition="'@(_LicxFile)'!=''"
      <!--<span class="code-comment">
        <Output TaskParameter="OutputLicense" ItemName="CompiledLicenseFile"/>
        <Output TaskParameter="OutputLicense" ItemName="FileWrites"/>
  • Resource Generator

    Although this worked fine on the command line, inside Visual Studio ResGen.exe would throw some error and needed to be closed.

    Looking at the Windows Application Log I found out this:

    Faulting application Resgen.exe, version 1.1.4322.573, time stamp 0x3e559b5f, faulting module MockWeaver.dll, version, time stamp 0x4adb072e, exception code 0xc0000005, fault offset 0x00018fac, process id 0x4a50, application start time 0x01ca53c14488a2fb.

    MockWeaver.dll belongs to Isolator and I just disable it when building inside Visual Studio. I was hoping to start using Isolator on this project, but, for now, I can’t.

I hope this can be of some help and, if you need more, you’ll probably find it at the MSBee’s CodePlex forum.

The bottom line is: You don’t need Visual Studio 2003!

Install .Net 1.1 Framework on Windows 2008 R2

Link 1  Link 2

My Notes:
1. After installation completed, ImagePath ASP.Net State Service will be changed, you can restore it to: %SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
2. You may need to add Hanlder Mapping for 1.1 Isapi

Step 1: Install IIS and IIS 6 Metabase Compatibility

Open Server Manager and click on Roles.  In the right pane click Add Roles, click Next on the Before You Begin Screen. You will be presented with a screen for selecting the Roles. Select Web Server (IIS) and click Next and Next again.

You will be presented with additional components to install, for our selection pick Application Development and Management Tools. The Management Tools selection will add the IIS 6 Metabase Compatibility needed for .NET 1.1. Click next when the selections are completed and Install at the confirmation screen. Click close when completed.

Step 2: Install the .NET Framework v1.1 and .NET Framework v1.1 SP1

Framework v1.1, v1.1 SP1 and ASP.NET update can be found at  can be found at  Install Framework v1.1, SP1, and ASP.NET’s security update to SP1:

When you install .NET Framework Version 1.1, and SP1 for .NET Framework Version 1.1, you’ll see the following dialog.  Click Run program.

Next install .NET Framework Version 1.1 Service Pack 1. Double-click on NDP1.1sp1-KB867460-X86 to start the installation. As with .NET Framework Version 1.1 you will receive the Program Compatibility popup, click Run Program to continue.

Finally, install ASP.NET Security update by double-clicking in NDP1.1sp1-KB886903-X86 to start the installation. As with .NET Framework Version 1.1 you will receive the Program Compatibility popup, click Run Program to continue.

note: If you do not install Framework v1.1 SP1, you may run into Data Execution Prevention errors with messages like “IIS Worker Process has stopped working”.  This is expected.  Installing .NET Framework v1.1 SP1 will fix this.

Step 3: Enable ASP.NET v1.1 ISAPI Extension

Enable ASP.NET v1.1 ISAPI as an allowed ISAPI extension.  To do this, open “IIS Manager” administration tool.  In the features view, click on the “ISAPI and CGI Restrictions” feature.  In the actions pane, click “add”

You will see ASP.NET v1.1.4322 with the restriction of Not Allowed. We need to allow this feature by clicking on it and clicking Allow in the actions pane.

You can also do by running the following command line:

%windir%\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis -enable

Step 4: Add IgnoreSection Handler to v1.1 machine.config

ASP.NET v1.1 will throw runtime exceptions out of the box if you have IIS configuration in the web.config files that are read by your ASP.NET v1.1 applications.  To make ASP.NET v1.1 ignore IIS configuration sections, open the Framework v1.1 machine.config file (%windir%\Microsoft.NET\Framework\v1.1.4322\config\machine.config) and add the following section entry just above the bottom tag for the <configSections> element:

<section name=”system.webServer” type=”System.Configuration.IgnoreSectionHandler,
System, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089″ />

Step 5: Move Site or Application to ASP.NET 1.1 Application Pool

During installation, Framework v1.1 creates an application pool called “ASP.NET 1.1″ that is configured to load Framework v1.1 upon startup. You can also do this from the command line by navigating to the %windir%\system32\inetsrv directory and running the following command line:

appcmd set app “Default Web Site/” /applicationPool:”ASP.NET 1.1″

If you would like to create a new application pool that’s configured to load Framework v1.1, you can also do this from the command line by navigating to the %windir%\system32\inetsrv directory and running the following command line:

appcmd add apppool /name:”NewPool”  /managedRuntimeVersion:”v1.1″

ORA-12154 while connecting oracle database with OracleClient and Oracle 10g Client from vs2008 web project in Win7/2008 x64

When you opening connection to Oracle database in web project of Visual Studio 2008, you always get below error:
ORA-12154: TNS:could not resolve the connect identifier specified

But your tnsnames.ora is correct, sqlplus or other projects (like console/win form) can connect successfully.

Upgrade Oracle 10g Client to or upper to fix this strange bug.