
The login is from an untrusted domain and cannot be used with Windows authentication, SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed

I came across a scenario where a rather unusual set of “SSPI Handshake errors” regularly appeared in the error log. In this blog, I am covering the cause of this issue and the solution we followed to fix it:

In the SQL Server error log the entries below were logged:

SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure. The logon attempt failed   [CLIENT: XX.XX.XXX.XX]

Error: 17806, Severity: 20, State: 14.
Login failed. The login is from an untrusted domain and cannot be used with Windows authentication. [CLIENT: XX.XX.XXX.XX]


After checking the web.configs on the web server with the above IP address I found the C# application that was the cause of the error. First I thought this would be an easy fix with a simple security policy error. But after verifying that the account "domain\sqlaccount" had "Access this computer from the network” in "Local Security Policy (secpol.msc)", I was out of ideas.

Online I found tips to change the faulty connection string's data source to use SQL authentication instead of Windows authentication. But that is not a good enough solution.

After falling back to my old wisdom, RTFEM - Read the Fucking Error Message, I got a hint from "untrusted domain".

It was an issue with using DNS aliases to connect to a machine under a different domain name.
For example, say you have a SQL Server called SqlServerAlfa in yourdomain.com, which is an Active Directory domain, and a second domain name, yourdomain.net. Maybe this is a leftover from an earlier naming convention standard that you used, or from a merger. To keep your old applications working when migrating to the new naming convention, you have set up a DNS alias (CNAME) record:
database.yourdomain.net --> sqlserveralfa.yourdomain.com
You'll be able to connect to sqlserveralfa.yourdomain.com using Windows integrated security, but you won't be able to connect to database.yourdomain.net even though it's the same server, because the domain name of the alias doesn't match your AD domain! This is what produces the "untrusted domain" error in the error log.
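A quick way to find connection strings that will hit this problem is to scan the web.configs for Windows-authenticated data sources whose DNS suffix differs from the AD domain, and follow the alias to see which real host they land on. The script below is an added example, not code from the original post: the web.config fragment, the CNAME table, the server names and the AD domain are all constructed stand-ins (a real check would resolve the names with nslookup or Resolve-DnsName instead of a dictionary).

```python
"""Flag Windows-authenticated connection strings whose Data Source is a DNS
alias under a different domain suffix than the Active Directory domain.
Added example; all names below are constructed, not taken from a real site."""
import re
from typing import Dict, List, Optional

# Constructed stand-in for DNS: alias -> CNAME target (hypothetical names).
CNAME_TABLE: Dict[str, str] = {
    "database.yourdomain.net": "sqlserveralfa.yourdomain.com",
    "reports.yourdomain.com": "sqlserveralfa.yourdomain.com",
}

AD_DOMAIN = "yourdomain.com"  # assumed AD DNS domain of the SQL Server host

# Constructed web.config fragment (not from any real application).
WEB_CONFIG = """
<connectionStrings>
  <add name="Legacy"  connectionString="Data Source=database.yourdomain.net;Initial Catalog=Orders;Integrated Security=SSPI" />
  <add name="Direct"  connectionString="Server=sqlserveralfa.yourdomain.com;Database=Orders;Trusted_Connection=True" />
  <add name="Reports" connectionString="Data Source=reports.yourdomain.com\\SQL2016,1433;Integrated Security=true" />
  <add name="SqlAuth" connectionString="Data Source=database.yourdomain.net;User ID=app;Password=placeholder" />
</connectionStrings>
"""


def parse_connection_string(cs: str) -> Dict[str, str]:
    """Split 'key=value;key=value' into a dict with lower-cased keys."""
    parts: Dict[str, str] = {}
    for chunk in cs.split(";"):
        if "=" in chunk:
            key, value = chunk.split("=", 1)
            parts[key.strip().lower()] = value.strip()
    return parts


def uses_integrated_security(parts: Dict[str, str]) -> bool:
    """True for the ADO.NET spellings of Windows authentication."""
    value = parts.get("integrated security") or parts.get("trusted_connection") or ""
    return value.lower() in ("sspi", "true", "yes")


def server_host(parts: Dict[str, str]) -> Optional[str]:
    """Extract the host name from Data Source/Server, dropping protocol
    prefix, named instance and port (e.g. 'tcp:host\\inst,1433' -> 'host')."""
    server = parts.get("data source") or parts.get("server") or parts.get("address")
    if not server:
        return None
    server = re.sub(r"^(tcp|np|lpc):", "", server, flags=re.I)
    return re.split(r"[\\,]", server, maxsplit=1)[0].lower()


def resolve_alias(host: str, cname_table: Dict[str, str]) -> str:
    """Follow a CNAME chain in the constructed table; bounded to avoid loops."""
    seen = set()
    while host in cname_table and host not in seen:
        seen.add(host)
        host = cname_table[host].lower()
    return host


def dns_suffix(fqdn: str) -> str:
    return fqdn.split(".", 1)[1] if "." in fqdn else ""


def find_untrusted_domain_aliases(web_config: str, ad_domain: str,
                                  cname_table: Dict[str, str]) -> List[dict]:
    """Return the integrated-security connection strings whose host lives
    under a DNS suffix other than the AD domain, with the alias target."""
    findings = []
    pattern = r'<add\s+name="([^"]+)"\s+connectionString="([^"]+)"'
    for match in re.finditer(pattern, web_config):
        name, cs = match.group(1), match.group(2)
        parts = parse_connection_string(cs)
        if not uses_integrated_security(parts):
            continue  # SQL authentication does not depend on the domain name
        host = server_host(parts)
        if host is None or "." not in host:
            continue  # unqualified name: resolved via the search list, can't judge offline
        if dns_suffix(host) != ad_domain.lower():
            findings.append({"name": name, "alias": host,
                             "target": resolve_alias(host, cname_table)})
    return findings


if __name__ == "__main__":
    for finding in find_untrusted_domain_aliases(WEB_CONFIG, AD_DOMAIN, CNAME_TABLE):
        print(f"{finding['name']}: {finding['alias']} -> {finding['target']} "
              f"(Windows auth through an alias outside {AD_DOMAIN})")
```

Only the "Legacy" entry is reported: it uses Integrated Security and points at database.yourdomain.net, which is a CNAME into yourdomain.com. The "Reports" entry also goes through an alias, but the alias sits in the AD domain, so it is not the case the post describes; "SqlAuth" is skipped because SQL authentication never reaches the SSPI handshake.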
