January 10, 2019 at 12:30 pm
We setup a server using a virtual service account for the first time a few weeks ago. SQL 2016 Standard running on Windows Server 2016. All other servers are setup using domain accounts.
The server was inaccessible today giving the error:
"The target principal name is incorrect. Cannot generate SSPI context"
Server was also renamed a few weeks ago. Originally built on Win 2012, and we created a new one on Win 2016 then renamed it and the old one was discarded. This may in fact be part of the issue, but its been a few weeks so everything seemed ok.
The issue was fixed with a reboot but not sure why or how and concerned it will happen again.
On the reboot/restart the SQL logs showed this message:
The SQL Server Network Interface library could not deregister the Service Principal Name (SPN) [ MSSQLSvc/MyServerName.mydomain.com:1433 ] for the SQL Server service. Error: 0xffffffff, state: 63. Administrator should deregister this SPN manually to avoid client authentication errors.
Not sure what this means, but it only showed when the server started to reboot and it came back up with no issues and everyone can connect.
According to this article the virtual account is recommended as long as there is no need for the service account to access external resources, which there is not.
A while back i did ask about using Domain vs MSA vs VSA for the services, the MSA seems to be the top choice however we didn't have the need to hit external resource so the VSA seems like the right choice.
Any thoughts on this error or thoughts on using a VSA for SQL services?
Viewing 0 posts
You must be logged in to reply to this topic. Login to reply