It began with an error thrown by a linked server. The linked server is on our warehouse server and connects to our SSIS server using the “login’s current security context” option.
![](https://mattsql.files.wordpress.com/2021/11/error.jpg?w=1024)
The error was not hugely helpful, and internet searches kept coming back with partial matches, mostly with additional text: our old friend “cannot generate SSPI context”.
What changed?
When a working thing becomes a non-working thing, my first question is “what changed?” In this case nothing had changed on either server, but as I scanned through the recent changes I could see that Windows patching had happened the previous night.
Windows patching and what was starting to look like some sort of AD authentication error.
To test the emerging theory I switched the linked server to use SQL authentication and it worked as expected.
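The isolation test described above, written out in T-SQL as an added example (not the script used in the original troubleshooting). The linked server name `SSIS_LINK`, the remote login `diag_reader` and its password are hypothetical placeholders.

```sql
-- Run on the instance that hosts the linked server (the warehouse server in the post).
-- SSIS_LINK and diag_reader are hypothetical names; substitute your own.

-- 1. How did this session authenticate? A remote client whose identity must be
--    passed on to the linked server needs KERBEROS here; NTLM cannot be delegated.
SELECT c.session_id, c.auth_scheme, c.net_transport, s.login_name
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s ON s.session_id = c.session_id
WHERE c.session_id = @@SPID;

-- 2. Confirm the linked server is mapped to "login's current security context"
--    (uses_self_credential = 1 on the default mapping, local_principal_id = 0).
SELECT srv.name, srv.data_source, ll.local_principal_id,
       ll.uses_self_credential, ll.remote_name
FROM sys.servers AS srv
JOIN sys.linked_logins AS ll ON ll.server_id = srv.server_id
WHERE srv.is_linked = 1 AND srv.name = N'SSIS_LINK';

-- 3. Reproduce the failure and capture the error text.
BEGIN TRY
    EXEC sp_testlinkedserver N'SSIS_LINK';
    PRINT 'Integrated security: OK';
END TRY
BEGIN CATCH
    PRINT CONCAT('Integrated security failed: ', ERROR_NUMBER(), ' ', ERROR_MESSAGE());
END CATCH;

-- 4. Temporarily switch the default mapping to SQL authentication.
--    With @locallogin = NULL every local login maps to this one remote account,
--    so use a low-privilege remote login and revert as soon as the test is done.
EXEC sp_addlinkedsrvlogin @rmtsrvname = N'SSIS_LINK', @useself = N'FALSE',
     @locallogin = NULL, @rmtuser = N'diag_reader',
     @rmtpassword = N'<placeholder-password>';

BEGIN TRY
    EXEC sp_testlinkedserver N'SSIS_LINK';
    PRINT 'SQL authentication: OK, so the fault is in Windows/AD authentication';
END TRY
BEGIN CATCH
    PRINT CONCAT('SQL authentication also failed: ', ERROR_MESSAGE());
END CATCH;

-- 5. Restore the original mapping (login's current security context).
EXEC sp_addlinkedsrvlogin @rmtsrvname = N'SSIS_LINK', @useself = N'TRUE',
     @locallogin = NULL;
```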
The culprit
Digging into the patching, it turned out that a bunch of domain controllers had been patched with this patch.
The known issues include the following:
“After installing the November security updates, released November 9, 2021 on your Domain Controllers (DC) that are running a version of Windows Server, you might have authentication failures on servers relating to Kerberos Tickets acquired via S4u2self.”
A hotfix was released five days later and this fixed our linked server issue.