Cannot generate sspi context (sql server)

  • steve.roberts_boohoo

    SSChasing Mays

    Points: 646

    Hi,

     

    Can't login to this SQL Server using Management Studio remotely - but can when RDPed to the server itself?

  • Sue_H

    SSC Guru

    Points: 90287

    There can be a lot of reasons for this error. MS has a troubleshooting guide for the error that goes through different scenarios:

    How to troubleshoot the "Cannot generate SSPI context" error message

    I would probably enable Kerberos logging first though and check the system event log for kerberos errors:

    How to enable Kerberos event logging

    Sue

  • andreas.kreuzberg

    SSCertifiable

    Points: 6045

    Hi,

    check your SPN in the windows directory. We had the same issue a view days before.

    There were some SPN missing, and some were wrong.

    Goodl luck,

    Kind regards,

    Andreas

  • cgumprich

    SSC Eights!

    Points: 822

    We're setting up new servers and ran into the same issue. I spent half a day tracking this down, because there are many possible causes. In my case I was able to run locally without issue, and I could connect remotely using SQL Authentication, but received that error when attempting to connect via Windows Authentication. Because our SQL services run under Managed Service Accounts, we knew the problem was related to Active Directory somehow.

    There were SPN-related errors in the Windows error log, and a search on the error code led me to this site which explained how to change the registered SPNs. From here we determined that the problem was that our new server had the same name as another, long-retired one, so there were duplicate SPNs in the Active Directory forest, and my new SQL instance couldn't register them for that reason.

    Our fix: change the name of the new server.

    But like I said, there are many possible causes. I've seen the same error message when my AD password expired.

  • Sue_H

    SSC Guru

    Points: 90287

    I've seen the error with clock drift. That why sometimes it can be faster to just enable Kerberos logging to find the errors and go from there. SSPI error would be related Kerberos so the logging should lead to the error.

    Sue

Viewing 5 posts - 1 through 5 (of 5 total)

You must be logged in to reply to this topic. Login to reply