"Cannot Generate SSPI Context" when using account in another domain

  • I have an AD forest with three child domains. D1 and D2 have a two-way trust. D3 is in the DMZ. D3 trusts D1 and D2, but they do not trust D3. Web app is running on D3, using credentials of a limited D2 account.

    SQL 2005 Server SP2 is in D1. Account defined in D2 cannot authenticate to server. Troubleshooting ensues.

From a command line, ODBCPING -S generates a "Cannot Generate SSPI Context" error for accounts in D2. This happens from wherever I run ODBCPING, even if I run it on a machine in D1 using Run As with the credentials of a D2 account.

    D1 accounts have no problem connecting, whether on machines in D1, D2, or D3.

    Yet, I have another identical SQL Server in D1 that does not suffer from this issue.

    Any clue? I am really stuck. Is it possible there is a malformed SPN in D2?

  • That would be my first guess - check/create SPNs for your SQL Server(s). I had to do it recently with the setspn utility (different circumstances but same error message). Cleared my problem up.

    Scott Duncan

    MARCUS. Why dost thou laugh? It fits not with this hour.
    TITUS. Why, I have not another tear to shed;
    --Titus Andronicus, William Shakespeare


  • I'd look at the SPN and be sure you don't have timing issues (system time differences) between the two domain servers and the SQL server host.
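The two replies above point at the usual causes of this error: a missing, duplicated or misplaced MSSQLSvc SPN, and clock skew beyond the Kerberos tolerance. The script below is an added PowerShell example for running both checks from a workstation; it is not from this thread or from any of the posters. The host, port, service-account and domain-controller names are placeholders, and it assumes the domain controller you name is also a global catalog (so a GC search covers every domain in the forest, which matters when the service account lives in a different domain than the server, as in D1/D2 here).

```powershell
# Added example (not from the thread): audit the SPNs behind a SQL Server's Kerberos
# authentication and measure clock skew against a DC. All names are placeholders.
param(
    [string]$SqlHost          = 'sqlhost01.d1.example.com',  # FQDN of the SQL Server in D1
    [int]   $SqlPort          = 1433,
    [string]$ServiceAccount   = 'D2\svc_sql',                # account the SQL service runs as
    [string]$DomainController = 'dc01.d1.example.com'        # assumed to be a global catalog
)

$shortHost    = $SqlHost.Split('.')[0]
$expectedSpns = @("MSSQLSvc/${SqlHost}:${SqlPort}", "MSSQLSvc/${shortHost}:${SqlPort}")

# --- 1. Which account(s) in the forest hold an MSSQLSvc SPN for this host? ---
# An SPN must map to exactly one account. A duplicate, or an SPN sitting on the
# computer object while the service runs as a domain user, leaves the KDC unable
# to issue a usable service ticket; the client reports "Cannot generate SSPI context".
$root     = New-Object System.DirectoryServices.DirectoryEntry("GC://$DomainController")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter = "(servicePrincipalName=MSSQLSvc/$shortHost*)"
$null = $searcher.PropertiesToLoad.Add('sAMAccountName')
$null = $searcher.PropertiesToLoad.Add('servicePrincipalName')

$holders = @{}                                   # SPN -> list of accounts that carry it
foreach ($r in $searcher.FindAll()) {
    $acct = [string]$r.Properties['samaccountname'][0]
    foreach ($spn in $r.Properties['serviceprincipalname']) {
        if ($spn -like "MSSQLSvc/$shortHost*") {
            if (-not $holders.ContainsKey($spn)) { $holders[$spn] = @() }
            $holders[$spn] += $acct
        }
    }
}

$expectedSam = $ServiceAccount.Split('\')[-1]
foreach ($spn in $expectedSpns) {
    if (-not $holders.ContainsKey($spn)) {
        Write-Warning "MISSING  $spn  -> register with: setspn -S $spn $ServiceAccount"
    } elseif ($holders[$spn].Count -gt 1) {
        Write-Warning "DUPLICATE $spn held by: $($holders[$spn] -join ', ')  (setspn -X lists all duplicates)"
    } elseif ($holders[$spn][0] -ne $expectedSam) {
        Write-Warning "WRONG ACCOUNT $spn is on '$($holders[$spn][0])', expected '$expectedSam'"
    } else {
        Write-Host "OK        $spn -> $($holders[$spn][0])"
    }
}

# --- 2. Clock skew between this machine and the DC (Kerberos default limit: 5 minutes) ---
$skewLine = (w32tm /stripchart /computer:$DomainController /samples:3 /dataonly) |
            Select-String -Pattern '([+-]\d+\.\d+)s' | Select-Object -Last 1
if ($skewLine) {
    $skew = [double]$skewLine.Matches[0].Groups[1].Value
    if ([math]::Abs($skew) -gt 300) { Write-Warning "Clock skew $skew s exceeds Kerberos tolerance" }
    else                            { Write-Host    "Clock skew $skew s is within tolerance" }
}

# --- 3. Ask the KDC for the service ticket directly, without involving SQL Server ---
# Run this under the failing D2 identity (e.g. via runas /user:D2\someone powershell.exe);
# the KDC error text here (principal unknown, etc.) is more specific than the ODBC message.
klist get $expectedSpns[0]
```

Running section 3 under a D1 account and then a D2 account, as the original poster did with ODBCPING, isolates whether the ticket request itself fails for D2 or whether the problem lies past the KDC, and the SPN check covers the case the poster suspects, where a second SQL Server in D1 works because only one server's SPN is mis-registered.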

  • This problem is KILLING me. SPNs are OK, I have deleted and re-created the SPN several times. It's making me nuts.

    D2 still gets "Cannot Generate SSPI context" even when ODBCPING-ing from a machine in D1. On the same machine, a D1 user can ODBCPING. Server time is all good.
