March 28, 2012 at 7:43 am
Hi Guys
SQL 2012 RC0 installed on 2 servers.
From Server 2 I can connect to the instance Server 1 via Management Studio with no issues.
From Server 1 when I try to connect to the Instance on Server 2 - I get an error: Cannot generate SSPI Context.
Any Ideas
Thanks
March 28, 2012 at 11:27 pm
Is Kerberos involved?
How to troubleshoot the "Cannot generate SSPI context" error message
Need an answer? No, you need a question
My blog at https://sqlkover.com.
MCSE Business Intelligence - Microsoft Data Platform MVP
March 29, 2012 at 12:07 am
Koen Verbeeck (3/28/2012)
Is Kerberos involved?How to troubleshoot the "Cannot generate SSPI context" error message
As in Windows Authentication?
March 29, 2012 at 12:11 am
As in delegation of Windows Authentication over multiple server hops?
Need an answer? No, you need a question
My blog at https://sqlkover.com.
MCSE Business Intelligence - Microsoft Data Platform MVP
March 29, 2012 at 12:17 am
Koen Verbeeck (3/29/2012)
As in delegation of Windows Authentication over multiple server hops?
How can I check?
March 29, 2012 at 12:20 am
derekr 43208 (3/29/2012)
Koen Verbeeck (3/29/2012)
As in delegation of Windows Authentication over multiple server hops?How can I check?
Are you using Active Directory?
Need an answer? No, you need a question
My blog at https://sqlkover.com.
MCSE Business Intelligence - Microsoft Data Platform MVP
March 29, 2012 at 12:22 am
Koen Verbeeck (3/29/2012)
derekr 43208 (3/29/2012)
Koen Verbeeck (3/29/2012)
As in delegation of Windows Authentication over multiple server hops?How can I check?
Are you using Active Directory?
Yes
March 29, 2012 at 12:25 am
Go through the stackoverflow link I provided, try to figure out of AD uses Kerberos for authentication (it supports Kerberos and NTLM). If yes, go through the KB article and see if that fixes the issue.
Need an answer? No, you need a question
My blog at https://sqlkover.com.
MCSE Business Intelligence - Microsoft Data Platform MVP
March 29, 2012 at 12:27 am
Koen Verbeeck (3/29/2012)
Go through the stackoverflow link I provided, try to figure out of AD uses Kerberos for authentication (it supports Kerberos and NTLM). If yes, go through the KB article and see if that fixes the issue.
I'll go through the link provided
Thanks
March 30, 2012 at 4:13 am
Koen Verbeeck (3/29/2012)
Go through the stackoverflow link I provided, try to figure out of AD uses Kerberos for authentication (it supports Kerberos and NTLM). If yes, go through the KB article and see if that fixes the issue.
Hi
I noticed this in the Windows System Event Logs:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server: (this gives me my user name and not the server name, is this normal?).
The target name used was MSSQLSvc/servername. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (domain) is different from the client domain (domain), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
Any Ideas?
Thanks
March 30, 2012 at 4:53 am
No, I don't know a thing about Kerberos. And I like to keep it like that 🙂
Take contact with the administrators at your firm.
Need an answer? No, you need a question
My blog at https://sqlkover.com.
MCSE Business Intelligence - Microsoft Data Platform MVP
March 30, 2012 at 5:01 am
Koen Verbeeck (3/30/2012)
No, I don't know a thing about Kerberos. And I like to keep it like that 🙂Take contact with the administrators at your firm.
Thanks
I ran the following command from the Server I'm trying to connect from: setspn -L(Supposed to list all registered SPN's) server_name and I ran the same command from the Server I am trying to connect to, I just replaced the server_name
The results were different, the server I am trying to connect from had a few entries for MSSQLSvc/servername.domain:port_number and the server I am trying to connect doesn't have these registered.
I figure that I need to register the SPN on the server, I dont know what affect this will have on AD etc....
Viewing 12 posts - 1 through 11 (of 11 total)
You must be logged in to reply to this topic. Login to reply