It began with an error thrown by a linked server. The linked server is on our warehouse server and connects to our SSIS server using the “login’s current security context” option.
The error was not hugely helpful, and internet searches kept coming back with partial matches mostly with additional text. Our old friend “cannot generate SSPI context”.
What changed?
When a working thing becomes a non-working thing my first question is “what changed?” In this case nothing had changed on either server, but as I scanned through the recent changes I could see that Windows patching had happened the previous night.
Windows patching and what was starting to look like some sort of AD authentication error.
To test the emerging theory I switched the linked server to use SQL authentication and it worked as expected.
The culprit
Digging in to the patching it turned out that a bunch of domain controllers had been patched with this patch.
The known issues include the following:
“After installing the November security updates, released November 9, 2021 on your Domain Controllers (DC) that are running a version of Windows Server, you might have authentication failures on servers relating to Kerberos Tickets acquired via S4u2self.”
A hotfix was released five days later and this fixed our linked server issue.