Cannot generate SSPI context

  • Hi All

    When connecting to one of my servers, I get the following error:

    Cannot establish a connection to server "MyServer"

    Cannot generate SSPI context.

    We have refreshed, restarted our servers, even dropped our accounts and recreated them.

    Am I missing something? Any help, PLEASE....?

    Anchelin

  • Have you followed the steps outlined here: http://support.microsoft.com/kb/811889?

    http://blogs.msdn.com/sql_protocols/archive/2005/10/15/481297.aspx might be worth trying first though.

    - James

    --
    James Moore
    Red Gate Software Ltd

  • You will get this when a connection is being made using TCP/IP, and there is no (or missing) DNS record or Service Principal Name. Both are required to validate a Kerberos session.

    If using SQL 2000, make sure you are at SP4 (build 2187 preferably).

    Verify there is a valid FQDN DNS record for the server:

    - nslookup server.domain.name

    Verify that the computer object in Active Directory has "Trust computer for delegation" enabled.

    Use either LocalSystem or a domain account as the service account. Do not use a local user account on the server to start SQL or SQL Agent.

    If using LocalSystem, the Service Principal Name (SPN) should be created automatically on the _computer_ object. To verify the SPN exists:

    - setspn -L servername

    If using a domain user account, it is likely not (and should not be) a domain administrator. The SPN will have to be created manually on the _user_ object. Only a domain admin (or someone who has been delegated rights to modify the Public Information properties of the user account) can make changes to SPNs. There should be at least two:

    - setspn -A MSSQLSvc/server:portnum domain\account

    - setspn -A MSSQLSvc/server.domain.name:portnum domain\account

    I would not recommend this, but you could force Named Pipes for the connection (provided it is enabled on the SQL Server). This can be done by either:

    - disabling TCP/IP at the SQL Server

    - creating an alias for the server in the Client Network Utility (for each machine affected)

    The SETSPN utility is available on Windows 2003 SP1 servers, but can also be downloaded. Search for it on Microsoft's website.

    RRK
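
The SPN check described in the post above, as a script (an added example, not part of the original thread): it compares `setspn -L` output with the two MSSQLSvc SPNs the post lists and prints the `setspn -A` command for any that are missing. The function names, account, host names, port and sample output are constructed for illustration.

```powershell
# Added example. Builds the two SPN forms from the post: short name and FQDN, each with the port.
function Get-ExpectedSqlSpn {
    param([string]$ShortName, [string]$Fqdn, [int]$Port)
    "MSSQLSvc/${ShortName}:$Port", "MSSQLSvc/${Fqdn}:$Port"
}

# Compares the expected SPNs with the lines printed by `setspn -L <account or computer>`.
function Test-SqlSpn {
    param(
        [string[]]$SetSpnOutput,   # raw lines of setspn -L output
        [string[]]$Expected,       # SPNs that should be registered
        [string]$Account           # service account (or computer) that should hold them
    )
    # SPN lines are indented; the "Registered ServicePrincipalNames for ..." header is not.
    $registered = $SetSpnOutput |
        Where-Object { $_ -match '^\s+\S+/\S+' } |
        ForEach-Object { $_.Trim() }

    foreach ($spn in $Expected) {
        # -contains compares strings case-insensitively, which matches how SPNs are treated.
        $found = [bool]($registered -contains $spn)
        [pscustomobject]@{
            SPN        = $spn
            Registered = $found
            Fix        = if ($found) { '' } else { "setspn -A $spn $Account" }
        }
    }
}

# Constructed sample output with the short-name SPN missing.
# On a domain-joined machine, replace it with: $out = setspn -L 'EXAMPLE\svc-sql'
$out = @(
    'Registered ServicePrincipalNames for CN=svc-sql,OU=Services,DC=example,DC=com:',
    "`tMSSQLSvc/sql01.example.com:1433"
)

$expected = Get-ExpectedSqlSpn -ShortName 'sql01' -Fqdn 'sql01.example.com' -Port 1433
Test-SqlSpn -SetSpnOutput $out -Expected $expected -Account 'EXAMPLE\svc-sql' |
    Format-Table -AutoSize
```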

  • Check the event logs for w32Time errors. Fix the time synchronisation and your problem should go away.
