April 9, 2009 at 8:24 pm
Hi,
On one of our production servers, we set a separate domain account for the SQL Server services the day before yesterday. Previously they ran under the Local System account.
After that change, some users are unable to connect to the server with SSMS (SQL Server Management Studio) from other servers. They receive the error "Can't Generate SSPI Content".
But they are able to connect with SSMS on that server itself.
The problem is that we are unable to connect with SSMS from other servers.
Then we reverted the changes; currently the SQL Server services are running under the Local Account instead of the separate domain account.
Now it is working fine.
Please clarify whether there is any relation between the SQL Server service account and the error message.
System Configuration: The server has 8 core processors and is 64-bit. SQL Server 64 Enterprise Edition with SP2 is running on that system.
Regards,
S.Balavenkatesh
April 9, 2009 at 9:16 pm
When SQL Server is running as the Local System account, the server credentials are used to create an SPN record. When you modified the service account to use a domain account, that account does not have privileges to add/delete SPN records.
As a result, the old SPN record still exists but it is now incorrect. When a user tries to connect using Windows Authentication, the SPN record is found, and since it is not correct, the error message you are seeing is generated.
You can fix this by doing one of the following:
1) Manually remove the incorrect SPN record. This will downgrade all Windows authenticated connections to use NTLM instead of Kerberos. In fact, without an SPN record, Kerberos authentication is not available.
2) Manually remove the bad SPN record and manually add the correct SPN record(s). This will allow for Kerberos authentication as long as it is set up correctly. You'll want to review the articles on this site on setting up Kerberos for further information.
3) Modify the domain account and grant the necessary privileges for the account to set up/manage SPN records. I don't have the site handy, but if you search Microsoft support they have an article on how to get this set up.
Jeffrey Williams
“We are all faced with a series of great opportunities brilliantly disguised as impossible situations.”
― Charles R. Swindoll
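A sketch of options 1 and 2 from the reply above, added here as an example and not part of either poster's text: it finds the `MSSQLSvc` SPNs still registered on the server's computer account and moves them to the new service account. The account names are placeholders, and it assumes the script is run by someone with rights to edit SPNs in the domain and that `setspn -S` is available (Windows Server 2008 or later; older versions use `-A`).

```powershell
# Added example: move stale MSSQLSvc SPNs from the computer account
# to the new SQL Server service account. Dry run unless -Apply is given.
param(
    [string]$ComputerAccount = 'SQLPROD01',            # placeholder: server's AD computer account
    [string]$ServiceAccount  = 'CONTOSO\svc-sqlprod',  # placeholder: new service account
    [switch]$Apply
)

# setspn -L lists SPNs registered on one account; the SPN lines are indented.
$stale = setspn -L $ComputerAccount |
    Where-Object { $_ -match '^\s+MSSQLSvc/' } |
    ForEach-Object { $_.Trim() }

if (-not $stale) {
    Write-Host "No MSSQLSvc SPNs are registered on $ComputerAccount."
    return
}

foreach ($spn in $stale) {
    if (-not $Apply) {
        Write-Host "Would run: setspn -D $spn $ComputerAccount"
        Write-Host "Would run: setspn -S $spn $ServiceAccount"
        continue
    }
    # Option 1 stops after this delete: with no SPN, clients fall back to NTLM.
    setspn -D $spn $ComputerAccount
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Could not remove $spn; leaving it untouched."
        continue
    }
    # Option 2: register the same SPN on the service account.
    # -S refuses to create a duplicate SPN elsewhere in the domain.
    setspn -S $spn $ServiceAccount
}

# Show what the service account now owns.
setspn -L $ServiceAccount

# To confirm Kerberos is in use, connect from another machine and run:
#   SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID;
# KERBEROS means the SPN is correct; NTLM means no usable SPN was found.
```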
April 10, 2009 at 4:58 pm
Incidentally, exactly where did you change the SQL service account credentials from local to domain user?
-----------------------------------------------------------------------------------------------------------
"Ya can't make an omelette without breaking just a few eggs" 😉