The SSPI context error definitely indicates authentication is being attempted using Kerberos.
Since Kerberos authentication SQL Server’s Windows Authentication relies on Active Directory, which requires a trusted relationship between your computer and your network domain controller, you should start by validating that relationship.
You can quickly check that relationship, thru the following Powershell command Test-ComputerSecureChannel.
Test-ComputerSecureChannel -Verbose
If it returns False, you must repair your computer Active Directory secure channel, since without it no domain credencials validation is possible outside your computer.
You can repair your Computer Secure Channel, thru the following Powershell command:
Test-ComputerSecureChannel -Repair -Verbose
If the above doesn’t work (because your domain credentials don’t work because the machine isn’t trusted) you can use NETDOM RESET instead from an elevated cmd.exe (not PowerShell) prompt:
NETDOM RESET %COMPUTERNAME% /UserO:domainAdminUserName /Password0:* /SecurePasswordPrompt
(Yes, the command-line arguments really do have an O (Capital-«Oh», not zero 0). The /Password0:* /SecurePasswordPrompt option will use a credential popup instead of having you put your password directly in the command-line, which you must never do).
Check the security event logs, if you are using kerberos you should see logon attempts with authentication package: Kerberos.
The NTLM authentication may be failing and so a kerberos authentication attempt is being made. You might also see an NTLM logon attempt failure in your security event log?
You can turn on kerberos event logging in dev to try to debug why the kerberos is failing, although it is very verbose.
Microsoft’s Kerberos Configuration Manager for SQL Server may help you quickly diagnose and fix this issue.
Here is a good story to read: http://houseofbrick.com/microsoft-made-an-easy-button-for-spn-and-double-hop-issues/
Обновлено 18.06.2017
MS SQL 2014
Всем привет, сегодня расскажу как решается ошибка неверное имя целевого субъекта. Невозможно создать контекст SSPI в MS SQL 2014. Есть сервер на нем хорошо работает SL, есть рабочая машина на которой установлена Management Studio, через которую подключаются к серверу, и при попытке подключения выскакивает данная ошибка. Данная ошибка связанна с отсутствием SPN для конкретного сервера. Рассмотрим решение ниже., оно займет у нас буквально пару минут.
Неверное имя целевого субъекта. Невозможно создать контекст SSPI
В данном случае вам нужно зарегистрировать SPN для вашего сервера, как это делается читайте в статье Как настроить SPN (Service Principal Name) в SQL Server и динамическая регистрация SPN.
Материал сайта pyatilistnik.org
Июн 18, 2017 18:11
by Tashreef Shareef
Tashreef Shareef is a software developer turned tech writer. He discovered his interest in technology after reading a tech magazine accidentally. Now he writes about everything tech from… read more
Updated on October 12, 2020
- The error cannot generate SSPI context can prevent the admin and users from accessing their SQL server.
- In this article, we explore the three ways to fix this error to get you back online.
- If the issue persists, check out our dedicated SQL Server page for more fixes.
- You can also explore our Troubleshooting Hub for more helpful solutions.
XINSTALL BY CLICKING THE DOWNLOAD FILE
This software will simplify the process by both searching and updating your drivers to prevent various malfunctions and enhance your PC stability. Check all your drivers now in 3 easy steps:
- Download Outbyte Driver Updater.
- Launch it on your PC to find all the problematic drivers.
- Afterward, Click Update & Apply Selected to get the latest driver versions.
- OutByte Driver Updater has been downloaded by 0 readers this month.
The target principal name is incorrect – cannot generate SSPI context error occurs when trying to make a connection on SQL Server from a remote server with a Windows account.
This is a generic error. It can be triggered due to many reason including an outdated password, clock drift, failure to register an SPN, or Active Directory access permission.
In this article, we take a look at a few troubleshooting steps to help you resolve the cannot generate SSPI context error on the Windows server.
How can I fix the target principal name is incorrect – cannot generate SSPI context error?
1. Change SQL Service User
Try changing the SQL SERVICE user with the one that is Domain Admin. When you shut down the service, you need an account with privileges to create a new SPN (Service Principal Name).
When a service starts without it, it will trigger the error. Changing the privileges of your system account can fix the error.
However, it is always recommended for service accounts to give them the least privileges due to security reasons.
Remove the SPN entries from AD Users and Computers
- Open the Active Directory User and Computers in Advanced View.
- Look for the SSPN entries for MSSQL Svc.
- Remove all the entries associated with MSSQL Svc.
- Close AD User and Computers and check for any improvements.
- Change Active Directory permission.
2. Check your password
The error cannot generate SSPI context can occur due to password issues. If you had recently changed your password, but haven’t logged out of your account, it can trigger the error.
Try logging out and then signing in with the new password to fix the error.
In other instances, the issue could be due to password expiration. Change the expired password and login with the new credentials to see if that resolves the error.
3. Change Active Directory permission
- Run Adsiedit.msc and from the Run dialog box.
- In the Active Directory Service window, expandDomain [YourDomainName], then expand DC = RootDomainName, and then CN = Users.
- Right-click on CN= [YourAccountName] and select Properties.
- Open the Security tab.
- Click on Advanced option.
- Select any one of the SELF rows.
- Click Edit and then the Open Permission Entry window.
- Here, make sure the Principal is set to SELF, Type is set to Allow, and Applied to is set to This Object Only.
- In the Properties section, select the following.
Read servicePrincipalName
Write servicePrincipalName - Click OK to apply the changes and exit.
Try establishing a new connection and check if they cannot generate SSPI context error is resolved. Make sure you restart the SQL Services that are associated with the current account to apply the changes.
Changing the Active Directory permission is a safe option than changing the SQL server user. However, before you proceed to change the permission, make sure the problem is triggered due to permission issues.
Log in to the server where your SQL instance is running and then check the error logs to check if the error is triggered due to permission problems.
The error in the log will look something like this:
The SQL Server Network Interface library could not register the Service Principal Name (SPN) [ MSSQLSvc/servername.domainname.net:1433 ] for the SQL Server service.
Windows return code: 0x2098, state: 15. Failure to register an SPN might cause integrated authentication to use NTLM instead of Kerberos.
This is an informational message. Further action is only required if Kerberos authentication is required by authentication policies and if the SPN has not been manually registered.
The error cannot generate SSPI context can occur due to permission as well as expired credentials issues. Changing the password and permission should help you fix the error and log back into your SQL server.
Still experiencing troubles? Fix them with this tool:
SPONSORED
Some driver-related issues can be solved faster by using a tailored driver solution. If you’re still having problems with your drivers, simply install OutByte Driver Updater and get it up and running immediately. Thus, let it update all drivers and fix other PC issues in no time!
- Remove From My Forums
-
Question
-
Hi All,
I am stuck in a strange issue post installation of SQL Server 2017 Standard.
I installed a Core licensed SQL Server 2017 Standard Edition on a Server with Mixed Mode Authentication. Set up was executed successfully.
While I am connected to my network through VPN Connection. I am able to connect with Server through SQL Authentication However with Windows Authentication it does not connects and fails out with message as «The target principal name is incorrect.
Cannot generate SSPI Context.»However when i tried to connect through LAN with Windows Authentication it let me connect without any issues.
Can you please help me in resolving the connectivity issue over VPN for Windows Authentication.
Below are the error details
===================================
The target principal name is incorrect. Cannot generate SSPI context. (.Net SqlClient Data Provider)
——————————
For help, click: http://go.microsoft.com/fwlink?ProdName=Microsoft%20SQL%20Server&EvtSrc=MSSQLServer&EvtID=0&LinkId=20476——————————
Server Name: 000.000.00.00
Error Number: 0
Severity: 11
State: 0
Procedure: GenClientContext——————————
Program Location:at System.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity identity, SqlConnectionString connectionOptions, SqlCredential credential, Object providerInfo, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance,
SqlConnectionString userConnectionOptions, SessionData reconnectSessionData, DbConnectionPool pool, String accessToken, Boolean applyTransientFaultHandling, SqlAuthenticationProviderManager sqlAuthProviderManager).
.
.
.
Thank You.
Best Regards, Sunil Sharma
-
Edited by
Thursday, April 23, 2020 12:25 PM
-
Changed type
pituachMVP
Friday, April 24, 2020 5:58 PM
not a question -
Changed type
pituachMVP
Friday, April 24, 2020 5:59 PM
mistakenly changed the type before
-
Edited by
Answers
-
Hi Sunilsharma,
>The target principal name is incorrect. Cannot generate SSPI context. (.Net SqlClient Data Provider)
This is a typical Kerberos authentication failure. There are various reasons for this error. The most common one is the SPN problem. Many cases of this error have been found due to abnormal KDC operation or abnormal TGS service. You can reference: how-to-troubleshoot-the-cannot-generate-sspi-context-error-message
You can also try workaround as next:
If you use your domain account to log in, you should grant the account rights of Read and Write SPN, and then restart the server with this account.
1.Make sure TCP/IP Protocols are enabled and configured correctly;
2.Close the firewall;
3.In your DC, run->”adsiedit.msc”
4.Assume that the start account is YXAdministrator, Administrator->Properties->Security->Advanced->Permissions->Add->Select a principle->Input “SELF”->OK (as next screenshot shows)5.Choose “Read serverPrincipalName” and “Write serverPrincipalName” (as next screenshot shows)
6.Use this account restart your server and browser;
Note:
You need to note that when solving Kerberos-related problems, you may encounter this situation: clearly all the conditions required for Kerberos are configured.
OK, but you still get Kerberos errors or NTLM errors when you test the connection. At this time, you may wish to try the following two tricks:(1) There may be multiple DCs in a domain environment, and the series of changes you make during the investigation will only affect one of the DCs. maybe
You can use another DC to connect the client to SQL Server, but this DC has not been synchronized to the series of changes you made before.
At this time, you do not need to wait for automatic synchronization between DCs to occur, you can run the following statement to force synchronization between DCs:
Repadmin / syncall(2) Credential Cache may also be a problem. Credential Cache is used by Kerberos to cache authentication information on this machine. It mainly contains TGT and Session tickets. Since Credential Cache has a life cycle (usually 10 hours) on the machine, if the
client has received incorrect authentication information and cached it, it will use this information to access SQL Server until the cache expires. So you will always get errors. The solution is to clear the Credential Cache by any of the following three methods.
1) Use the klist.exe purge command
2) Use kerbtray tool
3) Restart the entire machineBest Regards.
yuxi
MSDN Community Support
Please remember to click «Mark as Answer» the responses that resolved your issue, and to click «Unmark as Answer» if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to
MSDN Support, feel free to contact MSDNFSF@microsoft.com-
Proposed as answer by
pituachMVP
Friday, April 24, 2020 6:01 PM -
Marked as answer by
Sunilsharma
Thursday, April 30, 2020 3:36 PM
-
Proposed as answer by
-
What
yuxi666 mentioned is really good!What i can add… check if the SPN for SQL has been added to the SQL Service account.
1. On your SQL Server, open SQL Server Configuration Manager
2. Look at the Log On As column for the SQL Server service.
3. Open a command prompt and type the following command:
setspn -l [Log on account]
For example, if the log on account is Domainsvc-sql the command line would be
setspn -l Domainsvc-sqlIf the account is NT AuthorityLocal System, the account is the computer account. Then the command line would be
setspn -l [SQL_Computername]The SQL SPN should look like this: MSSQLSvc/[SQLServerName]:Port
If the SPN is not configured, that should explain why you receive the error Cannot generate SSPI context
https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/register-a-service-principal-name-for-kerberos-connections?view=sql-server-ver15
hth
This posting is provided AS IS without warranty of any kind
-
Proposed as answer by
pituachMVP
Friday, April 24, 2020 6:02 PM -
Marked as answer by
Sunilsharma
Thursday, April 30, 2020 3:36 PM
-
Proposed as answer by
-
Hi Sunilsharma,
This may be one network issue.
Could you please upload the error log here?
the path is:
Program FilesMicrosoft SQL ServerMSSQL.nMSSQLLOGERRORLOGandERRORLOG.nPlease check whether this is helpful:
trusted-connection-to-sql-fails-after-connecting-to-a-vpn, connect-to-sql-via-windows-authentication-over-vpn
Best Regards.
yuxi
MSDN Community Support
Please remember to click «Mark as Answer» the responses that resolved your issue, and to click «Unmark as Answer» if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to
MSDN Support, feel free to contact MSDNFSF@microsoft.com-
Marked as answer by
Sunilsharma
Thursday, April 30, 2020 3:25 PM
-
Marked as answer by
I am working on a .NET application where I am trying to build the database scripts. While building the project, I am getting an error «Cannot create SSPI context.». This error is shown in the output window (inside VS2008 screen) and the building process failed. Please help on this. SQL Server is configured to work on Windows authentication & running as network service (these two things are must for my project).
Please help on this. This error is not seems to be consistent. It was fixed in the past by restarting the machine, changing the system time to match the domain time and some suggestions in the net. Please help on this.
Brian Webster
29.8k48 gold badges150 silver badges225 bronze badges
asked Nov 28, 2009 at 13:41
2
It sounds like your PC hasn’t contacted an authenticating domain controller for a little while. (I used to have this happen on my laptop a few times.)
It can also happen if your password expires.
Tony L.
17k8 gold badges69 silver badges65 bronze badges
answered Nov 28, 2009 at 13:48
Jeremy McGeeJeremy McGee
24.7k10 gold badges62 silver badges95 bronze badges
7
It’s quite a common error with a variety of causes: start here with KB 811889
- What version of SQL Server?
- And Windows on client and server?
- Local or network SQL instance?
- Domain or workgroup? Provider?
- Changing password
- Local windows log errors?
- Any other apps affected?
answered Nov 28, 2009 at 13:48
gbngbn
419k81 gold badges582 silver badges672 bronze badges
3
This error usually comes when the Windows user account is expired and he is already logged in with old password.
Just ask the user to restart his machine and check if the password is expired or he has changed the password.
Hope this helps!!!!!
answered Sep 13, 2016 at 10:17
I had the same issue after changing the user which was running the MSSQLSERVER-Service
To solve incorrect SPNs with SQL Server I used this tool
http://www.microsoft.com/en-us/download/details.aspx?id=39046 — Microsoft® Kerberos Configuration Manager for SQL Server
In my case it worked pretty well.
answered Dec 24, 2014 at 22:24
Erik MandkeErik Mandke
1,5773 gold badges23 silver badges30 bronze badges
First thing you should do is go into the logs (ManagementSQL Server Logs) and see if SQL Server successfully registered the Service Principal Name (SPN). If you see some sort of error (The SQL Server Network Interface library could not register the Service Principal Name (SPN) for the SQL Server service) then you know where to start.
We saw this happen when we changed the account SQL Server was running under. Resetting it to Local System Account solved the problem. Microsoft also has a guide on manually configuring the SPN.
answered Mar 19, 2014 at 12:23
AndrewAndrew
8,9818 gold badges45 silver badges59 bronze badges
1
If you are hosting on IIS, make sure the password for the AppPool account has not changed.
If it has, then follow these steps:
- Go to IIS
- Click on Application Pools
- Select the AppPool of your application
- Right Click on your AppPool
- Advanced settings
- Identity
- Update Password
- Restart AppPool
caesay
16.8k14 gold badges96 silver badges159 bronze badges
answered Oct 16, 2015 at 19:09
MaheshMahesh
3,6371 gold badge39 silver badges48 bronze badges
0
I resolved my Cannot Generate SSPI Context error by using the SQL Server Configuration Manager. Since I have SQL Server native client 10.0 on my machine, the connection to the server is trying to use named pipes (or shared memory?). Other machines could run my app with no problem. When I looked at the configuration manager, named pipes and shared memory were both enabled (good). However, under alias, the name of the computer was there with TCP forced. Since I didn’t know what effect changing this would have, I changed the connection string in my program to use <servername>.<domainname> instead. Fixed.
Adi Inbar
11.9k13 gold badges55 silver badges69 bronze badges
answered Dec 7, 2012 at 21:29
1
The «Cannot Generate SSPI Context» error is very generic and can happen for a multitude of reasons. Is just a cover error for any underlying Kerberos/NTLM error. Gbn’s KB article link is a very good starting point and usualy solves the issues. If you still have problems I recommend following the troubleshooting steps in Troubleshooting Kerberos Errors.
answered Nov 28, 2009 at 17:34
Remus RusanuRemus Rusanu
286k40 gold badges432 silver badges566 bronze badges
I also issued this problem, and the server admins solved it by following the same solution as indu_teja proposed in http://www.sqlservercentral.com/Forums/Topic546566-146-1.aspx
The solution proposed by indu_teja says :
If you get this «SSPI Context Error». The issues we face are:
- We will not be able to connect to SQL Server remotely.
- However we will be able to connect to server with local account.
CAUSE: The issue might be becasue of no proper sync happenign fro the
SPNs in Active directory.RESOLUTION:
- You need to reset SPN. Use the synytax «SET SPN». You can check the syntax in net once.
- Change your sql server service account from domain account to Local account, recycle sql, and then reset again with your domain account and recycle sql server.
answered Sep 19, 2013 at 19:05
I just had the same problem and all I did was delete the user log in credentials in sql server using another user id and adding them back.
answered Oct 14, 2013 at 11:19
Here is my case. I had a remote machine that hosted SQL Server. From my local machine, I was trying to access the SQL instance via some C# code and I was getting this error. My password for the user account on my machine/domain had expired. I fixed it with the following:
- Opened the remote machine, which prompted me for a password change
- I changed my password within this prompt and logged into the remote machine
- I «locked» my local machine (using
windows+Lkey so I didn’t have to completely sign off) so that I could get back to the sign-on page - I signed back onto my local machine with the new password
Everything then worked fine.
answered Aug 10, 2016 at 19:53
AlbatrossCafeAlbatrossCafe
1,6826 gold badges26 silver badges49 bronze badges
In my case it was a missing SPN, had to run these two commands:
setspn -a MSSQLSvc:SERVERNAME SERVERNAME
setspn -a MSSQLSvc:SERVERNAME:1433 SERVERNAME
In other words in my case I had the FQDN in there already correctly but not just the NETBIOS name, after adding these it worked fine. Well initially it didn’t but after waiting 2 minutes it did.
answered Aug 31, 2016 at 13:21
ebooyensebooyens
6083 gold badges9 silver badges21 bronze badges
I had this error- it happened because my password expired and I had to change it. I didn’t notice it, because in some programs I could still log in and everything would work normally (including windows), but I couldn’t log to any sql servers.
answered May 8, 2017 at 7:39
XyzkXyzk
1,3222 gold badges21 silver badges36 bronze badges
Perhaps you have used Integrated Security = SSPI in connection string. SSPI is used for Trusted connections using Windows Authentication.hence, to work properly in windows authentication, either your system and database server should be in same domain and using same DNS server address, or should be in trusted domain.
if your system and database server is in same domain, Check DNS server address of IPV4 properties in your system’s network connection and provide same DNS server being used by database server.
answered Jun 29, 2018 at 13:13
In vb.net, if you are using a linked server than check your connection string. Integrated Security=true; doesn’t work in all SQL providers, it throws an exception when used with the OleDb provider. So basically Integrated Security=SSPI; is preferred since works with both SQLClient & OleDB provide. If you still hit with error, remove the syntax completely.
answered Apr 4, 2019 at 14:49
I can able to get this resolved by resetting the domain (server machine, which is the domain server, but not related to SQL Server except domain managing) followed by the client machines.
Thank you all for your immediate support!
answered Nov 29, 2009 at 9:26
PrasannaPrasanna
7602 gold badges6 silver badges16 bronze badges
Had a really weird instance of this; All the web products that had connection strings containing the windows computer name of the SQL server worked fine, but the products that had a FQDN with the internal domain attached gave an SSPI error.
i.e.
COMPUTERNAME
vs
COMPUTERNAME.DOMAIN
(ping always worked as expected)
This ONLY gave problems when a new SQL server was being used and hosts files pointed both the computer name and the computername as a FQDN for the connection strings.
Solution in this case was to set all the connection strings to the computer name only, removing the domain references.
SQL : 2008R2 SQL2012
IIS : 2008R2
answered Jan 21, 2014 at 11:12
robrob
8,0268 gold badges58 silver badges68 bronze badges
We had this issue on instances in which we changed the service user from Domain1ServiceUser to Domain2ServiceUser. The SPNs remained registered under Domain1ServiceUser, and never registered under Domain2ServiceUser. We registered the SPNs under Domain2ServiceUser, but the issue persisted. We then removed the SPNs under Domain1ServiceUser, and the issue was resolved.
answered Jul 3, 2019 at 14:31
1
In case you are running a code not written in your computer, that runs in a computer used by your work peer, but not in yours, check the web.config.
Maybe there is your colleague’s name as userPrincipalName at some place that should be in blank. That happens automatically when we create a service reference to the project in VS.
answered Jul 10, 2019 at 12:11
I am able to solve it by running the following commands.
Run CMD in admin mode
klist.exe -li 0x3e7 => if you see no output or error then continue and from last command try these commands once again.
klist.exe -li 0x3e7 purge
gpupdate /force
gpresult /r /scope computer
klist purge
runas /user:[your domain here][your user name here] cmd.exe
klist.exe sessions | findstr /i [your hostname here in the new opened cmd window]
Try again these commands depending upon the condition specified, and then restart your PC.
answered Feb 9, 2022 at 13:26
AZ_AZ_
21.6k25 gold badges142 silver badges191 bronze badges
by Tashreef Shareef
Tashreef Shareef is a software developer turned tech writer. He discovered his interest in technology after reading a tech magazine accidentally. Now he writes about everything tech from… read more
Updated on October 12, 2020
- The error cannot generate SSPI context can prevent the admin and users from accessing their SQL server.
- In this article, we explore the three ways to fix this error to get you back online.
- If the issue persists, check out our dedicated SQL Server page for more fixes.
- You can also explore our Troubleshooting Hub for more helpful solutions.
XINSTALL BY CLICKING THE DOWNLOAD FILE
This software will keep your drivers up and running, thus keeping you safe from common computer errors and hardware failure. Check all your drivers now in 3 easy steps:
- Download DriverFix (verified download file).
- Click Start Scan to find all problematic drivers.
- Click Update Drivers to get new versions and avoid system malfunctionings.
- DriverFix has been downloaded by 0 readers this month.
The target principal name is incorrect – cannot generate SSPI context error occurs when trying to make a connection on SQL Server from a remote server with a Windows account.
This is a generic error. It can be triggered due to many reason including an outdated password, clock drift, failure to register an SPN, or Active Directory access permission.
In this article, we take a look at a few troubleshooting steps to help you resolve the cannot generate SSPI context error on the Windows server.
How can I fix the target principal name is incorrect – cannot generate SSPI context error?
1. Change SQL Service User
Try changing the SQL SERVICE user with the one that is Domain Admin. When you shut down the service, you need an account with privileges to create a new SPN (Service Principal Name).
When a service starts without it, it will trigger the error. Changing the privileges of your system account can fix the error.
However, it is always recommended for service accounts to give them the least privileges due to security reasons.
Remove the SPN entries from AD Users and Computers
- Open the Active Directory User and Computers in Advanced View.
- Look for the SSPN entries for MSSQL Svc.
- Remove all the entries associated with MSSQL Svc.
- Close AD User and Computers and check for any improvements.
- Change Active Directory permission.
2. Check your password
The error cannot generate SSPI context can occur due to password issues. If you had recently changed your password, but haven’t logged out of your account, it can trigger the error.
Try logging out and then signing in with the new password to fix the error.
In other instances, the issue could be due to password expiration. Change the expired password and login with the new credentials to see if that resolves the error.
3. Change Active Directory permission
- Run Adsiedit.msc and from the Run dialog box.
- In the Active Directory Service window, expandDomain [YourDomainName], then expand DC = RootDomainName, and then CN = Users.
- Right-click on CN= [YourAccountName] and select Properties.
- Open the Security tab.
- Click on Advanced option.
- Select any one of the SELF rows.
- Click Edit and then the Open Permission Entry window.
- Here, make sure the Principal is set to SELF, Type is set to Allow, and Applied to is set to This Object Only.
- In the Properties section, select the following.
Read servicePrincipalName
Write servicePrincipalName - Click OK to apply the changes and exit.
Try establishing a new connection and check if they cannot generate SSPI context error is resolved. Make sure you restart the SQL Services that are associated with the current account to apply the changes.
Changing the Active Directory permission is a safe option than changing the SQL server user. However, before you proceed to change the permission, make sure the problem is triggered due to permission issues.
Log in to the server where your SQL instance is running and then check the error logs to check if the error is triggered due to permission problems.
The error in the log will look something like this:
The SQL Server Network Interface library could not register the Service Principal Name (SPN) [ MSSQLSvc/servername.domainname.net:1433 ] for the SQL Server service.
Windows return code: 0x2098, state: 15. Failure to register an SPN might cause integrated authentication to use NTLM instead of Kerberos.
This is an informational message. Further action is only required if Kerberos authentication is required by authentication policies and if the SPN has not been manually registered.
The error cannot generate SSPI context can occur due to permission as well as expired credentials issues. Changing the password and permission should help you fix the error and log back into your SQL server.
Still having issues? Fix them with this tool:
SPONSORED
If the advices above haven’t solved your issue, your PC may experience deeper Windows problems. We recommend downloading this PC Repair tool (rated Great on TrustPilot.com) to easily address them. After installation, simply click the Start Scan button and then press on Repair All.
Newsletter
Use setspn -X to look for duplicate SPNs for the SQL Server in question.
Remove any duplicate SPNs that don’t line up the SQL Server Service account in question.
Service Principal Names for SQL Server take the form of:
MSSQLSvc/server.domain:port MSSQLSvc/server:port
Assuming your SQL Server is using the default TCP port, 1433, I would expect you need the following servers:
MSSQLSvc/MASSQL.abc.com:1433 MSSQLSvc/MASSQL:1433
You can create those SPNs using the following command:
SETSPN -A MSSQLSvc/MASSQL.abc.com:1433 DOMAINAccount SETSPN -A MSSQLSvc/MASSQL:1433 DOMAINAccount
Where DOMAINAccount is the name of the service account used by SQL Server.
If your SQL Server uses a named instance, the SETSPN commands look like:
SETSPN -A MSSQLSvc/MASSQL.abc.com:1433 DOMAINAccount SETSPN -A MSSQLSvc/MASSQL:1433 DOMAINAccount SETSPN -A MSSQLSvc/MASSQL.abc.com:INSTANCENAME DOMAINAccount SETSPN -A MSSQLSvc/MASSQL:INSTANCENAME DOMAINAccount
SSPI — это краткая форма для Интерфейс поставщика поддержки безопасности. Это набор MS Windows API. Он обеспечивает аутентификацию сокетов TCP / IP, которые являются уровнями передачи данных в сети. Проще говоря, при передаче данных с одного компьютера на другой по TCP / IP SSPI выдает маркер безопасности. Это обеспечит безопасную передачу данных между отправляющим и принимающим устройствами. Иногда SSPI назначает маркер безопасности для принимающего устройства с помощью проверки подлинности Kerberos. Если Kerberos не может правильно назначить токен, мы увидим не может сгенерировать контекст SSPI ошибка.
Когда возникает эта ошибка, происходит сбой подключения к серверу SQL. Появится сообщение «Ошибка подключения. Не удается подключиться». В этом руководстве я объясню вам, как решить эту проблему. Есть несколько обходных путей, которые в идеале должны решить эту ошибку. Давай проверим их.
Содержание страницы
-
1 Устранение неполадок: ошибка «Не удается создать контекст SSPI» (SQL Server)
- 1.1 Остановите SQL Server
- 1.2 Перезапустите службу SQL Server и закройте ее.
- 1.3 Перезапустите учетную запись домена, чтобы исправить не удается создать ошибку контекста SSPI
- 1.4 Попробуйте подключить SQL Monitor
- 1.5 Используйте инструмент управления конфигурацией Microsoft Kerberos
Вот различные обходные пути, которые вы можете попытаться исправить из-за ошибки создания контекста SSPI.
Остановите SQL Server
- Открыть Диспетчер конфигурации SQL Server
- Выберите SQL-сервер, на котором размещена услуга
- Щелкните сервер правой кнопкой мыши> щелкните Стоп
Перезапустите службу SQL Server и закройте ее.
- Выберите Учетная запись локальной системы
- Нажмите ОК
- Перейдите к Общий таб. Нажмите Начинать
- Подождите, чтобы подтвердить статус услуги началось.
- Теперь щелкните сервер правой кнопкой мыши и выберите Стоп
Перезапустите учетную запись домена, чтобы исправить не удается создать ошибку контекста SSPI
- Нажмите на Этот аккаунт из вкладки «Вход в систему»
- введите данные учетной записи домена SQL Server
- Затем нажмите ОК
- Перейти к Общий вкладка> щелкните Начинать
Попробуйте подключить SQL Monitor
- Перейти к Страница отслеживаемых серверов
- Под Конфигурация щелкнуть Контролируемые серверы
- Перейдите к Действия меню
- Нажмите на Повторить подключение
Используйте инструмент управления конфигурацией Microsoft Kerberos
Существует второй способ устранения ошибки «Не удается создать контекст SSPI». В этом методе вам необходимо загрузить средство управления конфигурацией Microsoft Kerberos. Загрузите его в любую систему, работающую в домене. Вы можете получить инструмент бесплатно на веб-сайте Microsoft.
Итак, это все о невозможности создания ошибки контекста SSPI на серверах SQL и различных способах решения этой проблемы.
Другие руководства,
- Как исправить: Защитник Windows не обновляется
- Аккумулятор не заряжается после обновления Windows 10: как исправить
- Исправить неисправимую ошибку Windows 10 Whea
Рекламные объявления Здесь мы расскажем, как разблокировать загрузчик на UMiDIGI Power. Если вы ищете…
Реклама В наши дни смартфоны становятся одним из самых полезных предметов повседневной жизни, с которыми люди не могут жить или…
Рекламные объявления Были ли у вас проблемы с телефоном, которые то и дело зависают? Если да…