Sspi context vista

Go to the error logs and look for the last time that the SQL service was restarted. You should find an error message similar to this:. Windows return code: 0x, state: This is an informational message. Further action is only required if Kerberos authentication is required by authentication policies and if the SPN has not been manually registered. This is great. At least now we have verified that the problem is related to the SPN and we are ready to apply the fix. You should now see an entry similar to this:.

There may be a temporary workaround that will probably allow you to get to the database. Workaround : On each client computer trying to connect to the SQL Server, create an entry in each workstation's host file. The exact mechanism this uses to fix the issue is unconfirmed but it may be that using it overrides the need for the SPN. While this isn't guaranteed to be fix for all cases it will most likely get you back up and running. This should not be considered a permanent fix.

You should resolve the SPN or other issues in an ideal situation. However if you're having issues with old Windows machines running an unsupported operating system or if you're just doing proof of concept disaster recovery testing this should get you where you need to be to keep the lights on or production back up and running. I've made some researches to know why this happens.

It says that when you shutdown the service, you need an account with privileges do create a new SPN when it turns on again. I had a similar issue. I was then able to access SQL Server remotely. I experienced this issue just recently.

I could connect with the IP address. Once I removed this and then added it to the service account, and rebooted the SQL machine, everything worked as it should. Happy to provide more details if needed.

When you are running your service account using a local account you will not have this issue, but if you run your serice accounts as an active directory user, then it will need permissions to create its own SPN. If it does not have this permission, you should manually create the SPN. I think the easier approach is to install Kerebos Configuration Manager and run the diagnostic check. I ran into this error when my Account was Locked-Out and I wasn't aware of it yet.

I was still logged into Windows at the time, so I couldn't figure out why at first. Lock your station and try logging back in to see if your Windows Account is locked-out. It mostly happens when you are working on an office laptop and you are changing password at home. It worked for me this way. Connect to the VPN on you laptop and make sure everything else is closed.

Lock your screen and wait for mins so that your new password would be synchronized. Unlock with the new password and you sql server should connect without an issue.

Sign up to join this community. The best answers are voted up and rise to the top. Kerberos authentication is available only on Windows based computers that have Kerberos authentication enabled and that are using Active Directory. This notifies the underlying security provider to perform negotiate delegation. If you cannot obtain the cause of the problem by using the troubleshooting steps in this article, collect the following information and open a Microsoft Customer Support CSS case.

For a complete list of Microsoft Customer Support telephone numbers and information about support costs, go to the following Microsoft website:. Generate a sqldiag report from SQL Server. Open a command prompt on the node that cannot connect to SQL Server, and then type the following command:. In a clustered environment, find the value of following registry key for each node of the cluster:.

In a clustered environment, see whether the following registry key exists on each cluster server node:. Capture the results if you ping the computer name or the SQL Network Name on a cluster from the client.

References For more information about how Kerberos authentication and SSPI security works, click the following article numbers to view the articles in the Microsoft Knowledge Base:. You are using Integrated Security. Kerberos authentication is used to perform the security delegation. Port: This is the port number that the service is listening on. For example, the SSPI error may occur in one of the following situations: The domain account is locked out.

Notes DomainName is a placeholder for the name of the domain. On the Security tab, click Advanced. Important We recommend that you do not grant WriteServicePrincipalName right to the SQL service account when the following conditions are true: There are multiple domain controllers. SQL Server is clustered. Verify the server environment Check some basic settings on the computer where SQL Server is installed: Kerberos authentication is not supported on Windows based computers that are running Windows Clustering unless you have applied Service Pack 3 or a later version to Windows For more information, click the following article number to view the article in the Microsoft Knowledge Base: Kerberos authentication support on Windows based server clusters Verify that the server is running Windows Service Pack 1 SP1.

For more information about Kerberos authentication support on Windows based servers, click the following article number to view the article in the Microsoft Knowledge Base: "Cannot generate SSPI context" error message is displayed when you connect to SQL Server On a cluster, if the account that you use to start SQL Server, SQL Server Agent, or full-text search services changes, such as a new password, follow the steps that are provided in the following Microsoft Knowledge Base article: How to change service accounts for a clustered computer that is running SQL Server Verify that the account that you use to start SQL Server has the appropriate permissions.

For more information about how to determine whether you are using cached credentials, click the following article number to view the article in the Microsoft Knowledge Base: User is not alerted when logging on with domain cached credentials Verify that the dates on the client and the server are valid. Capture a screen shot of the error on the client. See whether you can connect by using Named Pipes protocol.

Need more help? Expand your skills. Get new features first. Was this information helpful? Yes No. Thank you! Any more feedback? The more you tell us the more we can help.

Can you help us improve? Resolved my issue. Clear instructions. Easy to follow. No jargon. Pictures helped. Didn't match my screen. Incorrect instructions.