2017-06-08

The target principal name is incorrect. Cannot generate SSPI context.

You might encounter this error when trying to connect remotely to MS SQL via Management Studio. Basically it means that Kerberos is not working. You can verify this by running this query while connected to MS SQL locally:

select auth_scheme from sys.dm_exec_connections where session_id=@@spid

You should see NTLM in the result if Kerberos is not working.

The error says that the SPN is incorrect; however, you may verify that the SPN is actually OK:
SETSPN -L

Additionally, on the domain controller you might see a similar event logged:


While processing an AS request for target service krbtgt, the account did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes : 18 17 3. The accounts available etypes : 23 -133 -128. Changing or resetting the password of will generate a proper key.

In my case I solved this by changing the SQL Server service account to a newly created one, since I was not able to reset the password for it, due to the fact that it might have been used elsewhere. Generally, resetting the password for that account, as suggested in the event log, should also fix this.
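
As an added illustration (not code from the original post), the following Python parses the domain controller event quoted above and shows that the encryption types the client requested and the ones the account has keys for do not overlap, which is why no ticket can be generated. The etype name table, the function names and the sample constant are assumptions made for this example.

```python
import re

# Kerberos encryption type numbers as they appear in KDC events.
# Negative values are Microsoft-specific legacy RC4 variants.
ETYPE_NAMES = {
    1: "DES-CBC-CRC", 3: "DES-CBC-MD5",
    17: "AES128-CTS-HMAC-SHA1-96", 18: "AES256-CTS-HMAC-SHA1-96",
    23: "RC4-HMAC", 24: "RC4-HMAC-EXP",
    -128: "RC4-MD4", -133: "RC4-HMAC-OLD", -135: "RC4-HMAC-OLD-EXP",
}

_REQ = re.compile(r"requested etypes\s*:\s*((?:-?\d+\s*)+)", re.I)
_AVAIL = re.compile(r"accounts? available etypes\s*:\s*((?:-?\d+\s*)+)", re.I)


def _numbers(pattern, text):
    """Extract one space-separated etype list from the event text."""
    m = pattern.search(text)
    if m is None:
        raise ValueError("etype list not found in event text")
    return [int(n) for n in m.group(1).split()]


def analyze_kdc_event(text):
    """Return requested and available etypes plus the ones both sides share."""
    requested = _numbers(_REQ, text)
    available = _numbers(_AVAIL, text)
    common = [e for e in requested if e in available]
    return {"requested": requested, "available": available, "common": common}


def describe(etypes):
    """Map etype numbers to readable names; unknown values are kept visible."""
    return [ETYPE_NAMES.get(e, f"unknown({e})") for e in etypes]


# Event text as quoted in the post (the account name is missing there too).
SAMPLE_EVENT = (
    "While processing an AS request for target service krbtgt, the account "
    "did not have a suitable key for generating a Kerberos ticket (the missing "
    "key has an ID of 1). The requested etypes : 18 17 3. The accounts "
    "available etypes : 23 -133 -128. Changing or resetting the password of "
    "will generate a proper key."
)

if __name__ == "__main__":
    result = analyze_kdc_event(SAMPLE_EVENT)
    print("requested:", describe(result["requested"]))
    print("available:", describe(result["available"]))
    print("usable   :", describe(result["common"]) or "none, no shared etype")
```

For the event in this post the shared list is empty: the request offers AES and DES, while the account only holds RC4-family keys.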

Links:
https://blogs.msdn.microsoft.com/meer_alam/2015/05/10/the-target-principal-name-is-incorrect-cannot-generate-sspi-context/ 

2017-03-29

Enabling AntiSpam agents on Exchange 2016 Mailbox server, including Connection Filtering Agent

If you have no Edge server and want to use Exchange anti-spam features, you probably already know how to install the anti-spam agents on a Mailbox server:

& $env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1

However, this does not enable the Connection Filtering agent, which is by far the most useful of all the agents, since it allows you to use online blacklists. To enable it, run the following in the Exchange shell (one line):

Install-TransportAgent -Name "Connection Filtering Agent" -TransportService FrontEnd -TransportAgentFactory "Microsoft.Exchange.Transport.Agent.ConnectionFiltering.ConnectionFilteringAgentFactory" -AssemblyPath "C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\agents\Hygiene\Microsoft.Exchange.Transport.Agent.Hygiene.dll"

You will also need to configure it with your favorite RBLs, for example:

Add-IPBlockListProvider -Name zen.spamhaus.org -LookupDomain zen.spamhaus.org -AnyMatch $true -Enabled $true
Add-IPBlockListProvider -Name bl.spamcop.net -LookupDomain bl.spamcop.net -AnyMatch $true -Enabled $true
Add-IPBlockListProvider -Name b.barracudacentral.org -LookupDomain b.barracudacentral.org -AnyMatch $true -Enabled $true
Enable-TransportAgent -TransportService FrontEnd -Identity "Connection Filtering Agent"
Restart-Service MSExchangeTransport

Links: