2017-06-08

The target principal name is incorrect. Cannot generate SSPI context.

You might encounter this error when trying to connect remotely to MS SQL via management studio. Basically it means that Kerberos is not working, you can verify this by running this query while connected to MS SQL locally:

select auth_scheme from sys.dm_exec_connections where session_id=@@spid

 You should see NTLM in the result if Kerberos is not working.

The error says that SPN is incorrect, however you verify that SPN is actually ok:
SETSPN -L

Additionally on domain controller you might see similar event logged:


While processing an AS request for target service krbtgt, the account did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes : 18 17 3. The accounts available etypes : 23 -133 -128. Changing or resetting the password of will generate a proper key.

In my case I solved this by changing the SQLServer service account to a newly created one, since I was not able to reset the password for it, due to the fact it might have been used elsewhere. Generally resetting password for that account as suggested in the event log should fix this also. 

Links:
https://blogs.msdn.microsoft.com/meer_alam/2015/05/10/the-target-principal-name-is-incorrect-cannot-generate-sspi-context/ 

No comments:

Post a Comment