Event ID 40960 Cannot generate SSPI context

10 March, 2011 by Jack Vamvas

Kerberos manages the authentication method on most Windows-hosted database server systems I work on. It is a method of authenticating client and server entities.

If Windows Authentication is used, SQL Server uses Kerberos via the Security Support Provider Interface (SSPI). The SSPI accesses a set of Windows APIs that manage the delegation/authentication of the data transport layer, e.g. TCP/IP. From a SQL Server perspective, the SSPI permits the Windows operating system to delegate the user security token from one server to another.

To check whether the current connection uses Kerberos, issue the SQL statement:

SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID;

The "Cannot generate SSPI context" error message is triggered when SSPI uses Kerberos to delegate over TCP/IP and Kerberos cannot complete the operations needed to delegate the security token to the destination server. There are a number of reasons this can occur.

If integrated security is used, the driver will attempt to resolve the fully qualified DNS name of the target SQL Server. That DNS name is used to form the Service Principal Name (SPN). If the API runs into issues while resolving the IP or hostname, the result is an invalid SPN. The key aspect of the SPN is that it must be registered with Active Directory. After registration, the SPN is mapped to the start-up account of the SQL Server service. If the registration has failed or some other problem occurs, Windows security cannot determine the account associated with the SPN, which means Kerberos will not be used.

I’ve recently been getting a few on a particular server – initially I was rebooting the server – which cleared the problem.

It turns out there was a DNS issue regarding reverse lookups – all cleared.
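One way to check the DNS and SPN prerequisites described above, as an added PowerShell example that is not from the original post. The host name and port are placeholders, the function name is hypothetical, and the script assumes a domain-joined machine with setspn.exe available and the usual MSSQLSvc/<fqdn>:<port> SPN form for a TCP connection.

```powershell
# Added example: host name and port are placeholders, not values from the post.
param(
    [string]$SqlHost = 'sqlhost01',   # placeholder server name
    [int]$Port = 1433                 # assumed TCP port of the instance
)

# Hypothetical helper: checks forward/reverse DNS agreement and SPN registration.
function Test-SqlSpnPrerequisites {
    param([string]$SqlHost, [int]$Port)

    # Forward lookup: the FQDN a client driver would use to build the SPN.
    $entry = [System.Net.Dns]::GetHostEntry($SqlHost)
    $fqdn  = $entry.HostName

    $result = [ordered]@{
        Fqdn            = $fqdn
        Spn             = "MSSQLSvc/${fqdn}:$Port"
        ReverseMismatch = @()
        SpnRegistered   = $false
        SetSpnOutput    = ''
    }

    # Reverse lookup: every address should map back to the same FQDN.
    foreach ($ip in $entry.AddressList) {
        try {
            $ptr = [System.Net.Dns]::GetHostEntry($ip).HostName
        } catch {
            $ptr = '<no PTR record>'
        }
        if ($ptr -ne $fqdn) {   # -ne compares strings case-insensitively
            $result.ReverseMismatch += "$ip -> $ptr"
        }
    }

    # Query Active Directory for the SPN (setspn -Q searches for it).
    $out = & setspn.exe -Q $result.Spn 2>&1
    $result.SpnRegistered = [bool]($out -match 'Existing SPN found')
    $result.SetSpnOutput  = ($out | Out-String).Trim()

    [pscustomobject]$result
}

Test-SqlSpnPrerequisites -SqlHost $SqlHost -Port $Port | Format-List
```

A non-empty ReverseMismatch list points at the kind of reverse-lookup problem mentioned above, and SpnRegistered = False means Active Directory has no account mapped to the SPN the client would request.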

Read More

SQL Server - SSPI handshake failed with error code 0x80090304 while establishing a connection with integrated security

SQL Server - Kerberos and KRB_AP_ERR_MODIFIED

SQL Server – Powershell Active Directory search




Author: Jack Vamvas (http://www.sqlserver-dba.com)
