Everyday Problem Solvers
Tag Archives: Authentication
November 22, 2012Posted by on
Detecting a Bad SPN
Okay, we all know the error that this causes. Even saying SSPI context is bad juju, and I feel dirty when I talk about it, but it has to be said:
Cannot generate SSPI Context
This is a generic error that can be caused by 1000 different things, but experience has shown me that 98% of the time, it is caused by 1 of 2 problems. Either the server is not able to connect to a domain controller to establish the SSPI context or there is an invalid SPN for the SQL Server service in AD. To verify if the domain controller connection may be a problem, I check the System event log. There may be errors stating that SQL Server was not able to connect to a domain controller or kerberos errors. The error logged may have occurred several days before you see the SSPI context errors. 99% of the time, this error is resolved by rebooting the server.
I want to talk about the second cause. An invalid SPN will cause this error. No SPN at all will NOT cause this error. That bears repeating: No SPN at all will NOT cause this error. Adding an SPN to AD will NOT fix this error. Setting up kerberos or constrained delegation when there is an invalid SPN will NOT fix this error. Starting to see a pattern? Read more of this post