same domain has SQL database engine connected by windows authentication, but different domain SSPI error.

  • Monday, April 23, 2012 1:51 PM
     
     

     

    If I work from computers in the same domain as the server, I can connect to the SQL database engine with Windows authentication, but when I access it from computers in a different domain, I get an SSPI error. setspn -L server lists MSSQLSvc for this server; SQL login, no issues; IP address, no issues.



    • Edited by George Zhou Monday, April 23, 2012 4:07 PM
    • Edited by George Zhou Monday, April 23, 2012 4:08 PM

All Replies

  • Monday, April 23, 2012 1:56 PM
     
     

    Hi,

    Please check out:

    http://support.microsoft.com/kb/811889

    http://blogs.msdn.com/b/sql_protocols/archive/2005/10/19/482782.aspx

    http://technet.microsoft.com/en-us/library/bb735885.aspx



    Thanks,

    Andrew Bainbridge
    SQL Server DBA

    Please click "Propose As Answer" if a post solves your problem, or "Vote As Helpful" if a post has been useful to you

  • Monday, April 23, 2012 3:54 PM
     
     

    Thanks, I saw those posts before and fixed some with setspn etc. However, this one didn't get fixed no matter what I tried according to the links.

    Also, the server can be connected to with no problem from a server within the same domain, but not from computers on another domain.

  • Monday, April 23, 2012 4:15 PM
     
     

    Another domain? Any trusts set up? Either the client (whether it be a server or workstation) and SQL Server must be in the same domain, or there must be a trust between the domains.

    http://blogs.msdn.com/b/sql_protocols/archive/2005/10/12/479871.aspx



    Thanks,

    Andrew Bainbridge
    SQL Server DBA


  • Monday, April 23, 2012 4:27 PM
     
     

    Yes, it was always working until I noticed last Friday.

    But all other SQL servers in the same domain as this one are accessible from different domains.

  • Wednesday, April 25, 2012 8:57 AM
     
     

    Have you looked at any firewalls?



    Thanks,

    Andrew Bainbridge
    SQL Server DBA


  • Thursday, April 26, 2012 12:54 PM
     
     
    Yes, disabled firewall, same thing, actually should be firewall. Using the IP address works, and using a hosts record also works. I believe it is a Kerberos authentication issue; not sure how to fix it.
  • Thursday, April 26, 2012 2:12 PM
     
     
    You can ping the SQL Server by name from the other domains, and that name resolves to the IP address you say works?


    Thanks,

    Andrew Bainbridge
    SQL Server DBA


  • Monday, April 30, 2012 7:02 PM
     
     
    Yes, Andrew, ping by name works anywhere, so DNS has no issues. It must be the Kerberos and NTLM authentication issues.
  • Wednesday, May 02, 2012 9:56 AM
    Moderator
     
     Answered

    Hi George,

    Please also refer to the workaround in this blog: http://blogs.msdn.com/b/sql_protocols/archive/2006/12/02/understanding-kerberos-and-ntlm-authentication-in-sql-server-connections.aspx

    [6] Cannot generate SSPI context.

    This is a typical Kerberos authentication failure; there are various situations that can trigger this error. See blog: http://blogs.msdn.com/sql_protocols/archive/2005/10/15/481297.aspx

    http://blogs.msdn.com/sql_protocols/archive/2005/10/19/482782.aspx

    The major reason is the credential cache (used by Kerberos to store authentication information; namely, the TGT and session ticket are cached so that they can be used during their lifetime).

    The most general workaround is: clean up the credential cache by using "klist.exe -purge" or kerbtray.exe, or just reboot the machine.

    See more detail about the various causes and solutions in http://support.microsoft.com/kb/811889.


    Best Regards,
    Iric
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
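
A client-side diagnostic sequence for the checks discussed in this thread (name resolution, SPN registration, purging the Kerberos credential cache), as an added example that is not part of any reply. The host name, domain and port are placeholders, and reading `sys.dm_exec_connections` assumes the login has VIEW SERVER STATE.

```powershell
# Added example. All three values are placeholders (assumptions, not from the thread).
$SqlHost   = 'sqlhost.corp.example'   # FQDN the client uses to reach SQL Server
$SqlDomain = 'corp.example'           # domain the SQL Server belongs to
$Port      = 1433                     # default-instance TCP port
$Spn       = "MSSQLSvc/${SqlHost}:$Port"

# 1. Confirm the name resolves to the address that works when used directly.
[System.Net.Dns]::GetHostEntry($SqlHost) | Format-List HostName, AddressList

# 2. Query the SPN in the server's domain (-T targets that domain from a
#    client in another one). Exactly one account should hold the SPN.
setspn -T $SqlDomain -Q $Spn

# 3. List cached tickets, then purge the credential cache
#    (the workaround given in the moderator's reply).
klist
klist purge

# 4. Request a service ticket for the SPN explicitly. An error here points at
#    Kerberos itself (SPN, trust, KDC reachability) rather than at SQL Server.
klist get $Spn

# 5. Connect with Windows authentication and report which scheme was negotiated.
$conn = New-Object System.Data.SqlClient.SqlConnection `
    "Server=tcp:$SqlHost,$Port;Integrated Security=SSPI;Connect Timeout=15"
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = 'SELECT auth_scheme FROM sys.dm_exec_connections ' +
                       'WHERE session_id = @@SPID'
    # KERBEROS or NTLM for a Windows-authenticated connection.
    "auth_scheme: $($cmd.ExecuteScalar())"
}
catch {
    # "Cannot generate SSPI context" surfaces here when the handshake fails.
    "Connection failed: $($_.Exception.Message)"
}
finally {
    $conn.Dispose()
}
```

Run it from a client in the domain that fails and again from one in the domain that works; the first step whose output differs between the two is where to look.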