Sunday, February 12, 2012

Cannot generate SPPI Context

Hi,
We recently replaced one of our SQL 2000 machines in our 2-server cluster (
both Win2K SP4 ).
Since the replacement we can no longer access the SQL-server via Windows Aut
hentication ( SQL turns mainly on this new server ).
This happens on ALL machines including the server ( We use Win Auth for the
Query Analyzer ).
The server only listens on TCP/IP, i would like to avoid using named pipes.
Does anybody have any idea how to troubleshoot this?
What protocol is used NTML or Kerberos and what do you recommend to use.
Already big thnx for the answers ...
Sven Peeters
Belgiumhello! Are the sql services running under a domain user account? If so you c
ould try resetting the SPN (server principal name) for the sql service. This
fixed this error for me (though there are quite a few ways to generate this
error).|||Hi Sven,
The error message "Cannot generate SSPI Security Context" is a failure
to authenticate using NT Auth over TCP.
The most common problems are:
1. DNS resolution. Either DNS is slow or failing to resolve the FQDN of
the server.
From the client run the following commands:
ipconfig /flushdns
ipconfig /registerdns
Then make a network trace of the client trying to make a Trusted Connection.
2. Problems enumerating or reaching the DC.
A good tool for identifying problems with DNS or DC enumeration is
Netdiag.exe
321708 HOW TO: Use the Network Diagnostics Tool (Netdiag.exe) in Windows
2000
http://support.microsoft.com/?id=321708
Run it with the /v "Verbose" flag and review the output.
Thanks,
Kevin McDonnell
Microsoft Corporation
This posting is provided AS IS with no warranties, and confers no rights.|||I tried and checked everything.
With netdiag all checks passed en my DNS is ok.
Got the results posted under this reply.
Only the server has been replaced, user,domain and cluster settings are stil
l the same.
And i can't even connect on the server itself.
I've read and tried every solution withouth result.
C:\Program Files\Resource Kit>setspn -l ClusterSQLAccount
Registered ServicePrincipalNames for CN=ClusterSQLAccount,CN=Users,DC=system
at,D
C=tcc:
MSSQLSvc/srv-is-sql-01.systemat.tcc:1433
MSSQLSvc/srv-is-sql-01:1433
C:\Program Files\Resource Kit>
C:\Program Files\Resource Kit>ping srv-is-sql-01
Pinging srv-is-sql-01.systemat.tcc [192.168.110.132] with 32 bytes of da
ta:
Reply from 192.168.110.132: bytes=32 time=16ms TTL=128
Reply from 192.168.110.132: bytes=32 time<10ms TTL=128
Reply from 192.168.110.132: bytes=32 time<10ms TTL=128
Reply from 192.168.110.132: bytes=32 time<10ms TTL=128
Ping statistics for 192.168.110.132:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 16ms, Average = 4ms
C:\Program Files\Resource Kit>ping -a 192.168.110.132
Pinging srv-is-sql-01.systemat.tcc [192.168.110.132] with 32 bytes of da
ta:
Reply from 192.168.110.132: bytes=32 time<10ms TTL=128
Reply from 192.168.110.132: bytes=32 time<10ms TTL=128
Reply from 192.168.110.132: bytes=32 time<10ms TTL=128
Reply from 192.168.110.132: bytes=32 time<10ms TTL=128
Ping statistics for 192.168.110.132:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\Program Files\Resource Kit>|||It's running under a domain account and has administrative rights locally.
My SPN is also ok :
C:\Program Files\Resource Kit>setspn -l ClusterSQLAccount
Registered ServicePrincipalNames for CN=ClusterSQLAccount,CN=Users,DC=system
at,D
C=tcc:
MSSQLSvc/srv-is-sql-01.systemat.tcc:1433
MSSQLSvc/srv-is-sql-01:1433
C:\Program Files\Resource Kit>
Any other suggestions ?

No comments:

Post a Comment