Error: "Cannot generate SSPI context"

  • I'm way overloaded right now to post this in the "appropriate" place, but I'd like to get this out there in case someone else runs into this issue.

    After searching through enormous posts as to the causes of the error:

    "Cannot generate SSPI context"

    from a client connecting to SQL Server, I finally "discovered" one such solution, which I'd like to share with everyone.  First, the setup environment:

    1.  SERVER:  Win2k SP3

    2.  Client: MDAC 2.7, 2 NICS (2 different subnets), win2k AD member w/ own DNS (separate server) and domain (separate server)

    Issue:  When creating an ODBC DSN using Trusted Authentication and TCP/IP protocol, I kept receiving the error:  "Cannot generate SSPI context".  I also noticed the following:

    1.  Std Authentication via named pipes and TCP/IP worked fine.

    2.  NT Authentication via named pipes gave error:  "Server does not exist or access denied".

    Resolution:  Tried nearly everything.  What I finally discovered was that there were bogus entries in the client configuration (w/o SQL Client, you access this by running:  "cliconfg.exe").  Turns out that there were multiple entries in there for different subnets and (I suppose) that the alias resolution was confusing the client protocol for SSPI.  To fix the problem, I erased all appropriate aliases and re-setup the DSN with TCP/IP and Trusted Authentication.

    It worked.  Go figure.

     

    My best guess right now.
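
An added example, not part of the original post: a PowerShell audit of the client aliases that cliconfg.exe edits, so stale or conflicting entries like the ones described above can be spotted before rebuilding the DSN. It assumes PowerShell 3.0 or later and the registry location where the SQL client network utility stores aliases (both the 64-bit and 32-bit views); the function names are this example's own.

```powershell
# Added example: list SQL Server client aliases and flag conflicting definitions.
$AliasKeys = @(
    'HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo',             # 64-bit view
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\MSSQLServer\Client\ConnectTo'  # 32-bit view
)

function ConvertFrom-AliasValue {
    param([string]$Name, [string]$Value, [string]$Source)
    # Stored format: "<netlib>,<target>[,<port>]", e.g. "DBMSSOCN,10.0.1.5,1433"
    $parts = $Value -split ',', 3
    $protocol = switch ($parts[0].ToUpper()) {
        'DBMSSOCN' { 'TCP/IP' }
        'DBNMPNTW' { 'Named Pipes' }
        default    { $parts[0] }
    }
    $target = if ($parts.Count -gt 1) { $parts[1] } else { '' }
    $ip = $null
    [pscustomobject]@{
        Alias      = $Name
        Protocol   = $protocol
        Target     = $target
        Port       = if ($parts.Count -gt 2) { $parts[2] } else { '' }
        TargetIsIP = [System.Net.IPAddress]::TryParse($target, [ref]$ip)
        Raw        = $Value
        Source     = $Source
    }
}

function Get-SqlClientAlias {
    foreach ($path in $AliasKeys) {
        if (-not (Test-Path $path)) { continue }   # no aliases in this view
        $key = Get-Item $path
        foreach ($name in $key.GetValueNames()) {
            ConvertFrom-AliasValue -Name $name -Value ([string]$key.GetValue($name)) -Source $path
        }
    }
}

$aliases = @(Get-SqlClientAlias)
# Constructed sample entry, so the output shape is visible on a machine with no aliases.
$aliases += ConvertFrom-AliasValue -Name 'SQLPROD' -Value 'DBMSSOCN,10.0.1.5,1433' -Source '(constructed sample)'
$aliases | Format-Table Alias, Protocol, Target, Port, TargetIsIP, Source -AutoSize

# The same alias name defined differently in more than one place.
$aliases | Group-Object Alias |
    Where-Object { @($_.Group.Raw | Sort-Object -Unique).Count -gt 1 } |
    ForEach-Object { Write-Warning "Alias '$($_.Name)' has conflicting definitions: $($_.Group.Raw -join ' | ')" }
```

Remove the constructed sample line before relying on the output; every remaining row is an entry the client will use in place of normal name resolution for that server name.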

  • Interesting. I've run into the issue with single NIC/single IP, but NT auth works with named pipes. However, since it's disabled with most servers (sockets only), it was blind luck we figured that out.

    It started when we changed the service account. I read Chad Miller's article and suspected rights on the service account (domain user, normal) in creating the SPN, but resetting to an admin account didn't fix it; for some reason, only going back to the old service account, which was shared with other services on other boxes, worked.

    Then a few months later it cleared up. No indication why.
