SPN issues in cluster instance

  • Hi All,

    I have installed a SQL Server cluster recently.

    Noticed below errors logged in the error log. I understand that SPN is not getting registered, hence this error.

    What permissions should the SQL Server service account have to fix this issue? The service account is an admin on the local nodes anyway. Please help to fix this issue.

    [Quote]

    "SQL Server is attempting to register a Service Principal Name (SPN) for the SQL Server service. Kerberos authentication will not be possible until a SPN is registered for the SQL Server service.

    This is an informational message. No user action is required.

    SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The

    Windows error code indicates the cause of failure. The logon atte

    2015-06-12 18:11:06.970 Logon Error: 18452, Severity: 14, State: 1.

    2015-06-12 18:11:06.970 Logon Login failed. The login is from an untrusted domain and cannot be used with Windows authentication "

    [/Quote]

    Thanks.

    San

  • No responses at all !!! :w00t:

  • I would say there are two things here. You said that the SPN is not registered, but there is no evidence of that. The log is saying that SQL is attempting to register the SPN. If it failed there would be another entry in the log stating that. You should be able to verify that by issuing a setspn -L <sqlServerServiceAccount> in a command prompt and see if any MSSQLSvc entries are listed. If they are then the SPN is registered. If not then you can troubleshoot the SPN.

    2015-06-12 18:11:06.970 Logon Error: 18452, Severity: 14, State: 1.

    2015-06-12 18:11:06.970 Logon Login failed. The login is from an untrusted domain and cannot be used with Windows authentication "

    To me this seems to indicate an issue because the domain you are attempting to connect from is not trusted with the domain that the SQL instance is in so your Windows account cannot be trusted. Can you connect remotely to the SQL instance on a machine in the same domain as the SQL instance?

    Joie Andrew
    "Since 1982"
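
Added example (not part of the thread, and not the poster's own code): a PowerShell helper that applies the `setspn -L` check from the reply above to a clustered instance, comparing the listed MSSQLSvc entries with the SPNs that clients request for the cluster's virtual network name. The function name, account, host names and sample output are constructed placeholders.

```powershell
# Hypothetical helper: reports which expected MSSQLSvc SPNs are absent from
# the output of `setspn -L <sqlServerServiceAccount>`.
function Get-MissingSqlSpn {
    param(
        [Parameter(Mandatory)] [string[]] $SetSpnOutput,  # lines printed by setspn -L
        [Parameter(Mandatory)] [string]   $SqlFqdn,       # FQDN clients connect to (cluster virtual name)
        [int]    $Port = 1433,
        [string] $InstanceName                            # leave empty for a default instance
    )

    # setspn -L prints a header line, then one indented SPN per line.
    $registered = $SetSpnOutput |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -like 'MSSQLSvc/*' }

    # TCP clients request host:port; other protocols request host (default
    # instance) or host:instance (named instance).
    $expected = @("MSSQLSvc/${SqlFqdn}:$Port")
    if ($InstanceName) { $expected += "MSSQLSvc/${SqlFqdn}:$InstanceName" }
    else               { $expected += "MSSQLSvc/$SqlFqdn" }

    # -notcontains compares case-insensitively.
    $expected | Where-Object { $registered -notcontains $_ }
}

# Constructed sample output: SPNs exist for a physical node name only,
# not for the name the clustered instance is reached by.
$sample = @(
    'Registered ServicePrincipalNames for CN=svc-sql,OU=Service Accounts,DC=contoso,DC=com:'
    "`tMSSQLSvc/sqlnode1.contoso.com:1433"
    "`tMSSQLSvc/sqlnode1.contoso.com"
)

$missing = Get-MissingSqlSpn -SetSpnOutput $sample -SqlFqdn 'sqlclu01.contoso.com'
if ($missing) {
    "Missing SPNs for the clustered instance:"
    $missing | ForEach-Object { "  $_" }
} else {
    "All expected MSSQLSvc SPNs are registered."
}

# Against a live domain, pass the real command output instead of the sample:
#   Get-MissingSqlSpn -SetSpnOutput (setspn -L 'CONTOSO\svc-sql') -SqlFqdn 'sqlclu01.contoso.com'
```

With the sample above, both SPNs for `sqlclu01.contoso.com` are reported as missing, because the only registered entries name a node rather than the clustered instance.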

  • [Quote]

    I would say there are two things here. You said that the SPN is not registered, but there is no evidence of that. The log is saying that SQL is attempting to register the SPN. If it failed there would be another entry in the log stating that. You should be able to verify that by issuing a setspn -L <sqlServerServiceAccount> in a command prompt and see if any MSSQLSvc entries are listed. If they are then the SPN is registered. If not then you can troubleshoot the SPN.

    [/Quote]

    Sorry.. We have that error message logged in errorlog

    "The SQL Server Network Interface library could not register the Service Principal Name (SPN)".

    Need to check this.

    [Quote]

    To me this seems to indicate an issue because the domain you are attempting to connect from is not trusted with the domain that the SQL instance is in so your Windows account cannot be trusted. Can you connect remotely to the SQL instance on a machine in the same domain as the SQL instance?

    [/Quote]

    Just checked from both active/passive nodes and it was working.

    Need to investigate now.

    Update: This seems to be a firewall issue, I believe, because telnet 1433 is not working, though I can ping it.

    Will check for firewall settings.

    Thanks.

    San.
