• Status: Solved

Error: "cannot generate sspi context" via VPN

I am getting this error, "cannot generate sspi context", when I try to access MS SQL 2005 via Windows authentication over a Juniper VPN connection and I am NOT connected to my own company's VPN. I am logged into my WinXP2 Notebook under a different domain (my company's domain, whereas the SQL server is on a Client's domain).

More info: If I connect to my own company's VPN using the Windows VPN connection, I do not get the error (so this is not a super urgent problem - just annoying and puzzling). Also, I believe I only started getting this error when I started using my domain login on my Notebook as the administrator of that machine (i.e., I am not logging into my company's domain at all in that case).

I am a database guru, but networking is still a mystery to me - I have found references to "Kerberos" and have no idea what to make of that.

Thanks

1 Solution
 
jdietrich commented:
Here's a link on this issue:

http://support.microsoft.com/kb/811889

I think this should get you set straight:

Why Security Support Provider Interface chooses NTLM or Kerberos
Kerberos uses an identifier named "Service Principal Name" (SPN). Consider an SPN as a domain- or forest-unique identifier of some instance of a network server resource. You can have an SPN for a Web service, for an SQL service, or for an SMTP service. You can also have multiple Web service instances on the same physical computer, each with a unique SPN.

An SPN for SQL Server is composed of the following elements:
  • ServiceClass: This identifies the general class of service. This is always MSSQLSvc for SQL Server.
  • Host: This is the fully qualified DNS name of the computer that is running SQL Server.
  • Port: This is the port number that the service is listening on.
 
AaronAbend (Author) commented:
I found this already - but I have already spent a lot of time reading about Kerberos and it seems clear I would need to learn a lot about networking to even understand what all this means. "Consider an SPN as a domain or forest unique identifier" does not mean much to me since I do not know what a forest is.

I guess some questions to start with are: 1) is what I am trying to do even possible? 2) if so, is it a client configuration problem or something I have to change on the server (that would be harder since I am not admin on the customer's server)?

 
jdietrich commented:
You are correct, this started with your domain login. The client (your laptop), when it is connected to your VPN, is connected to your domain controller and can resolve the DNS of the SQL Server. See below:

When the SQL Server driver on a client uses integrated security to connect to SQL Server, the driver code on the client tries to resolve the fully qualified DNS of the computer that is running SQL Server by using the WinSock networking APIs. To perform this operation, the driver code calls the gethostbyname and gethostbyaddr WinSock APIs. Even if an IP address or host name is passed as the name of the computer that is running SQL Server, the SQL Server driver tries to resolve the fully qualified DNS of the computer if the computer is using integrated security.

When the SQL Server driver on the client resolves the fully qualified DNS of the computer that is running SQL Server, the corresponding DNS is used to form the SPN for this computer.

So this is how the SPN gets created. If it is an invalid SPN, Kerberos gets bagged by the SQL server (SSPI) and it does NTLM standard authentication. However, it appears that your SQL Server driver created an SPN based on the information it got from your laptop from a prior connection to your VPN network. So it is an invalid container when you are connected to the Juniper VPN. That is why you get the message. So, to answer your question, it is possible, if you wrote a script or got rid of the registry values for your work VPN connection prior to connecting to Juniper, or if you join the customer's domain so that when you are in Juniper you can fully resolve DNS. Neither is probably an easy step; unfortunately I don't have good news for you, unless another expert knows a way around this.

JD
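To make the SPN construction from the KB excerpt and JD's explanation concrete, here is an added Python example (not from the thread or from Microsoft) that mimics what the driver does: forward-resolve the server name, reverse-resolve the address to a fully qualified DNS name, and build "MSSQLSvc/fqdn:port". The two DNS views, the names, addresses and the registered-SPN list are all constructed; the second view models the stale name a laptop can carry from a previous company-VPN session.

```python
import ipaddress
from typing import Dict, Optional, Set

# Constructed DNS views standing in for the gethostbyname / gethostbyaddr
# calls the SQL Server driver makes. All names and addresses are made up.
COMPANY_VPN_DNS: Dict[str, Dict[str, str]] = {
    "forward": {"sqlsrv": "10.20.30.40", "sqlsrv.client.example": "10.20.30.40"},
    "reverse": {"10.20.30.40": "sqlsrv.client.example"},
}
JUNIPER_VPN_DNS: Dict[str, Dict[str, str]] = {
    # The tunnel resolves the short name, but the reverse answer still comes
    # from information retained from the company-VPN session.
    "forward": {"sqlsrv": "10.20.30.40"},
    "reverse": {"10.20.30.40": "sqlsrv.corp.example"},
}
# SPNs actually registered for the customer's SQL service (constructed).
REGISTERED_SPNS: Set[str] = {"MSSQLSvc/sqlsrv.client.example:1433"}


def looks_like_ip(value: str) -> bool:
    """True if the server string is a literal IP address rather than a name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def resolve_fqdn(server: str, dns: Dict[str, Dict[str, str]]) -> Optional[str]:
    """Forward-resolve a name (or accept an IP literal), then reverse-resolve
    the address to obtain the fully qualified DNS name, as the driver does."""
    addr = server if looks_like_ip(server) else dns["forward"].get(server)
    if addr is None:
        return None
    return dns["reverse"].get(addr)


def build_sql_spn(server: str, port: int, dns: Dict[str, Dict[str, str]]) -> Optional[str]:
    """Compose ServiceClass/Host:Port; None when the FQDN cannot be resolved."""
    fqdn = resolve_fqdn(server, dns)
    return None if fqdn is None else f"MSSQLSvc/{fqdn}:{port}"


def choose_auth(spn: Optional[str], registered: Set[str]) -> str:
    """Kerberos only when the client-built SPN matches a registered one;
    otherwise SSPI falls back to NTLM (or, as in this thread, errors out)."""
    return "Kerberos" if spn in registered else "NTLM"
```

Comparing `build_sql_spn("sqlsrv", 1433, ...)` under the two views shows why the same connection string works on one VPN and not the other: only the company-VPN view yields an SPN that matches the registered set.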

 
AaronAbend (Author) commented:
JD, I think I understand about half of what you say. "Write a script to get rid of registry values for my work vpn" sounds somewhat promising. I am going to take a look and see if there are any "smoking gun" entries in there. I will post back tomorrow morning.

Thanks
 
jdietrich commented:
You're going to have to find out where the WINS information is stored. It can't be cache, or a reboot would fix the issue. Also look to see if there are settings in the Juniper VPN. Playing with them might get you home.

A few settings to try and tweak:
  • Under Advanced TCP/IP settings (DNS tab - register the address in DNS)
  • WINS tab (enable LM lookup)
  • General (use default gateway)
 
AaronAbend (Author) commented:
I agree with the split, but it's the same person, so I will just close it with points to the more complete info. Thanks. Sorry for leaving it open.