Error:: "cannot generate sspi context" via VPN

I am getting this error, "cannot generate sspi context" when I try to access MS SQL 2005 via Windows authentication over a Juniper VPN connection and if I am NOT connected to my own company's vpn. I am logged into my WinXP2 Notebook under a different domain (my company's domain, whereas the SQL server is on a Client's domain).  

More info: If I connect to my own company's VPN using Windows VPN connection, I do not get the error (so this is not a super urgent problem - just annoying and puzzling).  Also, I believe I only started getting this error when I started using my domain login on my Notebook as the administrator of that machine (i.e., I am not logging into my company's domain at all in that case.)

I am a database guru, but networking is still a mystery to me - I have found references to "kerebos" and have no idea what to make of that.


LVL 10
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Here's a link on this issue:

I think this should get you set straight:

Why Security Support Provider Interface chooses NTLM or Kerberos
Kerberos uses an identifier named "Service Principle Name" (SPN). Consider an SPN as a domain or forest unique identifier of some instance in a network server resource. You can have an SPN for a Web service, for an SQL service, or for an SMTP service. You can also have multiple Web service instances on the same physical computer that has a unique SPN.

An SPN for SQL Server is composed of the following elements: " ServiceClass: This identifies the general class of service. This is always MSSQLSvc for SQL Server.
" Host: This is the fully qualified domain name DNS of the computer that is running SQL Server.
" Port: This is the port number that the service is listening on.  
AaronAbendAuthor Commented:
I found this already - but I have already spent a lot of time reading about Kerebos and it seems clear I would need to learn a lot about networking to even understand what all this means.  "Consider an SPN as a domain or forest unique identifier" does not mean much to me since I do not know what a forest is.

I guess some questions to start with are: 1) is what I am trying to do even possible? 2) if so, is it a client configuration problem or something i have to change on the server (that would be harder since I am not admin on the customer's server)

You are correct, this started with your domain login.  The client (your laptop) when it is connected to your VPN is connected to your domain controller and can resolve the DNS of the SQL Server.  See below:

When the SQL Server driver on a client uses integrated security to connect to SQL Server, the driver code on the client tries to resolve the fully qualified DNS of the computer that is running SQL Server by using the WinSock networking APIs. To perform this operation, the driver code calls the gethostbyname and gethostbyaddr WinSock APIs. Even if an IP address or host name is passed as the name of the computer that is running SQL Server, the SQL Server driver tries to resolve the fully qualified DNS of the computer if the computer is using integrated security.

When the SQL Server driver on the client resolves the fully qualified DNS of the computer that is running SQL Server, the corresponding DNS is used to form the SPN for this computer.

So this is how the SPN gets created.  If it is an invalid SPN, Kerberos gets bagged by the SQL server (SSPI) and it does NTLM standard authentication.  However, it appears that your SQL Server driver created an SPN based on the information it got from your laptop from a prior connection to your VPN network.  So it is an invalid container when you are connected to the Juniper VPN.  That is why you get the message.  So, to answer your question, it is possible, if you wrote a script or got rid of the registry values for your work VPN connection prior to connecting to Juniper, or if you join the customers domain so when you are in Juniper you can fully resolve DNS.  Neither is probably an easy step, unfortunately I don't have good news for you, unless another expert knows a way around this.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
10 Tips to Protect Your Business from Ransomware

Did you know that ransomware is the most widespread, destructive malware in the world today? It accounts for 39% of all security breaches, with ransomware gangsters projected to make $11.5B in profits from online extortion by 2019.

AaronAbendAuthor Commented:
JD, I think I understand about half of what you say. "Write a script to get rid of registry values for my work vpn" sounds somewhat promising. I am going to take a look and see if there are any "smoking gun" entries in there. I will post back tomorrow morning.

Your going to have to find out where the WINS information is stored.  It can't be cache or a reboot would fix the issue.  Also look to see if there are settings in Juniper VPN.  Playing with them might get you home.

A few settings to try and tweak:  
Under Advanced TCP\IP settings (DNS tab - register the address in DNS)
WINS tab (enable LM lookup)
General (use default gateway)
AaronAbendAuthor Commented:
I agree with the split, but it's the same person, so I will just close it with points to the more complete info.  Thanks. Sorry for leaving it open.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Networking

From novice to tech pro — start learning today.