iamuser
asked on
SQL Server Native Client 10.0 SQL Server Network Interfaces: The target principal name is incorrect
From a windows 2008 R2 machine, using SSMS to connect to my sql server (2008), the sa account works but using windows authentication fails. WIndows authentication keeps returning
The problem is that this happens only on this one server. I tried from 2 other windows servers, and they all connect fine using windows authentication. The other windows servers are also sql servers.
I am not sure why SSMS on this server is producing the problem but I need to resolve it. This server does have sql server installed with 2 instances, but I can't see how that would affect SSMS
[SQL Server Network Interfaces: The target principal name is incorrect & Cannot generate SSPI context message
The problem is that this happens only on this one server. I tried from 2 other windows servers, and they all connect fine using windows authentication. The other windows servers are also sql servers.
I am not sure why SSMS on this server is producing the problem but I need to resolve it. This server does have sql server installed with 2 instances, but I can't see how that would affect SSMS
ASKER
I ran "setspn.exe -L sqladmin\domain user account" and the results show that nothing is registred with that account. But i know that i have 3 sql servers using that account to run sql server services & agent services.
Is the lack of SPN under the domain user account the problem here?
Is the lack of SPN under the domain user account the problem here?
I believe the SPN should be registered to the sql server service account: http://technet.microsoft.com/en-us/library/bb735885.aspx
We had a very similar problem not long ago, and I resolved it after having referenced this: http://blogs.msdn.com/b/sql_protocols/archive/2005/10/12/479871.aspx
>>>
To verify that Kerberos authentication is being used, you may query the sys.dm_exec_connections DMV and look under the auth_scheme column, e.g.
select auth_scheme from sys.dm_exec_connections where session_id=@@spid
If Kerberos is being used, then it will display “KERBEROS”.
I should also mention that if the instance automatically registered an SPN at startup, then it will unregister it when the instance is stopped.
>>>
We had a very similar problem not long ago, and I resolved it after having referenced this: http://blogs.msdn.com/b/sql_protocols/archive/2005/10/12/479871.aspx
>>>
To verify that Kerberos authentication is being used, you may query the sys.dm_exec_connections DMV and look under the auth_scheme column, e.g.
select auth_scheme from sys.dm_exec_connections where session_id=@@spid
If Kerberos is being used, then it will display “KERBEROS”.
I should also mention that if the instance automatically registered an SPN at startup, then it will unregister it when the instance is stopped.
>>>
ASKER
Right now my sql services spn is pointed to different account and not the account that is being used as the service account for sql services. I would have to de-register that account and re-register the spn to the account that I'm using for the sql service. Am I understand this correctly?
I ran the select auth_scheme from sys.dm_exec_connections where session_id=@@spid
on my sql server and I get NTLM and not kerebos
I ran the select auth_scheme from sys.dm_exec_connections where session_id=@@spid
on my sql server and I get NTLM and not kerebos
That is precisely what I receiced a couple weeks back, same problem with the kerberos resolution. Once the spn was corrected, we were good. If I remember correctly,I did have to restart the agent.
ASKER
- So I will have to de-register the current spn on the target sql server.
- re-register the spn to the logon account I have for the sql services on the target server
- Do i have to do this on the client side as well (where ssms is ) or is this only for the target server
- re-register the spn to the logon account I have for the sql services on the target server
- Do i have to do this on the client side as well (where ssms is ) or is this only for the target server
Just the server.
ASKER
great let me try it
ASKER
it worked but it still shows up as NTLM and not kereobs
I am on my blackberry right now, so I can't really do much. I don't remember how long after our change that I checked that it wasn't NTLM anymore, but this effort did resolve our failure.
Does the SSPI error persist?
ASKER
the sspi error is gone but I thought it should have changed to kerebos
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Great answers, really resolved my problem
Excellent! Glad to have helped.
http://support.microsoft.com/kb/811889