tonyjoewalker
asked on
SQL SSPI Error (register SPN)
Hi
We are seeing the following error on one of our SQL 2008 always on boxes (2008 R2):
DESCRIPTION: SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure. The logon attempt failed [CLIENT: 10.165.2.103]
I couldn't find anything useful online and the client IP listed (10.165.2.103) is not a valid IP address on our network.
The SQL resource says all we need to do is manually register the SPN, but I have my doubts about the validity of this statement. This is an error that Argent detected, but I can't get them to actually identify what the actual problem is (the spn is the symptom). I don't want to re-register an SPN and restarting the MSSQLSERVER service if there isn't an actual problem.
Any help is appreciated. Thanks.
Tony
We are seeing the following error on one of our SQL 2008 always on boxes (2008 R2):
DESCRIPTION: SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure. The logon attempt failed [CLIENT: 10.165.2.103]
I couldn't find anything useful online and the client IP listed (10.165.2.103) is not a valid IP address on our network.
The SQL resource says all we need to do is manually register the SPN, but I have my doubts about the validity of this statement. This is an error that Argent detected, but I can't get them to actually identify what the actual problem is (the spn is the symptom). I don't want to re-register an SPN and restarting the MSSQLSERVER service if there isn't an actual problem.
Any help is appreciated. Thanks.
Tony
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Excellent! Thank you!
That is totally wrong in my opinion - at the most a "minimally-privileged domain user account" but not domain admin - and here are some links to support that - maybe if you pass them they will take some action...
http://msdn.microsoft.com/en-us/library/ms143504(v=sql.105).aspx
http://blogs.technet.com/b/canitpro/archive/2012/02/08/the-sql-guy-post-15-best-practices-for-using-sql-server-service-accounts.aspx
http://www.sqlservercentral.com/Forums/Topic959128-1526-1.aspx
http://msdn.microsoft.com/en-us/library/ms143504(v=sql.105).aspx
http://blogs.technet.com/b/canitpro/archive/2012/02/08/the-sql-guy-post-15-best-practices-for-using-sql-server-service-accounts.aspx
http://www.sqlservercentral.com/Forums/Topic959128-1526-1.aspx
ASKER
I found the client PC in question. The service account that is running the MSSQLSERVER service is configured on twelve SQL servers and none are actually having any issues.
Our SQL resource insists the service account needs to be domain admin and we have to manually register these SPN's. I don't get where any of these ideas even come from. :(
I really appreciate the answer!!