Solved

SQL SSPI Error (register SPN)

Posted on 2014-07-24
4
2,037 Views
Last Modified: 2014-07-24
Hi

We are seeing the following error on one of our SQL 2008 always on boxes (2008 R2):

DESCRIPTION:      SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure. The logon attempt failed   [CLIENT: 10.165.2.103]

I couldn't find anything useful online and the client IP listed (10.165.2.103) is not a valid IP address on our network.

The SQL resource says all we need to do is manually register the SPN, but I have my doubts about the validity of this statement.  This is an error that Argent detected, but I can't get them to actually identify what the actual problem is (the spn is the symptom).  I don't want to re-register an SPN and restarting the MSSQLSERVER service if there isn't an actual problem.

Any help is appreciated.  Thanks.

Tony
0
Comment
Question by:tonyjoewalker
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 40

Accepted Solution

by:
lcohan earned 500 total points
ID: 40218039
That means someone tried a Integrated (Windows login) Authentication connection from that IP and it (luckily) failed with password error. Please check event viewer to see if there's anything else about this failed login in there and note that this message will appear when for instance a Windows domain password expires and it usually stops once the client resets the password.
0
 

Author Comment

by:tonyjoewalker
ID: 40218053
Thank you!

I found the client PC in question.  The service account that is running the MSSQLSERVER service is configured on twelve SQL servers and none are actually having any issues.

Our SQL resource insists the service account needs to be domain admin and we have to manually register these SPN's.  I don't get where any of these ideas even come from.  :(

I really appreciate the answer!!
0
 

Author Closing Comment

by:tonyjoewalker
ID: 40218055
Excellent!  Thank you!
0
 
LVL 40

Expert Comment

by:lcohan
ID: 40218077
That is totally wrong in my opinion - at the most a "minimally-privileged domain user account" but not domain admin - and here are some links to support that - maybe if you pass them they will take some action...

http://msdn.microsoft.com/en-us/library/ms143504(v=sql.105).aspx
http://blogs.technet.com/b/canitpro/archive/2012/02/08/the-sql-guy-post-15-best-practices-for-using-sql-server-service-accounts.aspx
http://www.sqlservercentral.com/Forums/Topic959128-1526-1.aspx
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have written a PowerShell script to "walk" the security structure of each SQL instance to find:         Each Login (Windows or SQL)             * Its Server Roles             * Every database to which the login is mapped             * The associated "Database User" for this …
This is basically a blog post I wrote recently. I've found that SARGability is poorly understood, and since many people don't read blogs, I figured I'd post it here as an article. SARGable is an adjective in SQL that means that an item can be fou…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.

624 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question