raymurphy

asked on

Planning To Avoid 'Cannot Generate SSPI Context' Issues After Changing SQL Server Service Account

Firstly, this is all at the planning stage at the moment, so I'm looking for advice on how to avoid potential problems further down the line ...

We have an SQL Server 2005 box in a specific domain, and the existing SQL Server Service Account is also in the same domain. So say the box is in a domain called originaldomain and the existing SQL Server Service Account is originaldomain\originalserviceaccount.

Our network guys want us to change the SQL Server Service Account to a new account they will be setting up in a new domain - the SQL Server 2005 box itself will still be under originaldomain, but they want the new SQL Server Service Account to be an account in the new domain, say it will be called newdomain\newserviceaccount.

I've seen a few URLs containing horror stories where SQL Server connections fail with "Cannot Generate SSPI Context" following a change to the SQL Server Service Account, and so am hoping to be able to avoid this issue when we get round to changing our SQL Server Service Account (we'll be making the change via SQL Server Configuration Manager).

So, given the specifics of our planned change (i.e. the SQL Server 2005 box being in one domain and the new SQL Server Service Account being in another domain), are there any special considerations to note when the new SQL Server Service Account is set up?

Thanks

Ray
Vitor Montalvão

First of all there should be a trust between both domains.
Second, you need to add new SPN entries after changing the MSSQL service account. For that you'll need to use the SETSPN command.
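
The SPN change described in the answer above, as an added example that is not part of the original thread: it moves the `MSSQLSvc` SPNs from the old service account to the new one and then checks for duplicates. The host name and port are assumptions; the account names are the placeholders used in the question.

```powershell
# Added example (not from the thread). Run from an elevated prompt as an
# account allowed to write servicePrincipalName on both service accounts.
# Assumptions: hypothetical host FQDN, default instance listening on TCP 1433.
$SqlHost    = 'sqlbox.originaldomain.example'      # hypothetical FQDN of the SQL Server box
$Port       = 1433                                 # assumed port of the instance
$OldAccount = 'originaldomain\originalserviceaccount'
$NewAccount = 'newdomain\newserviceaccount'

# The two SPN forms clients request for a TCP connection to this instance.
$Spns = @("MSSQLSvc/$SqlHost", "MSSQLSvc/${SqlHost}:$Port")

# 1. Record what is registered on the old account before touching anything.
setspn -L $OldAccount

foreach ($Spn in $Spns) {
    # 2. Remove the SPN from the old account. If it stays there, the KDC issues
    #    tickets encrypted for the wrong account and Kerberos logins fail.
    setspn -D $Spn $OldAccount

    # 3. Register it on the new account. -S refuses to add a duplicate;
    #    older setspn builds only offer -A, which adds without checking.
    setspn -S $Spn $NewAccount
}

# 4. Verify: each SPN should resolve to exactly one account, the new one.
foreach ($Spn in $Spns) { setspn -Q $Spn }
setspn -L $NewAccount

# 5. Report any duplicate SPNs that remain.
setspn -X
```

Run the SPN move in the same change window as the service account switch in SQL Server Configuration Manager, then restart the service so new Kerberos tickets are issued against the new account.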
raymurphy

ASKER

Thanks for the prompt reply, Vitor - I'll look into SETSPN for my own background reference, so thanks for that link. Also for background reference, I was wondering whether the new Windows login being used for the Service Account needs to have any specific permissions/characteristics? I've read that it should have Logon As Service permissions, but was wondering if there were any other specific permissions needed ...
ASKER CERTIFIED SOLUTION
Vitor Montalvão

This solution is only available to members.
That's good news - thanks for your assistance, gives me a better idea of what will be involved when the Service Account is changed, as I've not had to go through that process before ...