Planning To Avoid 'Cannot Generate SSPI Context' Issues After Changing SQL Server Service Account

Firstly, this is all at the planning stage at the moment, so I'm looking for advice on how to avoid potential problems further down the line ...

We have an SQL Server 2005 box in a specific domain, and the existing SQL Server Service Account is also in the same domain. So say the box is in a domain called originaldomain and the existing SQL Server Service Account is originaldomain\originalserviceaccount.

Our network guys want us to change the SQL Server Service Account to a new account they will be setting up in a new domain - the SQL Server 2005 box itself will still be under originaldomain, but they want the new SQL Server Service Account to be an account in the new domain, say it will be called newdomain\newserviceaccount.

I've seen a few URLs containing horror stories where SQL Server connections fail with "Cannot Generate SSPI Context" following a change to the SQL Server Service Account, and so am hoping to be able to avoid this issue when we get round to changing our SQL Server Service Account (we'll be making the change via SQL Server Configuration Manager).

So, given the specifics of our planned change (i.e. the SQL Server 2005 box being in one domain and the new SQL Server Service Account being in another domain), are there any special considerations to note when the new SQL Server Service Account is set up?

Thanks

Ray
raymurphy Asked:
Vitor Montalvão, MSSQL Senior Engineer, Commented:
First of all there should be a trust between both domains.
Second, you need to add new SPN entries after changing the MSSQL service account. For that you'll need to use the SETSPN command.
0
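One way to carry out the SETSPN step from the comment above, added here as an example and not posted by any participant in the thread. The host names, port and dry-run switch are assumptions, and removing the SPNs from the old account goes beyond what the comment says: it is included because the same SPN registered on two accounts also breaks Kerberos authentication. The operator is assumed to have rights to write servicePrincipalName on both accounts.

```powershell
# Added example: move the MSSQLSvc SPNs after the service account has been changed.
# Every name below is a placeholder (assumption), not a value from the thread.
$SqlHostFqdn = 'sqlbox.originaldomain.example'   # placeholder FQDN of the SQL Server box
$SqlHostName = 'sqlbox'                          # placeholder short host name
$Port        = 1433                              # assumed: default instance on static TCP 1433
$OldAccount  = 'originaldomain\originalserviceaccount'
$NewAccount  = 'newdomain\newserviceaccount'
$NewDomain   = 'newdomain'
$Apply       = $false                            # dry run: only read-only commands execute

# Clients may connect by FQDN or short name, so both forms are registered.
$Spns = "MSSQLSvc/${SqlHostFqdn}:$Port", "MSSQLSvc/${SqlHostName}:$Port"

function Invoke-SetSpn {
    param([string[]]$SetSpnArgs, [switch]$ReadOnly)
    Write-Host "setspn $($SetSpnArgs -join ' ')"
    # Changes to the directory are made only when $Apply is set to $true.
    if ($ReadOnly -or $Apply) { & setspn.exe @SetSpnArgs }
}

# 1. Record which SPNs the old account holds before touching anything.
Invoke-SetSpn -SetSpnArgs '-L', $OldAccount -ReadOnly

foreach ($spn in $Spns) {
    # 2. Remove the SPN from the old account so it is never registered twice.
    Invoke-SetSpn -SetSpnArgs '-D', $spn, $OldAccount

    # 3. Register it on the new account. -S checks for an existing registration
    #    first (setspn from Windows Server 2008 or later); older versions only
    #    have -A, which adds without that check.
    Invoke-SetSpn -SetSpnArgs '-S', $spn, $NewAccount

    # 4. Confirm which account in the new domain now owns the SPN.
    Invoke-SetSpn -SetSpnArgs '-T', $NewDomain, '-Q', $spn -ReadOnly
}

# 5. Look for duplicate SPN registrations left behind by the move.
Invoke-SetSpn -SetSpnArgs '-X' -ReadOnly

# 6. From a client machine, a new TCP connection should report KERBEROS.
#    NTLM here means the SPN lookup failed and the connection fell back.
if ($Apply) {
    sqlcmd -S "tcp:$SqlHostFqdn,$Port" -E -Q "SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID"
}
```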
raymurphy, Author, Commented:
Thanks for the prompt reply, Vitor - I'll look into SETSPN for my own background reference, so thanks for that link. Also for background reference, I was wondering whether the new Windows login being used for the Service Account needs to have any specific permissions/characteristics? I've read that it should have Logon As Service permissions, but was wondering if there were any other specific permissions needed ....
0
Vitor Montalvão, MSSQL Senior Engineer, Commented:
No, Logon As Service should be what you'll need. There's no need to give extra permissions.
1

raymurphy, Author, Commented:
That's good news - thanks for your assistance, gives me a better idea of what will be involved when the Service Account is changed, as I've not had to go through that process before ...
0
Microsoft SQL Server 2005
Question has a verified solution.