Why am I getting a SSPI error in SSMS when accessing a server on a different domain using the servername but it works OK using IP Address

Saransvan 106 Reputation points
2022-09-09T11:43:28.543+00:00

When using SSMS on domain A with a domain A account, I connect to a server in (trusted) domain B using the IP address all good.
When using SSMS on domain A with a domain A account, I connect to a server in (trusted) domain B using the servername or fully qualified servername I get a SSPI error.

Things I have checked:
The SPN is all good.
I can ping the servername from the client and it fully resolves fine.
I can also run a PS test connection OK on 389.
Local Hosts file entry makes no difference.
No blockages on firewall ports that we can see.
I can connect using SQL auth to the servername, it's just a Windows domain account issue.

SQL Server
SQL Server
A family of Microsoft relational database management and analysis systems for e-commerce, line-of-business, and data warehousing solutions.
13,809 questions
0 comments No comments
{count} votes

4 answers

Sort by: Most helpful
  1. YufeiShao-msft 7,116 Reputation points
    2022-09-12T08:00:11.407+00:00

    Hi @Saransvan ,

    Please check that there is not a SQL Alias present in the machine's SQL client configuration, usually, SSPI is a general error, there are various reasons for the error, this is may a DNS issue, try to flush DNS cache

    -------------

    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments

  2. Saransvan 106 Reputation points
    2022-09-12T08:35:43.62+00:00

    It's not a regular DNS issue as I can resolve via ping nslookup etc as I stated, tested that fully. No alias.

    I think it's a trust issue - anyone any ideas?

    0 comments No comments

  3. Erland Sommarskog 111.3K Reputation points MVP
    2022-09-12T10:48:13.953+00:00

    I don't think this is the right answer, but try checking Trust Server Certificate, see below. (I would expect a different error message, it this was the issue.)

    240083-image.png

    PS A DNS issue as suggested by Yufei sounds like a less likely reason to me. That would suggest that the name you use actually points to a different server, and you have an SSPI issue on that server. Certainly a bit far-fetched.

    0 comments No comments

  4. Saransvan 106 Reputation points
    2022-10-06T16:01:24.437+00:00

    Hi, thanks those who tried to help. Got to the bottom of it in the end.
    The domain (B) with the issue also has a parent, and although we weren't interested in anything in the parent, it seems that SQL needs to check it anyway.
    So we added an additional DNS conditional forwarder and that resolved the problem, we can now connect by name.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.