sspi handshake failed with error code 0x80090304 on SQL server after updating DC

Ibrahim AlHusari 151 Reputation points
2022-11-16T09:09:44.61+00:00

Dears,

We have a problem that started after we installed Windows updates on our DCs in the environment. Now, when we try to connect remotely to the SQL database server, we get the errors below.

Kindly note that authentication works fine when we connect to the database from the SQL server itself with the same user.

Regards,


13 answers

  1. Ibrahim AlHusari 151 Reputation points
    2022-11-24T12:28:04.913+00:00

    Dear SeeyaXi-msft,

    The same issue is back again after installing KB5021653: Out-of-band update for Windows Server 2012 R2: November 17, 2022.

    Regards,


  2. Steve Taylor 1 Reputation point
    2022-11-29T15:26:26.197+00:00

    Hi all, I've been monitoring this article closely as we have experienced the exact same issue.

    We managed to workaround it by deleting the SPN record(s) between Application and SQL server, which essentially causes Kerberos authentication to fail, and forces NTLM authentication, e.g.:

    setspn -D MSSQLSvc/sqlservername.fqdn DOMAINNAME\SqlServiceAccount
    setspn -D MSSQLSvc/sqlservername.fqdn:1433 DOMAINNAME\SqlServiceAccount

    Once that had been done, we restarted the SQL server services, restarted the Application services and restarted IIS.

    Risk vs. reward: this seems to work, but it is obviously then using a less secure authentication protocol.

    Do post a response if this helps you.

    Regards,

    Steve

    Further info:

    When the SQL Server driver forms an invalid SPN, authentication still works because the SSPI interface tries to look up the SPN in the Active Directory service. If the SSPI interface doesn't find the SPN, Kerberos authentication isn't performed. At that point, the SSPI layer switches to NTLM authentication mode, and the logon uses NTLM authentication and typically succeeds (see https://learn.microsoft.com/en-us/troubleshoot/sql/connect/cannot-generate-sspi-context-error).
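To check which SPNs are actually registered and which authentication scheme remote sessions end up using before and after the workaround above, here is an added PowerShell check that is not part of Steve's post. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd) is installed, runs on a domain-joined admin host, and uses the placeholder account and host names from the setspn commands above.

```powershell
# Added example (not from the thread): inspect Kerberos/NTLM state around a
# SQL Server instance. All names below are placeholders; replace them.
$ServiceAccount = 'DOMAINNAME\SqlServiceAccount'
$SqlHost        = 'sqlservername.fqdn'
$SqlInstance    = $SqlHost   # default instance; use "$SqlHost\NAME" for a named one

# 1. Which MSSQLSvc SPNs are registered on the service account?
#    setspn -L lists every SPN on the account; keep only the SQL ones.
$spns = setspn -L $ServiceAccount |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -like 'MSSQLSvc/*' }
Write-Host "MSSQLSvc SPNs registered on ${ServiceAccount}:"
if ($spns) { $spns | ForEach-Object { Write-Host "  $_" } }
else       { Write-Host "  (none - clients will fall back to NTLM)" }

# 2. Duplicate SPNs across accounts also break Kerberos for the instance.
#    setspn -X searches the forest for duplicates; review its output.
Write-Host "`nDuplicate SPN scan (setspn -X):"
setspn -X | ForEach-Object { Write-Host "  $_" }

# 3. What scheme are current connections really using? sys.dm_exec_connections
#    exposes auth_scheme (KERBEROS, NTLM or SQL). Shared-memory sessions are
#    excluded because the question is about remote (TCP) logins.
$query = @"
SELECT s.login_name,
       c.auth_scheme,
       c.net_transport,
       c.client_net_address,
       COUNT(*) AS connections
FROM   sys.dm_exec_connections AS c
JOIN   sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE  c.net_transport <> 'Shared memory'
GROUP  BY s.login_name, c.auth_scheme, c.net_transport, c.client_net_address
ORDER  BY c.auth_scheme, s.login_name;
"@
Write-Host "`nAuthentication scheme per remote login on ${SqlInstance}:"
Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $query | Format-Table -AutoSize
```

If every remote login shows NTLM after the SPNs were deleted, the workaround is in effect; any KERBEROS rows mean an SPN lookup is still succeeding for that client, which is worth knowing before deciding whether to re-register the SPNs once a fixed update is applied.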


  3. Matt 1 Reputation point
    2022-12-13T08:15:55.147+00:00

    We're seeing the same issue here after KB5020023 was installed and one of our DCs was rebooted.

    We're running SQL Server 2003 and seeing the following logs:

    The login is from an untrusted domain and cannot be used with Windows authentication.

    Error: 18452, Severity: 14, State: 1
    SSPI handshake failed with error code 0x80090304 while establishing a connection with integrated security
    Error: 17806, Severity: 20, State: 2

    We uninstalled KB5020023 and restarted the server, but the fault persisted; we then installed the rollup (kb5021653-out-of-band-update-for-windows-server-2012-r2-november-17-2022-8e6ec2e9-6373-46d7-95bc-852f992fd1ff), but it has made no difference.


  4. Supply-PWC 1 Reputation point
    2022-12-14T17:31:20.403+00:00

    We are experiencing this issue too. Does anyone know if the December updates fix this issue?


  5. Supply-PWC 1 Reputation point
    2023-01-11T14:54:07.3566667+00:00

    Has anyone tested to see if the January 2023 updates fix this issue? Thanks.