Dears,
We have a problem that started after we installed Windows updates on our DCs in the environment. Now, when we try to connect remotely to the SQL database server, we get the errors below.
Kindly note that authentication works fine when we connect to the database from the SQL Server itself with the same user.
Regards,
Dear SeeyaXi-msft,
The same issue is back again after installing KB5021653: Out-of-band update for Windows Server 2012 R2: November 17, 2022
Regards,
Hi all, I've been monitoring this article closely as we have experienced the exact same issue.
We managed to work around it by deleting the SPN record(s) between Application and SQL server, which essentially causes Kerberos authentication to fail, and forces NTLM authentication, e.g.:
setspn -D MSSQLSvc/sqlservername.fqdn DOMAINNAME\SqlServiceAccount
setspn -D MSSQLSvc/sqlservername.fqdn:1433 DOMAINNAME\SqlServiceAccount
Once that had been done, we restarted the SQL server services, restarted the Application services and restarted IIS.
Risk v reward: this seems to work, but it is obviously then using a less secure authentication protocol.
Do post a response if this helps you.
Regards,
Steve
Further info:
When the SQL Server driver forms an invalid SPN, authentication still works because the SSPI interface tries to look up the SPN in the Active Directory service. If the SSPI interface doesn't find the SPN, Kerberos authentication isn't performed. At that point, the SSPI layer switches to NTLM authentication mode, and the logon uses NTLM authentication and typically succeeds - (see https://learn.microsoft.com/en-us/troubleshoot/sql/connect/cannot-generate-sspi-context-error).
We're seeing the same issue here after KB5020023 was installed and one of our DCs was rebooted.
We're running SQL Server 2003 and seeing the following logs:
The login is from an untrusted domain and cannot be used with Windows authentication.
Error: 18452, Severity: 14, State: 1
SSPI handshake failed with error code 0x80090304 while establishing a connection with integrated security
Error: 17806, Severity: 20, State: 2
We uninstalled KB5020023 and restarted the server, but the fault persisted. We then installed the rollup (kb5021653-out-of-band-update-for-windows-server-2012-r2-november-17-2022-8e6ec2e9-6373-46d7-95bc-852f992fd1ff), but it has made no difference.
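Added example, not part of any post in this thread: a small triage script that pairs the 17806/18452 entries quoted above with their message lines and counts SSPI handshake failures per client, which helps scope how many clients are affected before and after a change such as the SPN removal or a patch rollback. The sample log is constructed, and the timestamp prefix and `[CLIENT: ...]` suffix are assumed to follow the usual SQL Server ERRORLOG layout.

```python
import re
from collections import Counter

# Constructed sample in ERRORLOG file order; timestamps, clients and layout are assumptions.
SAMPLE_LOG = """\
2022-11-18 09:14:02.11 Logon       Error: 17806, Severity: 20, State: 2.
2022-11-18 09:14:02.11 Logon       SSPI handshake failed with error code 0x80090304 while establishing a connection with integrated security. [CLIENT: 10.0.0.21]
2022-11-18 09:14:02.11 Logon       Error: 18452, Severity: 14, State: 1.
2022-11-18 09:14:02.11 Logon       The login is from an untrusted domain and cannot be used with Windows authentication. [CLIENT: 10.0.0.21]
2022-11-18 09:15:40.87 Logon       Error: 17806, Severity: 20, State: 2.
2022-11-18 09:15:40.87 Logon       SSPI handshake failed with error code 0x80090304 while establishing a connection with integrated security. [CLIENT: 10.0.0.34]
2022-11-18 09:16:05.02 spid51      Constructed unrelated line that must be ignored.
"""

# Windows SECURITY_STATUS names; 0x80090304 is the code reported on this page.
SSPI_NAMES = {0x80090304: "SEC_E_INTERNAL_ERROR", 0x8009030C: "SEC_E_LOGON_DENIED"}

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+\S+\s+(?P<msg>.*)$")
ERROR_RE = re.compile(r"Error: (\d+), Severity: \d+, State: \d+")
SSPI_RE = re.compile(r"SSPI handshake failed with error code (0x[0-9a-fA-F]+)")
CLIENT_RE = re.compile(r"\[CLIENT: ([^\]]+)\]")

def parse_failures(text):
    """Pair each 17806/18452 header with the message line that follows it."""
    events, pending = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        hdr = ERROR_RE.search(m["msg"])
        if hdr:
            pending = int(hdr[1])  # remember the error number for the next line
            continue
        if pending in (17806, 18452):
            code, client = SSPI_RE.search(m["msg"]), CLIENT_RE.search(m["msg"])
            events.append({"ts": m["ts"], "error": pending, "client": client[1] if client else None,
                           "sspi": int(code[1], 16) if code else None})
        pending = None
    return events

def summarize(events):
    """Count SSPI handshake failures (17806) per (client, status name)."""
    counts = Counter()
    for e in events:
        if e["error"] == 17806 and e["sspi"] is not None:
            counts[(e["client"], SSPI_NAMES.get(e["sspi"], hex(e["sspi"])))] += 1
    return counts

if __name__ == "__main__":
    print(summarize(parse_failures(SAMPLE_LOG)))
```

A log viewer that lists newest entries first (as the excerpt in the post above appears to) would need its lines reversed before parsing.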
We are experiencing this issue too. Does anyone know if the December updates fix this issue?
Has anyone tested to see if the January 2023 updates fix this issue? Thanks.