28,661 questions
SQL Server support Windows Auth mainly in a AD (domain) enviroment. In a Workgroup (perr-to-peer) you can get it working, if the local Windows account exists on both machines with the same password.
sql server 2022 windows authentication not working on peer to peer network
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 93%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPH%3C/text%3E%3C/svg%3E)
Peter Halbert
0
Reputation points
I have two brand new latest version PCs with windows 11 installed and connected as a peer to peer network.
I have installed MS SQL 2022 (Developer) on one pc and SSMS on the other pc.
I can establish a connection via SA account and query the database as expected - so all firewall & ports are open and working. I can also share folders without it asking for credentials, so all networking is working.
However if i switch to Windows Auth in SQL2022 i get an SSPI error on the client - the SQL log does not register any attempt to login, suggesting the error maybe coming from the client before reaching the server.
ERROR: The target principal name is incorrect. Cannot generate SSPI context (Microsoft SQL Server)
I've always thought SSPI is typically related to active directory and a domain server, but this is a peer to peer network, so no AD or domain server. When SQL starts up, it notes in the log that it cannot create an SPN. I assume it's because it can't reach a domain server.
Each computer has the same user registered on both PCs using a MS Account style login with PIN. With SQL Server 2019, i could easily add a credential in the Cred Manager on the client to map my user account to appropriate account on the SQL pc.
example,
Credential: servername:firewallport
Name: peter or micorsoftaccount******@email.com or servername\peter (tried all of these)
Password: windows account password.
Using SQL 2019 the above credential worked no problems for last 3 years, also worked via a VPN to my office from home. However, I just setup a new test platform using SQL 2022 version and the Windows Auth won't work. ERROR: The target principal name is incorrect. Cannot generate SSPI context (Microsoft SQL Server)
I have tried to establish a connection using SSMS, Excel and VS2022 - all fail with the same error message. SQL Server config has named pipes and tcp enabled. Any ideas on where to look now?
Is there something i can add to the connection string to prevent SSPN context being required? have i missed something obvious. I have also tried starting SSMS as admin.
Windows for business Windows Client for IT Pros User experience Other
SQL Server Other
14,494 questions
3 answers
Sort by: Most helpful
-
Olaf Helper 47,436 Reputation points2024-02-20T06:33:25.8466667+00:00 -
Peter Halbert 0 Reputation points
2024-02-20T09:01:40.6966667+00:00 Thanks for the reply and i agree, it usually works. But in this instance, no luck. same user on both pc's, same password, both using the standard Microsoft account login. As i noted, it works when using 2019, just not with latest version of SQL 2022.
-
Erland Sommarskog 121.4K Reputation points MVP Volunteer Moderator2024-02-20T22:57:12.8166667+00:00 For what it's worth, I have no problems connecting to SQL 2022 on other machines with integrated authentication, and all I have is a workgroup. And as Olaf says, username and password is the same everywhere.
-
Peter Halbert 0 Reputation points
2024-02-21T05:02:23.5133333+00:00 @Erland Sommarskog interesting that you have it working on the P2P network.
That gives me hope.
Can you check your SQL server's log on the none-domain peer and see if it registers an SPN successfully.
On mine, it fails, with log message as below - but i assumed it failed because it's not connected to a domain server.
The SQL Server Network Interface library could not register the Service Principal Name (SPN) [ MSSQLSvc/myComputerName ] for the SQL Server service. Windows return code: 0xffffffff, state: 63. Failure to register a SPN might cause integrated authentication to use NTLM instead of Kerberos. This is an informational message. Further action is only required if Kerberos authentication is required by authentication policies and if the SPN has not been manually registered.>
-
Erland Sommarskog 121.4K Reputation points MVP Volunteer Moderator
2024-02-21T22:17:24.3233333+00:00 I do indeed have the very same error messages in my SQL Server errorlogs. I would expect that you have them on you SQL 2019 instances as well.
But what does this mean:
Each computer has the same user registered on both PCs using a MS Account style login with PIN. With SQL Server 2019, i could easily add a credential in the Cred Manager on the client to map my user account to appropriate account on the SQL pc.> example,> Credential: servername:firewallport> Name: peter or micorsoftaccount******@email.com or servername\peter (tried all of these)> Password: windows account password.
Where are you supply this information? When you log in with Windows authentication, you give none of the above.
-
Peter Halbert 0 Reputation points
2024-02-22T06:58:38.6566667+00:00 @Erland Sommarskog Thanks for confirming you error logs.
The user accounts were created a MS accounts, using a MS (email/password) validation page which also set up a PIN. This where I think the problem is, because i did NOT create a 'local' account and later convert it to a MS account, the system does not fully my actual username/password.
I just read online, that i can switch between a local acct and a MS acct without losing apps or files, but I may lose some functionality while doing so. However, by creating an actual Local User i think I may be able to sign in from a different computer, even after i have converted back to a MS Account. (the key is setting the local acct up with a pw)
I think my other computers (with SQL19), were originally created with local accts (back about 3yrs ago) and then converted to MS accts, and that's why they have worked todate.
I'm going to try this now and will let everyone know if it works.
Regarding your note about what does this mean, i was referring to setting up a 'credential' in the windows Credential Manager App. I've been using it to map usernames for SLQ server when accessing over a VPN into my office - works great in my current setup, just not the knew one, yet!!! see this link for info https://www.mssqltips.com/sqlservertip/3250/connect-to-sql-servers-in-another-domain-using-windows-authentication/
Sign in to comment -
-
ZoeHui-MSFT 41,491 Reputation points2024-02-21T01:35:24.3533333+00:00 Hi @Peter Halbert,
Check it out here to see if you miss any steps.
Also check this same thread to see if it is helpful.
Regards,
Zoe Hui
If the answer is helpful, please click "Accept Answer" and upvote it.
-
Peter Halbert 0 Reputation points
2024-02-21T05:09:05.77+00:00 @ZoeHui-MSFT thanks for the links, unfortunately these articles relate to having a Domain Controller, and i have a P2P network. That said, I did try to use SETSPN but I don't seem to be able to get it to work using the examples provided and neither can my instance of SQL server 2022 which shows in the log at startup;
The SQL Server Network Interface library could not register the Service Principal Name (SPN) [ MSSQLSvc/myComputerName] for the SQL Server service. Windows return code: 0xffffffff, state: 63. Failure to register a SPN might cause integrated authentication to use NTLM instead of Kerberos. This is an informational message. Further action is only required if Kerberos authentication is required by authentication policies and if the SPN has not been manually registered.>
Sign in to comment -
-
Peter Halbert 0 Reputation points
2024-02-22T08:07:31.9366667+00:00 Solved this problem after reading a lot of web pages and some very helpful articles. Thanks to everyone who commented on this page as it helped me to solve the problem.
The quick answer in short is; you must create a Local Account with the same credentials as your MS account.
Why? By default, when installing a new copy of Windows 11 the setup recommends that you use a Microsoft Account to login with. For most people, that's no big deal as you can simply create an account @ MS with an email like (******@hotmail.com, ******@outlook.com). When you create an account, your PW is saved to a secure MS site and not your pc. This improves security because you don't have to enter your password every time you log into Windows 11. Windows 11 setup also recommends that you create a pin, use facial rec or a fingerprint to further secure your account. Once all that's done, the setup creates a special account on the Windows 11 pc typically using the firstname of your email address (you can also edit it). But wait, here's the kicker. The standard user account/password is not fully initialised. So apps like SQL cannot authenticate. And this where you must convert the MS account to a Local Account, save your username/pw combination and then convert back to a MS account (going back to MS Account is optional, but without it you'll lose features, like roaming, syncing data and other key features).
How For those of you who want to try this, just follow this text guide (courtesy of Copilot AI)
- To switch from a Microsoft account to a local account, open Settings > Accounts > Your Info, click Sign in with a local account instead, confirm your Microsoft account password, enter a username and password for the local account, and sign out. You can then sign in with the local account credentials.> - To switch from a local account to a Microsoft account, open Settings > Accounts > Your Info, click Sign in with a Microsoft account instead, enter your Microsoft account email and password, and sign in. You can then use your Microsoft account to access various online services and sync your settings across devices.
That's it. Once you have created a Local Account (and optionally converted back again) on any PC that's needs to connect to an instance of SQL server on another PC (same workgroup), you're good to go. If you need to cross domains (ie, to another network domain) see this link for a helpful guide using Credential Manager.
-
Erland Sommarskog 121.4K Reputation points MVP Volunteer Moderator
2024-02-22T22:03:19.64+00:00 Thanks for sharing the solution!
I very carefully avoid creating a Microsoft account when I install Windows, even if Windows 11 is making this harder and harder. With the original Win11 Setup, you could just pull the network cable, but later builds require that the cable is plugged back. But I found some other tricks on Google.
Sign in to comment