This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(137.6, 17%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPK%3C/text%3E%3C/svg%3E)
Hi,
How can I fix this within AD. It looks like AD auth failure from one of our sql server. Any idea what exactly the error code is - 0x80090311
Error log:
"SSPI handshake failed with error code 0x80090311, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure. No authority could be contacted for authentication. "
Thank you
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(208, 69%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESG%3C/text%3E%3C/svg%3E)
The literal in winerror.h is SEC_E_NO_AUTHENTICATING_AUTHORITY which translates to the message "No authority could be contacted for authentication" which you already have in the message. It means no DC was able to be contacted to validate the credentials or login.
Hi Sean,
Is there a way that I can see a log in SQL server which DC server it is tried to make a contact for authentication. Or is there a way I can see the authentication failures in DC for these type of requests.
And other error log from SQL:
"Login failed. The login is from an untrusted domain and cannot be used with Windows authentication."
Thanks
SQL Server does not keep any type of log about what DC is used by Windows, as it is Windows that carries out the authentication, SQL Server just asks Windows to do this. You can do network and ADDS traces to see the traffic coming and going to figure it out. Additionally there will be a default DC the computer is set to use (though any others can be used) which you can see in your environment variable "LOGONSERVER".
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 80%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETB%3C/text%3E%3C/svg%3E)
Hi,
It seems that you SQL server is unable to contact a domain controller.
Check if the DNS resolution is working fine to resolve the Domain name on your SQL server and if all required network flow are opened with domain controllers. You can use the PortQry to check the network ports between the SQL server and domain controllers:
Please Don't forget to mark helpful reply as answer
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 46%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
Hi pavankumar-6152,
If your logon domain differs from the domain of the computer that is running SQL Server, please check the trust relationship between the domains.
And please make sure SPN's correctly registered with Active Directory. Please refer to Register a SPN for Kerberos Connections which might help.
Please try to add the SQL Server Service account to "Access this computer from network" Policy under Local Security Policy -> Local Policies -> User Rights Assignment -> Access this computer from network".
You can collect Netmon and see all the connections and communication happening from Client to SQL Server.
In addition, please make sure the computer name is less than 15 characters. Please refer to this blog.
Best Regards,
Amelia
