Hi Team,
We are getting the error "The target principal name is incorrect. Cannot generate SSPI context" when we try to connect to SQL Server through SSMS over VPN. We are not facing this issue when we are inside the LAN.
Thank you,
Sai Siva Kumar
This error is generally caused by a Kerberos authentication that has failed.
When you are on the LAN and you open SSMS, if you run this query, what auth_scheme do you get?
select auth_scheme from sys.dm_exec_connections where session_id=@@spid
Hi SaiSivaKumarDarapureddy-9902.
Welcome to Microsoft Q&A.
The "Cannot generate SSPI context" error is generated when SSPI uses Kerberos authentication to delegate over TCP/IP and Kerberos authentication cannot complete the necessary operations to successfully delegate the user security token to the destination computer that is running SQL Server.
What SQL Server service account are you using? If you run the SQL Server service under the LocalSystem account, the SPN is automatically registered and Kerberos authentication interacts successfully with the computer that is running SQL Server. However, if you run the SQL Server service under a domain account or under a local account, the attempt to create the SPN will fail in most cases because the domain account and the local account do not have the right to set their own SPNs. Please refer to this doc to check if the SQL Server startup account has permission to register and modify the SPN.
And if you are using the Local System account, the middle server should be trusted for delegation in Active Directory.
Please refer to Configure the Server to be Trusted for Delegation.
You can use Kerberos Configuration Manager to help you troubleshoot SPN and delegation issues.
Please refer to this troubleshooting article to use the tool step by step or check this article to register SPN manually.
Best Regards,
Amelia
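
A read-only way to check the SPN registration discussed in the answer above, as an added PowerShell example (not from the thread or from the linked articles). The host name, port and account name are placeholders, and it assumes a domain-joined machine that can reach a domain controller and a SQL Server account in the current domain.

```powershell
# Added example. All values below are placeholders, not taken from the thread.
$SqlHostFqdn    = 'sqlhost01.corp.example.com'  # FQDN that clients use to connect
$PortOrInstance = '1433'                         # TCP port, or the instance name for a named instance
$ServiceAccount = 'svc_sql'                      # sAMAccountName of the SQL Server startup account
                                                 # (use the computer account, e.g. 'SQLHOST01$', for LocalSystem)

# SPN forms used by SQL Server: MSSQLSvc/<FQDN>:<port or instance> and MSSQLSvc/<FQDN>.
# Remove the forms that do not apply to the protocols your clients use.
$expectedSpns = @(
    "MSSQLSvc/${SqlHostFqdn}:$PortOrInstance",
    "MSSQLSvc/$SqlHostFqdn"
)

function Get-SpnOwner {
    # Returns the sAMAccountName of every AD object that carries the given SPN.
    param([string]$Spn)
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"   # searches the current domain only
    [void]$searcher.PropertiesToLoad.Add('samaccountname')
    foreach ($result in $searcher.FindAll()) {
        [string]$result.Properties['samaccountname'][0]
    }
}

function Get-SpnStatus {
    # Classifies the registration state of one SPN.
    param([string[]]$Owners, [string]$Expected)
    if     ($Owners.Count -eq 0)      { 'MISSING' }        # nothing registered for this SPN
    elseif ($Owners.Count -gt 1)      { 'DUPLICATE' }      # same SPN on more than one account
    elseif ($Owners[0] -ne $Expected) { 'WRONG ACCOUNT' }  # registered, but not on the service account
    else                              { 'OK' }
}

foreach ($spn in $expectedSpns) {
    $owners = @(Get-SpnOwner -Spn $spn)
    [pscustomobject]@{
        SPN    = $spn
        Owners = $owners -join ', '
        Status = Get-SpnStatus -Owners $owners -Expected $ServiceAccount
    }
}
```

Any row that is not `OK` points to the kind of SPN registration problem the answer describes. The script only reads from Active Directory and changes nothing.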
Hi @Sai Siva Kumar Darapureddy ,
How are things going? Do the answers help you?
Please feel free to let us know if you have any other questions.
If the post in the thread is helpful, you could kindly accept it as the answer.
Best Regards,
Amelia