The target principal name is incorrect. Cannot generate SSPI context

Sai Siva Kumar Darapureddy 1 Reputation point
2022-02-09T14:35:14.423+00:00

Hi Team,
We are getting the error "The target principal name is incorrect. Cannot generate SSPI context" when we try to connect to SQL Server through SSMS over VPN. We are not facing this issue when we are inside the LAN.

Thank you,
Sai Siva Kumar


2 answers

  1. AmeliaGu-MSFT 13,961 Reputation points Microsoft Vendor
    2022-02-10T07:00:44.117+00:00

    Hi SaiSivaKumarDarapureddy-9902.

    Welcome to Microsoft Q&A.
    The "Cannot generate SSPI context" error is generated when SSPI uses Kerberos authentication to delegate over TCP/IP and Kerberos authentication cannot complete the necessary operations to successfully delegate the user security token to the destination computer that is running SQL Server.

    What SQL Server service account are you using? If you run the SQL Server service under the LocalSystem account, the SPN is automatically registered and Kerberos authentication interacts successfully with the computer that is running SQL Server. However, if you run the SQL Server service under a domain account or under a local account, the attempt to create the SPN will fail in most cases because the domain account and the local account do not have the right to set their own SPNs. Please refer to this doc to check if the SQL Server startup account has permission to register and modify the SPN.
    And if you are using the Local System account, the middle server should be trusted for delegation in Active Directory.
    Please refer to Configure the Server to be Trusted for Delegation.
    You can use Kerberos Configuration Manager to help you troubleshoot SPN and delegation issues.
    Please refer to this troubleshooting article to use the tool step by step or check this article to register SPN manually.

    Best Regards,
    Amelia


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    2 people found this answer helpful.
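
One way to run the SPN check that the answer above points to, as an added example (not code from the thread or from the linked documentation): it resolves the server name as the client sees it, builds the TCP SPN, and asks Active Directory and the local Kerberos client about it. The host name `sqlhost.example.internal`, port 1433 and the account `EXAMPLE\svc-sql` are placeholders, and the script assumes a domain-joined client with `setspn` and `klist` available.

```powershell
# Added example: check the SPN a client requests for a SQL Server instance.
# All three parameter defaults are placeholders, not values from the thread.
param(
    [string]$ServerName     = 'sqlhost.example.internal', # exact name typed into SSMS
    [int]   $Port           = 1433,                       # TCP port of the instance
    [string]$ServiceAccount = 'EXAMPLE\svc-sql'           # SQL Server startup account
)

# The client derives the SPN from the name DNS gives it, so run this once on
# the LAN and once over the VPN and compare the resolved names.
# GetHostEntry approximates the client's lookup; it is not the driver's own code.
$fqdn = [System.Net.Dns]::GetHostEntry($ServerName).HostName

# "${fqdn}:" needs the braces: "$fqdn:$Port" would be parsed as a
# scope-qualified variable and silently produce the wrong string.
$spn = "MSSQLSvc/${fqdn}:$Port"
Write-Host "Name entered : $ServerName"
Write-Host "Resolved FQDN: $fqdn"
Write-Host "Expected SPN : $spn"

# 1. Is the SPN registered in the domain, and on which account?
#    It must sit on the account that actually runs the SQL Server service.
Write-Host "`n--- setspn -Q $spn"
setspn -Q $spn

# 2. Which SPNs does the service account hold? A missing MSSQLSvc entry here
#    means the automatic registration at service start did not succeed.
Write-Host "`n--- setspn -L $ServiceAccount"
setspn -L $ServiceAccount

# 3. Can this client obtain a Kerberos service ticket for that SPN right now?
#    Run it in the same session (LAN or VPN) that shows the SSPI error.
Write-Host "`n--- klist get $spn"
klist get $spn
```

If the resolved FQDN or the `klist get` result differs between the LAN and VPN runs, the difference is on the client's name resolution or ticket path rather than in the SPN registration itself.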

  2. cthivierge 4,056 Reputation points
    2022-02-09T15:09:38.967+00:00

    This error is generally caused by a Kerberos authentication that has failed.

    When you are on the LAN and you open SSMS, what auth_scheme do you get if you run this query?

    select auth_scheme from sys.dm_exec_connections where session_id=@@spid

    1 person found this answer helpful.