Explicit misplaced SPN problem in SQL Server

This article helps you resolve a SQL Server consistent authentication problem that affects the explicit misplaced Service Principal Name (SPN).

Symptoms

If the SPN that you specify in the connection string exists on a service account that's not used by Microsoft SQL Server, you receive a Security Support Provider Interface (SSPI) context error message.

If the SPN isn't registered correctly, you might receive the following error message:

The target principal name is incorrect. Cannot generate SSPI context.

If you try to create an SPN that already exists, you receive the following error message:

Duplicate SPN found, aborting operation!

Cause

The explicit misplaced SPNs can cause issues in Kerberos authentication and prevent clients from connecting to the service.

Resolution

If you are experiencing explicit misplaced SPNs, you might have to create or re-create the SPN for the service. To create or re-create the SPN by using the SETSPN command, follow these steps:

1. Run the SETSPN -L domain\svcacct command to list SPNs on the SQL Server service account.
2. Run the SETSPN -Q spnName command to learn which service account the SPN is registered on.
3. Run the SETSPN -D command to remove the SPN from the service.
4. Run the SETSPN -A command to add the SPN to the service.
5. Move the SPN by using SETSPN -D, or select an SPN that already exists in the correct account.

More information

Consistent authentication issues in SQL Server