The error "Cannot generate SSPI context", whether it appears when you connect to SQL Server or is logged in the Event Viewer on the SQL Server machine, can be caused by the following:
1. A time difference between SQL Server and the client that is trying to connect
2. A time zone difference between SQL Server and the client that is trying to connect
3. A time difference between SQL Server and the domain controller
4. No SPN has been registered for SQL Server; the SPN is used by Kerberos.
An SPN for SQL Server consists of the following:
- ServiceClass: Identifies the general class of service. This is always MSSQLSvc for SQL Server.
- Host: The DNS domain name of the computer that is running SQL Server.
- Port: The port number on which the service is listening.
For example, a typical SPN for a computer running SQL Server is:
MSSQLSvc/SQLSERVER.CONTOSO.COM:1433
Once you have registered the SPN with the SetSPN command, check the configuration of your DNS servers. Run ping SQLServer and ping -a [IPaddress]; these commands must return the correct server name and the corresponding IP address. If they do not, fix your DNS so that SQL Server security can function properly.
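The two checks above (the SPN is registered, and forward and reverse DNS agree) as a read-only PowerShell script. This is an added example, not part of the original post; the host and port come from the sample SPN, and the account name CONTOSO\sqlsvc is a hypothetical placeholder.

```powershell
# Added example. Placeholder values (assumptions): replace before running.
$SqlHost = 'SQLSERVER.CONTOSO.COM'   # FQDN from the page's sample SPN
$Port    = 1433                      # port the instance listens on
$SvcAcct = 'CONTOSO\sqlsvc'          # hypothetical service account

# SPN format described above: ServiceClass/Host:Port
$Spn = 'MSSQLSvc/{0}:{1}' -f $SqlHost, $Port

# Check 1: is the SPN registered on the service account?
# "setspn -L <account>" lists the SPNs held by that account, one per line.
$listed = & setspn.exe -L $SvcAcct 2>&1 | ForEach-Object { "$_".Trim() }
$spnOk  = [bool]($listed | Where-Object { $_ -ieq $Spn })

# Check 2: forward and reverse DNS must agree (what ping and ping -a show).
$dns = @()
try {
    foreach ($ip in [System.Net.Dns]::GetHostAddresses($SqlHost)) {
        try   { $ptr = [System.Net.Dns]::GetHostEntry($ip).HostName }
        catch { $ptr = $null }       # no reverse record for this address
        $dns += [pscustomobject]@{
            Address = $ip.IPAddressToString
            Reverse = $ptr
            Match   = ($ptr -ieq $SqlHost)
        }
    }
} catch {
    Write-Warning "Forward lookup failed for ${SqlHost}: $($_.Exception.Message)"
}

"SPN $Spn registered on ${SvcAcct}: $spnOk"
$dns | Format-Table -AutoSize
if (-not $spnOk -or -not $dns -or ($dns.Match -contains $false)) {
    Write-Warning 'Fix the SPN registration or DNS before retrying the connection.'
}
```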
When an instance of SQL Server starts and its service is running under a domain account, it tries to register its own SPN in Active Directory by calling the DsWriteAccountSpn API. If the call is unsuccessful, the following warning is logged in Event Viewer:
MSSQLServer EventID: 19011 Description: SuperSocket Info: (SpnRegister): Error 8344.
To allow the SQL Server service to configure the SPN automatically, follow these steps:
- To configure the SQL Server service to create SPNs dynamically, you must modify the access control settings for the account in the Active Directory directory service. You must grant the "Read ServicePrincipalName" and "Write ServicePrincipalName" permissions for the user account that runs SQL Server.
This configuration is done with ADSI Edit, using the following steps ( http://support.microsoft.com/kb/811889/es ):
- Click Start, click Run, type Adsiedit.msc, and then click OK.
- In the ADSI Edit snap-in, expand Domain [DomainName], expand DC=RootDomainName, expand CN=Users, right-click CN=AccountName, and then click Properties.
- In the CN=AccountName Properties dialog box, click the Security tab.
- On the Security tab, click Advanced.
- In the Advanced Security Settings dialog box, make sure that CURRENT is listed under Permission entries. If CURRENT is not listed, click Add, and then add CURRENT.
- Under Permission entries, click CURRENT, and then click Modify.
- In the Permission Entry dialog box, click the Properties tab.
- On the Properties tab, click This object only in the Apply list, and then make sure that the check boxes for the following permissions are selected under Permissions:
  - Read ServicePrincipalName
  - Write ServicePrincipalName
- Click OK three times, and then quit ADSI Edit.
Greetings,
Mr. Eduardo Castro Martínez, PhD - Microsoft SQL Server MVP
http://tiny.cc/comwindows
Costa Rica
http://ecastrom.spaces.live.com
http://universosql.blogspot.com
http://todosobresql.blogspot.com
http://todosobresqlserver.wordpress.com
http://mswindowscr.org/blogs/sql/default.aspx