Re: cannot generate sspi context when server in mixed authenticati



If you are getting an SSPI error, something is attempting to use
Kerberos...even if that was not your intention. This is more of an Active
Directory issue than SQL Server, so I'm pretty much at the end of my
knowledge base...

--
Kevin Hill
3NF Consulting
http://www.3nf-inc.com/NewsGroups.htm

Real-world stuff I run across with SQL Server:
http://kevin3nf.blogspot.com


"DBA72" <DBA72@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6C11E262-B916-42BA-A294-A16FD71FE5C0@xxxxxxxxxxxxxxxx


"Kevin3NF" wrote:

A domain admin will need to create an SPN for the SQL Server service
manually using SetSPN or ADSI (I think)

Local system or domain admin starting sql does this automatically...domain
user does not

--
Kevin Hill
3NF Consulting
http://www.3nf-inc.com/NewsGroups.htm

Real-world stuff I run across with SQL Server:
http://kevin3nf.blogspot.com


"DBA72" <DBA72@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F01518D8-9430-49AB-95AC-076BF1C5CF84@xxxxxxxxxxxxxxxx
It is starting with a domain user account.

"Kevin3NF" wrote:

What is SQL Server service starting as...local system, domain user or
domain admin?

--
Kevin Hill
3NF Consulting
http://www.3nf-inc.com/NewsGroups.htm

Real-world stuff I run across with SQL Server:
http://kevin3nf.blogspot.com


"DBA72" <DBA72@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:65AFAA64-4847-4034-8745-211ED18ACB0E@xxxxxxxxxxxxxxxx
We have a situation for which I have been trying to find an explanation
for over a week. A windows 2005 SP1 server which previously ran in Windows
authentication only suddenly caused "cannot generate sspi context" errors
after we switched it to mixed authentication mode.

-SQL service is running with domain account not trusted for delegation
-We have checked for invalid SPNs in the domain and there are none
registered for the SQL Service on this machine
-TCP/IP protocol is enabled on the server
-Named Pipes connections work fine
-After switching back to Windows authentication and clearing the ticket
cache the problem disappears

If I understand correctly, the default authentication protocol used over
tcp/ip when connecting to SQL Server is Kerberos but if the client cannot
find a valid SPN for the SQL Service on the server then it should fall back
to NTLM. For some reason however, this is not happening as it should.






Kevin,
I think you would be right if I was trying to use Kerberos but as I said,
this is not enabled for the sql service account. What I want to do is use
NTLM over tcp/ip
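
The SPN check discussed in this thread, as an added example that is not part of the original posts: it looks up which Active Directory account holds the MSSQLSvc SPNs for a SQL Server host and compares that with the account the service runs as. The host name, port and account name are constructed placeholders, and the two SPN forms checked are an assumption for a default instance.

```powershell
# Added example, not from the thread. Host, port and account are constructed placeholders.
param(
    [string]$SqlHostFqdn    = 'sqlhost.example.com',
    [int]   $Port           = 1433,
    [string]$ServiceAccount = 'svc-sql'   # sAMAccountName the SQL service starts as
)

$shortName = $SqlHostFqdn.Split('.')[0]

# SPN forms assumed for a default instance reached over TCP/IP.
$expected = @("MSSQLSvc/${SqlHostFqdn}:$Port", "MSSQLSvc/$SqlHostFqdn")

# Find every AD object holding an MSSQLSvc SPN for this host (short or FQDN form).
$searcher = [adsisearcher]"(servicePrincipalName=MSSQLSvc/$shortName*)"
$searcher.PageSize = 1000
$searcher.PropertiesToLoad.AddRange([string[]]@('samaccountname', 'serviceprincipalname'))

# Map each SPN to the accounts holding it (hashtable keys are case-insensitive).
$holders = @{}
foreach ($entry in $searcher.FindAll()) {
    $account = [string]$entry.Properties['samaccountname'][0]
    foreach ($spn in $entry.Properties['serviceprincipalname']) {
        if ($spn -notlike 'MSSQLSvc/*') { continue }
        if (-not $holders.ContainsKey($spn)) { $holders[$spn] = @() }
        $holders[$spn] += $account
    }
}

# Missing      : no SPN registered, so no Kerberos ticket can be issued for the service.
# WrongAccount : SPN sits on another account (for example the computer account left over
#                from a time the service ran as Local System); the ticket is encrypted
#                for a key the running service does not have.
# Duplicate    : more than one account holds the SPN.
foreach ($spn in $expected) {
    $status = if (-not $holders.ContainsKey($spn)) { 'Missing' }
              elseif ($holders[$spn].Count -gt 1) { 'Duplicate' }
              elseif ($holders[$spn][0] -ne $ServiceAccount) { 'WrongAccount' }
              else { 'OK' }
    [pscustomobject]@{
        SPN    = $spn
        Status = $status
        HeldBy = ($holders[$spn] -join ', ')
    }
}
```

Run it from a domain-joined machine; reading servicePrincipalName normally needs no admin rights. On a connection that does succeed, `SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID` shows whether that session used KERBEROS, NTLM or SQL authentication.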

