This can be caused when there are more than one entry for a SQL Server entry in Kerberos. Sometimes it is caused when a SQL Server is installed under one domain user and is then is switch to another.
Technet article: How to troubleshoot the "Cannot generate SSPI context" error message
https://support.microsoft.com/en-us/kb/811889?wa=wsignin1.0
Really good description but no examples:
How Windows Server 2012 Eases the Pain of Kerberos Constrained Delegation, Part 2
Basically you delete the existing entries and make new ones. You have to be an AD admin to make the deletions.
Commands of use:
List Command
setspn -L [Machine name if default instance]
C:\windows\system32>setspn
-L wkonedev01
Registered
ServicePrincipalNames for CN=WKONEDEV01,OU=Member Servers,DC=******,
DC=com:
MSSQLSvc/WkOneDev01.******.com:1433
MSSQLSvc/WkOneDev01.******.com
WSMAN/wkonedev01.******.com
TERMSRV/wkonedev01.******.com
RestrictedKrbHost/wkonedev01.******.com
HOST/wkonedev01.******.com
WSMAN/WKONEDEV01
TERMSRV/WKONEDEV01
RestrictedKrbHost/WKONEDEV01
HOST/WKONEDEV01
Delete
Command
setspn -D
MSSQLsvc/[Machine Name].[Domain].com:1433 [Domain]\[Domain User Name]
C:\windows\system32>setspn
-D MSSQLsvc/wkonedev01.******.com:1433 ******\wkone
dev01server
Unregistering
ServicePrincipalNames for CN=wkonedev01Server,OU=Service Accounts,
DC=*******,DC=com
MSSQLsvc/wkonedev01.*******.com:1433
Updated object
Safe Add Command
setspn -S MSSQLsvc/[Machine Name].[Domain].com:1433 [Domain]\[Domain User Name]
C:\windows\system32>setspn
-A MSSQLsvc/wkonedev01.*******.com:1433 ********\wkone
dev01server
Registering
ServicePrincipalNames for CN=wkonedev01Server,OU=Service Accounts,DC
=********,DC=com
MSSQLsvc/wkonedev01.********.com:1433
Updated object
After the commands make sure AD is given time to update the DNS then run
C:>ipconfig /flushdns
C:>ipconfig /renew
No comments:
Post a Comment