Wednesday, February 10, 2010

Cannot generate SSPI context. (Microsoft SQL Server)

When logging into an SQL 2005 server you may experience the following error:

Cannot generate SSPI context. (Microsoft SQL Server)



The "Cannot generate SSPI context" error is generated when SSPI uses Kerberos to delegate over TCP/IP and Kerberos cannot complete the necessary operations to successfully delegate the user security token to the destination computer that is running SQL Server.

There are a number of causes for this error; they are listed here:

http://support.microsoft.com/kb/811889

In my case I am currently doing a domain migration to a new forest. As part of the ADMT Migration process you need to migrate service accounts. When the ADMT Agent replaced the service account for my SQL services to use the domain in the other forest, this error started occurring.

The reason is SSPI (Security Support Provider Interface) requires that its service accounts be located in the same Active Directory forest. It doesn't matter if they are in other domains; it just must be the same forest. To get around this I just set all the SQL services to "Local System" instead of using the service account for the migration. When the SQL server gets migrated to the new domain, these accounts can be set back to service accounts.
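
To see which account each SQL service is running under and whether that account belongs to the server's own forest, a check along the following lines can be run on the SQL Server host. This is an added example, not part of the original post; the function name `Get-AccountScope` and its result labels are made up for illustration, and it assumes you run it as a user from the server's current forest.

```powershell
# Added example (not from the original post): classify the logon account of
# each SQL Server service as built-in, local, same-forest or other-forest.
# Assumption: executed on the SQL host by a user from the server's own forest.

function Get-AccountScope {
    param(
        [string]$StartName,        # Win32_Service.StartName value
        [string[]]$ForestNetBios,  # NetBIOS names of the forest's domains
        [string[]]$ForestDns       # DNS names of the forest's domains
    )
    # Built-in identities such as LocalSystem or NT AUTHORITY\NetworkService
    if ($StartName -match '^(LocalSystem|NT AUTHORITY\\.+|NT SERVICE\\.+)$') { return 'BuiltIn' }
    if ($StartName -match '^\.\\') { return 'LocalAccount' }
    if ($StartName -match '^(?<dom>[^\\]+)\\') {
        # DOMAIN\user form: compare the NetBIOS domain part
        if ($ForestNetBios -contains $Matches.dom) { return 'SameForest' }
        if ($Matches.dom -eq $env:COMPUTERNAME)    { return 'LocalAccount' }
        return 'OtherForest'
    }
    if ($StartName -match '@(?<dns>.+)$') {
        # user@suffix form: an alternate UPN suffix will not match a domain
        # name, so a miss here is reported as Unknown rather than OtherForest
        if ($ForestDns -contains $Matches.dns) { return 'SameForest' }
    }
    return 'Unknown'
}

# DNS names of every domain in the current forest
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$dns    = @($forest.Domains | ForEach-Object { $_.Name })

# NetBIOS names come from the crossRef objects in the Partitions container
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher(
    [ADSI]"LDAP://CN=Partitions,$configNC",
    '(&(objectClass=crossRef)(nETBIOSName=*))')
$netbios  = @($searcher.FindAll() |
    ForEach-Object { [string]$_.Properties['netbiosname'][0] })

# Engine, Agent, Browser and related services (MSSQL*, SQL*)
Get-CimInstance -ClassName Win32_Service -Filter "Name LIKE 'MSSQL%' OR Name LIKE 'SQL%'" |
    Select-Object Name, State, StartName,
        @{ Name = 'Scope'; Expression = { Get-AccountScope $_.StartName $netbios $dns } }
```

Services reported as `OtherForest` match the situation described above; services reported as `BuiltIn` after the workaround are the ones to switch back to service accounts once the server itself has been migrated.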



If you are having this issue I highly recommend a full read of Microsoft KB811889 as it explains this in great detail.
