Cannot generate SSPI context

Status
Not open for further replies.

daglugub37

Technical User
Oct 21, 2003
201
US
Any experience with this error?

Only 1 developer is having a problem authenticating to "most but not all" SQL Servers through Query Analyzer or Enterprise Manager. A SQL authentication will work.

Servers are set for mixed credentials and all is working fine for everyone else.

Reboot has not helped. The client's system is correct, he is authenticated on the domain.
 
This usually means that the server can't contact the domain controller to authenticate his account.

Is the user on a different Windows domain than the SQL Server?

Denny
MCSA (2003) / MCDBA (SQL 2000) / MCTS (SQL 2005) / MCITP Database Administrator (SQL 2005)

--Anything is possible. All it takes is a little research. (Me)
 
We're all on 1 big happy domain.

I agree that it seems to be some miscommunication between SQL Server and the domain controller, but I would expect a larger scale if that was the case.

I had the user attempt from another PC and same error.

I think SQL Server is contacting the DC fine, but for some reason SQL won't agree that he is an authenticated domain member.

All other resources work fine for the user.
 
Sounds like his account is in some sort of transition. Have any changes been made to his account recently?

Are you a multi-site shop with SQL Servers in more than one site? If so, any correlation to the sites that he can't log into the SQL Servers of?

Denny
MCSA (2003) / MCDBA (SQL 2000) / MCTS (SQL 2005) / MCITP Database Administrator (SQL 2005)

--Anything is possible. All it takes is a little research. (Me)
 
We are all on site. The Active Directory account has not been modified in 3 weeks, when only a password was changed.

Here are some tidbits from the user's event log:

The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request

The Security System could not establish a secured connection with the server MSSQLSvc/. No authentication protocol was available.

The Security System could not establish a secured connection with the server exchangeMDB/. No authentication protocol was available.

Since it looks like there are some problems authenticating to an Exchange server also, this is looking less like a SQL Server cause.
 
From that it looks like something with Kerberos isn't happy.

Denny
MCSA (2003) / MCDBA (SQL 2000) / MCTS (SQL 2005) / MCITP Database Administrator (SQL 2005)

--Anything is possible. All it takes is a little research. (Me)
 
Get your network people to put a sniffer on his box. Run TraceRt from a command prompt on his Desktop to the Server, see if the packets are getting dropped and how many hops they have to go through to get to the server.

Verify no new routers or firewalls have been added which might block off his subnet from the subnet the servers are on.

Run a diagnostic on his network card if all else fails and check that his user account hasn't been added to any AD groups which have DENY on any domain permissions or Group Security Policies that might be messing up with Kerberos.

There are a ton of other things you could check, but those are the top on my list.



Catadmin - MCDBA, MCSA
"No, no. Yes. No, I tried that. Yes, both ways. No, I don't know. No again. Are there any more questions?"
-- Xena, "Been There, Done That"
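
Added example, not part of the original thread: a small triage of the kind of event-log entries quoted above, grouping the failed service principal names by service class to show whether failures are confined to SQL Server or span several services. The host names, the `triage` function and its scope labels are constructed for illustration; the thread's own entries have the host part cut off.

```python
import re
from collections import defaultdict

# Constructed sample lines modeled on the event-log excerpts quoted in the thread.
# Host names are placeholders (assumption); the thread does not show them.
SAMPLE_EVENTS = [
    'The failure code from authentication protocol Kerberos was "There are currently '
    'no logon servers available to service the logon request',
    "The Security System could not establish a secured connection with the server "
    "MSSQLSvc/sql01.example.test:1433. No authentication protocol was available.",
    "The Security System could not establish a secured connection with the server "
    "MSSQLSvc/sql02.example.test:1433. No authentication protocol was available.",
    "The Security System could not establish a secured connection with the server "
    "exchangeMDB/mail01.example.test. No authentication protocol was available.",
]

# Captures "<service class>/<host[:port]>" after the fixed message prefix.
SPN_RE = re.compile(r"with the server ([\w\-]+)/(\S*)")


def triage(events):
    """Group failed SPNs by service class and flag a 'no logon servers' Kerberos code."""
    by_class = defaultdict(set)
    no_logon_server = False
    for line in events:
        m = SPN_RE.search(line)
        if m:
            # Strip the sentence-ending period; the host may be missing entirely.
            host = m.group(2).rstrip(".") or "<host missing>"
            by_class[m.group(1).lower()].add(host)
        elif "no logon servers available" in line.lower():
            no_logon_server = True
    # Heuristic labels (assumption): they only say where to start looking.
    if no_logon_server or len(by_class) > 1:
        scope = "client-or-account"  # several services fail, or no logon server found
    elif by_class:
        scope = "single-service"     # one service class fails: start with that service
    else:
        scope = "no-sspi-failures"
    return {"scope": scope, "no_logon_server": no_logon_server,
            "services": {k: sorted(v) for k, v in by_class.items()}}


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```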
 