The “Cannot generate SSPI context” error when an application or client is attempting to connect to a SQL Server can be a frustrating one to resolve.
I recently encountered this issue and this is a braindump of notes that may help others, resolve it in as short a time as possible.
What Does “Cannot generate SSPI context” Mean?
Error message “Cannot generate SSPI context” error is generated when SSPI uses Kerberos authentication to delegate over TCP/IP and Kerberos authentication cannot complete the necessary operations to successfully delegate the user security token to the destination computer that is running SQL Server. ref: MS
How To Resolve
- Try to verify the domain account the client is using from a different Server that the affected one. This will help to narrow down whether you are dealing solely with one server issue, or a more general issue
- Attempt to connect to the SQL instance from the affected client with a SQL only username. If this is successful there is a likely a problem with domain authentication from the client to the SQL Server
- Check that the DNS servers are correctly set
- Check for AD and DNS errors as well as checking the error logs on the affected client and the SQL Server
As a result of the checks below, hopefully you have found something amiss.
When I experienced this issue it came down to incorrect DNS settings on the client.
Knowledge base articles on the SSPI context error
- “Cannot Generate SSPI Context” error message, Poisoned DNS
- SQL Server connectivity, Kerberos authentication and SQL Server SPN (Service Principal Name for SQL Server)
- How to troubleshoot the “Cannot generate SSPI context” error message
Share Your Thoughts and Solutions
If you manage to resolve this issue and it was something we haven’t covered in this article, please leave us a comment and let us know what happened and how you figured it out.