SSPI Error when connecting from Intune Managed AVD to SQL Host using SSMS

Jason P 116 Reputation points
2024-07-05T12:59:15.8366667+00:00

Hi All,

I have a problem when trying to connect to a SQL Server using SSMS via an Entra joined and Intune Managed AVD.

The SQL host is in an AD DS where accounts are synced to Entra AD.

The error I get is:

The target principal name is incorrect. Cannot generate SSPI context.

I checked up on this and it talks about SPN not being registered. I set up the service account to register the SPN and I still get the error. Then I removed those registrations and manually created them using the Computer account details. That has not worked either.

I used Kerberos Configuration Manager and it shows up all good. SQLCheck also showed the SPNs when I manually created them. It does not show them when the service account creates them, but from reading, that is how it should be (the service account has the permissions to create the SPN, which it has done).

Does anyone have an idea what could be the issue here?

Thanks


3 answers

  1. LucyChenMSFT-4874 2,985 Reputation points
    2024-07-08T03:08:55.74+00:00

    Hi @Jason P,

    Thank you for reaching out and welcome to Microsoft Q&A!

    It seems that it is a known issue. Please refer to this official document: "Cannot generate SSPI context" error when using Windows authentication to connect SQL Server.

    Hope this can help you understand well!

    Feel free to share your issue here if you have any concerns!

    Best regards,

    Lucy Chen


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our Documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    https://docs.microsoft.com/en-us/answers/support/email-notifications


  2. LucyChenMSFT-4874 2,985 Reputation points
    2024-07-09T05:44:49.5033333+00:00

    Hi @Jason P,

    Thank you for your kind feedback and welcome to Microsoft Q&A!

    From this article, we can understand the causes of the error message:

    “The target principal name is incorrect. Cannot generate SSPI context”

    • Misconfiguration of SPN
    • Domain Connectivity Issues
    • Firewall Settings
    • Time Synchronization Issues
    • Active Directory Issues
    • Authentication Protocol Issues

    You can follow the steps in this article to troubleshoot the error message. Using Kerberos Authentication is one of the solutions in this article.

    Creating the SPNs manually or having them created by the service that starts the process does not fix the problem. I still get the SSPI error.

    Please ensure you created the SPN successfully and used the correct way.

    In addition to the methods I mentioned, this article provides another method, you can check it out! Hope this can help you well!

    Feel free to share your issue here if you have any concerns.

    Best regards,

    Lucy Chen




  3. Jason P 116 Reputation points
    2024-07-11T14:21:58.4566667+00:00

    I fixed the issue. It was all relating to this article:

    https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-passwordless-security-key-on-premises#create-a-kerberos-server-object

    Once the Kerberos object was created everything started working.

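One way to check the state the last answer describes, as an added example that is not part of the thread: the first function looks at the client side on the Entra joined session host, the second verifies the Kerberos server object from a domain-joined admin machine. The domain name, SPN and function names are constructed placeholders; `Get-AzureADKerberosServer` comes from the AzureADHybridAuthenticationManagement module.

```powershell
# Added example, not from the thread. All names below are constructed placeholders.
$Domain = 'corp.example'                        # AD DS domain of the SQL host
$SqlSpn = 'MSSQLSvc/sqlhost.corp.example:1433'  # SPN requested for a default instance

function Test-ClientKerberos {
    # Run in the affected user's session on the Entra joined AVD host.
    param([string]$Spn)

    # SSO state of the signed-in user. OnPremTgt : NO means no Kerberos ticket
    # for on-premises resources is present for this logon.
    dsregcmd /status | Select-String -Pattern 'AzureAdPrt\s*:|OnPremTgt\s*:|CloudTgt\s*:'

    # Request a service ticket for the SQL SPN, then show what the cache holds.
    klist get $Spn
    klist | Select-String -SimpleMatch 'MSSQLSvc'
}

function Test-KerberosServerObject {
    # Run on a domain-joined admin host with the module installed.
    # Prompts for an Entra ID administrator and an AD DS administrator.
    param([string]$DomainName, [string]$Spn)

    Import-Module AzureADHybridAuthenticationManagement -ErrorAction Stop
    $cloudCred  = Get-Credential -Message 'Entra ID administrator (UPN)'
    $domainCred = Get-Credential -Message 'AD DS domain administrator'

    $server = Get-AzureADKerberosServer -Domain $DomainName `
        -CloudCredential $cloudCred -DomainCredential $domainCred

    if (-not $server -or -not $server.Id) {
        Write-Warning "No Kerberos server object found for $DomainName."
        return $false
    }
    # The key held in AD DS and the copy published to Entra ID must match.
    if ($server.KeyVersion -ne $server.CloudKeyVersion) {
        Write-Warning "Key mismatch: AD DS $($server.KeyVersion), Entra ID $($server.CloudKeyVersion)."
        return $false
    }
    $server | Format-List DomainDnsName, ComputerAccount, UserAccount, KeyVersion, CloudKeyVersion | Out-Host

    # Show which account currently holds the SQL SPN.
    setspn -Q $Spn | Out-Host
    return $true
}

# Usage (uncomment on the relevant machine):
# Test-ClientKerberos -Spn $SqlSpn
# Test-KerberosServerObject -DomainName $Domain -Spn $SqlSpn
```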