SQL 2012 on Server 2012 Kerberos error

I was challenged when standing up a new SharePoint 2013 farm.  My front-end servers could not connect to the SQL 2012 server.  I was getting this error: 

The target principal name is incorrect. Cannot generate SSPI context.

 and 

 Unknown SQL Exception 0 occurred. Additional error information from SQL Server is included below

 This brand new server build and SQL 2012 installation was installed on Server 2012.  I don't think the versions matter to this issue, though.  I was able to connect with the SQL server authentication using the SA account, but not with Windows authentication.  All the permissions were set up correctly.

 This error indicates a Kerberos error.  I didn't need to use Kerberos.  Somehow, either through my efforts or as part of the basic install, SPNs were set up on the computer account in AD.  I tried using the Users and Computer snap-in to verify there were no SPNs and the list on the Delegation tab was empty.

After toiling to no avail with other avenues, I ran the command line SETSPN and it showed a list of SPNs on my SQL host.

C:\>setspn -L

WSMAN/SQL2012
WSMAN/SQL2012.hc.org
MSSQLSvc/SQL2012.hc.org
MSSQLSvc/SQL2012.hc.org:1433
TERMSRV/SQL2012.hc.org
TERMSRV/SQL2012
RestrictedKrbHost/SQL2012
HOST/SQL2012
RestrictedKrbHost/SQL2012.hc.org
HOST/SQL2012.hc.org

I deleted the SQL registrations with this command:

C:\> setspn -D MSSQLSvc/SQL2012.hc.org

C:\> setspn -D MSSQLSvc/SQL2012.hc.org:1433

I restarted the SQL services and they wouldn't restart due to Logon Failure.  I set the services to use a local account and it worked.  I was able to connect to SQL remotely.

Solution was to use a local system account on the SQL services after deleting the SPNs.

Comments

Post a Comment

Popular posts from this blog

Exchange 2010 event errors 2601, 2604, 2501

In a recent migration from Exchange 2003/2007 to Exchange 2010, I ran into an issue where I had 2601, 2604, and 2501 errors. Log Name:      Application Source:        MSExchange ADAccess Date:          4/8/2013 12:02:20 PM Event ID:      2601 Task Category: General Level:         Warning Keywords:      Classic User:          N/A Computer:      Exchange10.domain.org Description: Process MSEXCHANGEADTOPOLOGY (PID=1268). When initializing a remote procedure call (RPC) to the Microsoft Exchange Active Directory Topology service, Exchange could not retrieve the SID for account - Error code=8007077f.   The Microsoft Exchange Active Directory Topology service will continue starting with limited permissions. and Log Name:      Application Source:        MSExchange ADAccess Date: ...
Read more

"The following factors also affect the level of access for" user with excess permissions

Image
I have a user that had access to site settings, all content, etc. I double checked her access and it was read only but the permissions check tool showed a panel beneath the site permissions that showed Allow for many categories. She had full control. "The following factors also affect the level of access for" She was added as a Site Collection Administrator. I don't know who would have added her there, but someone had. If you find this type of issue, that should be the first thing you check. You can also check the Web Application User Policy in Central Admin. That's the other area I find people or groups with elevated permissions.
Read more

Robocopy Error 31 A device attached to the system is not functioning

I was migrating Windows file shares to NetApp CIFS shares using Robocopy. I was unable to copy owner information or NTFS Security (/COPY:DATSOU) without getting this Error: ERROR 31 (0x0000001F) Copying NTFS Security to Destination Directory F:\PATH A device attached to the system is not functioning. I thought it may be the zone information on may of these files. I used the Sysintenals Streams utility to remove that information. It did not help. In the end, I was forced to copy without NTFS information (/COPY:DATU) When I viewed the properties of any share, folder, or file, the length of time to enumerate and display the permissions was exceedingly slow. I tried disabling anti-virus, etc. In the end, I had to manually re-create the permissions after the initial data copy. File ownership information was lost. UPDATE: I ran a CHKDSK /F and following a reboot this robocopy functioned fine.
Read more