SQL 2012 on Server 2012 Kerberos error

I was challenged when standing up a new SharePoint 2013 farm.  My front-end servers could not connect to the SQL 2012 server.  I was getting this error: 

The target principal name is incorrect. Cannot generate SSPI context.

 and 

 Unknown SQL Exception 0 occurred. Additional error information from SQL Server is included below

 This brand new server build and SQL 2012 installation was installed on Server 2012.  I don't think the versions matter to this issue, though.  I was able to connect with the SQL server authentication using the SA account, but not with Windows authentication.  All the permissions were set up correctly.

 This error indicates a Kerberos error.  I didn't need to use Kerberos.  Somehow, either through my efforts or as part of the basic install, SPNs were set up on the computer account in AD.  I tried using the Users and Computer snap-in to verify there were no SPNs and the list on the Delegation tab was empty.

After toiling to no avail with other avenues, I ran the command line SETSPN and it showed a list of SPNs on my SQL host.

C:\>setspn -L

WSMAN/SQL2012
WSMAN/SQL2012.hc.org
MSSQLSvc/SQL2012.hc.org
MSSQLSvc/SQL2012.hc.org:1433
TERMSRV/SQL2012.hc.org
TERMSRV/SQL2012
RestrictedKrbHost/SQL2012
HOST/SQL2012
RestrictedKrbHost/SQL2012.hc.org
HOST/SQL2012.hc.org

I deleted the SQL registrations with this command:

C:\> setspn -D MSSQLSvc/SQL2012.hc.org

C:\> setspn -D MSSQLSvc/SQL2012.hc.org:1433

I restarted the SQL services and they wouldn't restart due to Logon Failure.  I set the services to use a local account and it worked.  I was able to connect to SQL remotely.

Solution was to use a local system account on the SQL services after deleting the SPNs.

Comments

Post a Comment

Popular posts from this blog

Robocopy Error 31 A device attached to the system is not functioning

I was migrating Windows file shares to NetApp CIFS shares using Robocopy. I was unable to copy owner information or NTFS Security (/COPY:DATSOU) without getting this Error:

ERROR 31 (0x0000001F) Copying NTFS Security to Destination Directory F:\PATH
A device attached to the system is not functioning.

I thought it may be the zone information on may of these files. I used the Sysintenals Streams utility to remove that information. It did not help.

In the end, I was forced to copy without NTFS information (/COPY:DATU)

When I viewed the properties of any share, folder, or file, the length of time to enumerate and display the permissions was exceedingly slow. I tried disabling anti-virus, etc. In the end, I had to manually re-create the permissions after the initial data copy. File ownership information was lost.

UPDATE: I ran a CHKDSK /F and following a reboot this robocopy functioned fine.


Read more

Exchange 2010 event errors 2601, 2604, 2501

In a recent migration from Exchange 2003/2007 to Exchange 2010, I ran into an issue where I had 2601, 2604, and 2501 errors.


Log Name:      Application
Source:        MSExchange ADAccess
Date:          4/8/2013 12:02:20 PM
Event ID:      2601
Task Category: General
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      Exchange10.domain.org
Description:
Process MSEXCHANGEADTOPOLOGY (PID=1268). When initializing a remote procedure call (RPC) to the Microsoft Exchange Active Directory Topology service, Exchange could not retrieve the SID for account - Error code=8007077f. 
 The Microsoft Exchange Active Directory Topology service will continue starting with limited permissions.


and


Log Name:      Application
Source:        MSExchange ADAccess
Date:          4/8/2013 12:02:20 PM
Event ID:      2604
Task Category: General
Level:         Error
Keywords:      Classic
User:          N/A
Computer:     Exchange10.domain.org
Description:
Process MSEXCHANGEADTOPOLOGY (P…
Read more