If you are using Microsoft SQL Server, you may run across an error message similar to “Target Principal Name Is Incorrect. Cannot Generate SSPI context” often when trying to connect to your databases. This issue can arise when either Kerberos authentication is not successful or there may be issues with the Active Directory or the domain controller.
Step By Step Solution
Check Server Time and Clock synchronization
- This is the first step that should be taken to ensure the “Target Principal Name Is Incorrect. Cannot generate SSPI context” error is not from a time skew. Make sure the time and clock on server where SQL instance is installed, as well as active directory server are fully synchronized.
Run a klist purge
- On the servers listed in the Step 1, run a klist purge. This will clear Kerberos tickets cached on the server and assign them new tickets.
- To run the command, open a command prompt and type the following command, with admin privileges
Klist purge
Check active directory permissions
- Use Microsoft Management Console to verify that the service accounts of SQL server instance have Specific set of permission in active directory.
- If not, assign specific permission of active directory to the service account. Then restart the service of MS SQL server instance.
Reset Service Account
- Reset the service account of the SQL server instance by changing the “Allow Service to Interact with Desktop” setting in the Log On tab.
- After this is done, restart the service.
Delete SPN ( Service Principal Name )
- If the error message still exists, delete the Service Principal Name (SPN) in active directory and restart the SQL server instance.
- To delete the SPN in active directory, use the following command
setspn -d MSSQLSvc/FQDN:port Domain\accountname
FAQ
Q1. What does 'Target Principal Name Is Incorrect' mean?
A1. This error occurs when the Kerberos authentication fails, when Active Directory does not recognize the SPN or when the domain controller experiences issues.
Q2. How do I check server time and clock synchronization?
A2. To check the time and clock synchronization, you should check the server where the SQL instance is installed and the active directory server. If they are synced, they will show the same time. If not, you should synchronize them.
Q3. What is the command needed to reset service account?
A3. To reset the service account, you will need to go to Log On tab in service properties and change the 'Allow Service to Interact with Desktop' setting. After this is done, restart the service.
Q4. How to delete SPN?
A4. To delete the SPN in active directory, use the following command: setspn -d MSSQLSvc/FQDN:port Domain\accountname
Q5. What is Kerberos Authentication?
A5. Kerberos authentication is an authentication protocol that runs on networks where authentication information is passed between a client and a server. It is an authentication protocol used to provide secure communication over a network.