A Database Server has been cloned. The Operating System is "Microsoft Windows XP Professional Version 2002 Service Pack 3". The Query Environment is "Microsoft SQL Server 2008 Management Studio 10.0.4000.0".
After cloning, the following behaviour has been noticed. While attempting to connect from outside the machine, yet within the same domain, the following error message can be read: "Cannot generate SSPI context. (.Net SqlClient Data Provider)".
From within the machine, it is possible to connect to the Database Server using the "Microsoft SQL Server 2008 Management Studio" Query Environment.
However, when attempting to run the SQLCmd command line tool, the following error is displayed:
C:\<Directory>>SQLCmd -S DBA2\<Instance> -i C:\<Directory>\<FileName>.SQL
HResult 0x80090322, Level 16, State 1
SQL Server Network Interfaces: The target principal name is incorrect.
Sqlcmd: Error: Microsoft SQL Server Native Client 10.0 : Cannot generate SSPI context.
The ServicePrincipalNames are set the following way:
C:\PROGRA~1\SUPPOR~1>setspn DBA2
Registered ServicePrincipalNames for CN=DBA2,CN=Computers,DC=<Company>,DC=com:
VProRecovery Backup Exec System Recovery Agent 7.0/DBA2.<Company>.com
HOST/DBA2
HOST/DBA2.<Company>.com
While running the "C:\PROGRA~1\SUPPOR~1\ADSIEDIT.MSC" Support Tool from the Microsoft Windows XP Professional compact disk, we can see below the "ADSI Edit \ Domain [<Site>.<Company>.com] \ DC=<Company>,DC=com" path the "CN=Computers" leaf. In its "Properties" dialog box, inside the "Security" tab, below the "Group or user names:" list, there is the "SELF" entry. On pressing the "Advanced" button, the "Advanced Security Settings for Computers" dialog box is generated. On the "Permissions" tab, under the "Permission entries:" list, there also is an entry with the Name "SELF". By pressing the "Edit..." button, the "Permission Entry for Computers" dialog box is displayed. On its "Properties" tab, in the "Permissions:" list, there are no entries for the "Read ServicePrincipalName" permission and for the "Write ServicePrincipalName" permission.
This might be the reason why the following command fails:
C:\PROGRA~1\SUPPOR~1>setspn -r DBA2
Registering ServicePrincipalNames for CN=DBA2,CN=Computers,DC=<Company>,DC=com
HOST/DBA2.<Company>
HOST/DBA2
Failed to assign SPN to account 'CN=DBA2,CN=Computers,DC=<Company>,DC=com', 0x2098
Even if there were permissions in place for resetting the ServicePrincipalName on the cloned Database Server, would that solve the connection both from SQLCmd and from outside the machine, within the same domain?
Actually, yes, that solved the problem after the right permissions were set in the right place.
The ServicePrincipalNames had to be set on the SQL user, as follows:
C:\PROGRA~1\SUPPOR~1>setspn -a mssqlsvc/dba2:1433 <Company>\<UserName>
Registering ServicePrincipalNames for CN=<UserName>,OU=Reporting Security,OU=Security Groups,OU=Romania,DC=<Company>,DC=com
mssqlsvc/dba2:1433
Updated object
C:\PROGRA~1\SUPPOR~1>setspn -a mssqlsvc/dba2.<Company>.com:1433 <Company>\<UserName>
Registering ServicePrincipalNames for CN=<UserName>,OU=Reporting Security,OU=Security Groups,OU=Romania,DC=<Company>,DC=com
mssqlsvc/dba2.<Company>.com:1433
Updated object
C:\PROGRA~1\SUPPOR~1>setspn -l dba2
Registered ServicePrincipalNames for CN=DBA2,OU=Romania Machines,OU=Romania,DC=<Company>,DC=com:
VProRecovery Backup Exec System Recovery Agent 7.0/DBA2.<Company>.com
HOST/DBA2
HOST/DBA2.<Company>.com
C:\PROGRA~1\SUPPOR~1>setspn -l <UserName>
Registered ServicePrincipalNames for CN=<UserName>,OU=Reporting Security,OU=Security Groups,OU=Romania,DC=<Company>,DC=com:
MSSQLSvc/DBA2.<Company>.com:<Company>_RO
mssqlsvc/dba2.<Company>.com:1433
mssqlsvc/dba2:1433
Hopefully this might help somebody who could stumble into the same problem.
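As an added example (not part of the original post), the following Python sketch parses `setspn -l` listings like the ones above, checks that the MSSQLSvc SPNs a listener needs are on the SQL Server service account, and flags any of them that are also held by another account, since an SPN must be unique. The names `example.com`, `svc_sql` and `INST1` are constructed placeholders, and the function names are hypothetical.

```python
import re

HEADER = re.compile(r"^Registered ServicePrincipalNames for (?P<dn>.+):\s*$")
PROMPT = re.compile(r"^[A-Za-z]:\\[^>]*>")  # e.g. C:\PROGRA~1\SUPPOR~1>setspn ...

def parse_setspn_listing(text):
    """Map each account DN to the SPNs listed under it in `setspn -l` output."""
    accounts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            current = accounts.setdefault(header.group("dn"), [])
        elif PROMPT.match(line):
            current = None          # a new command starts; stop collecting
        elif current is not None and "/" in line:
            current.append(line)
    return accounts

def expected_spns(short_name, fqdn, port=None, instance=None):
    """MSSQLSvc SPNs for a listener: one per host name form and port/instance."""
    suffixes = ([str(port)] if port else []) + ([instance] if instance else [])
    return [f"MSSQLSvc/{h}:{s}" for h in (short_name, fqdn) for s in suffixes]

def audit(accounts, wanted, service_dn):
    """Return (SPNs missing from service_dn, SPNs also held by other accounts)."""
    owners = {}
    for dn, spns in accounts.items():
        for spn in spns:
            owners.setdefault(spn.lower(), set()).add(dn)  # compare case-insensitively
    missing, misplaced = [], {}
    for spn in wanted:
        held_by = owners.get(spn.lower(), set())
        if service_dn not in held_by:
            missing.append(spn)
        if held_by - {service_dn}:
            misplaced[spn] = sorted(held_by - {service_dn})
    return missing, misplaced

# Constructed sample listing; all names below are placeholders, not from the post.
SAMPLE = """\
Registered ServicePrincipalNames for CN=DBA2,OU=Machines,DC=example,DC=com:
    HOST/DBA2
    HOST/DBA2.example.com
    MSSQLSvc/DBA2.example.com:1433
Registered ServicePrincipalNames for CN=svc_sql,OU=Service Accounts,DC=example,DC=com:
    mssqlsvc/dba2:1433
    mssqlsvc/dba2.example.com:1433
"""
SERVICE_DN = "CN=svc_sql,OU=Service Accounts,DC=example,DC=com"
```
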