- The cannot generate SSPI context error can prevent admins and users from accessing their server.
- To fix this error, you need to change the Active Directory permission.
The "The target principal name is incorrect – cannot generate SSPI context" error occurs when you try to connect to SQL Server from a remote server with a Windows account.
This is a generic error. It can be triggered by many causes, including an outdated password, clock drift, failure to register an SPN, or Active Directory access permissions.
In this article, we take a look at a few troubleshooting steps to help you resolve the cannot generate SSPI context error on Windows Server.
How can I fix the cannot generate SSPI context error?
1. Change SQL Service User
Try changing the SQL Server service user to one that is a Domain Admin. When you shut down the service, you need an account with privileges to create a new SPN (Service Principal Name).
When a service starts without one, it triggers the error. Changing the privileges of your system account can fix the error.
However, for security reasons, it is always recommended to give service accounts the least privileges. Follow the steps below to remove the SPN entries in Active Directory Users and Computers:
- Open Active Directory Users and Computers in Advanced View.
- Look for the SPN entries for MSSQLSvc.
- Remove all the entries associated with MSSQLSvc.
- Close Active Directory Users and Computers and check for any improvements.
- Change Active Directory permission.
2. Check your password
The cannot generate SSPI context error can occur due to password issues. If you have recently changed your password but haven't logged out of your account, it can trigger the error.
Try logging out and then signing in with the new password to fix the error.
In other instances, the issue could be due to password expiration. Change the expired password and log in with the new credentials to see if that resolves the error.
3. Change Active Directory permission
- Run Adsiedit.msc from the Run dialog box.
- In the Active Directory Service window, expand Domain [YourDomainName], then expand DC=RootDomainName, and then CN=Users.
- Right-click CN=[YourAccountName] and select Properties.
- Open the Security tab.
- Click on the Advanced option.
- Select any one of the SELF rows.
- Click Edit, and then open the Permission Entry window.
- Here, make sure the Principal is set to SELF, Type is set to Allow, and Applies to is set to This Object Only.
- In the Properties section, select the following:
  - Read servicePrincipalName
  - Write servicePrincipalName
- Click OK to apply the changes and exit.
Try establishing a new connection and check if the cannot generate SSPI context error is resolved. Make sure you restart the SQL services that are associated with the current account to apply the changes.
Changing the Active Directory permission is a safer option than changing the SQL Server service user. However, before you proceed to change the permission, make sure the problem is actually caused by permission issues.
Log in to the server where your SQL instance is running, and then review the error logs to see whether the error is triggered by permission problems.
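One way to run the error-log check described above, as an added PowerShell example that is not part of the original article: it pulls SQL Server's SPN registration messages out of ERRORLOG text and flags Windows return code 0x2098 (insufficient access rights), which points at the permission cause rather than a password or clock issue. The sample log lines, the host name and the function name Get-SpnRegistrationEvent are constructed for illustration, and the paths and account names in the comments are placeholders.

```powershell
# Constructed sample modeled on the SPN registration messages SQL Server
# writes to ERRORLOG at startup. Host, port and timestamps are made up.
$SampleLog = @'
2024-01-10 08:00:01.12 Server      The SQL Server Network Interface library could not register the Service Principal Name (SPN) [ MSSQLSvc/sql01.example.local:1433 ] for the SQL Server service. Windows return code: 0x2098, state: 15. Failure to register a SPN might cause integrated authentication to use NTLM instead of Kerberos.
2024-01-10 08:00:01.13 Server      The SQL Server Network Interface library successfully registered the Service Principal Name (SPN) [ MSSQLSvc/sql01.example.local ] for the SQL Server service.
2024-01-10 08:00:02.40 Logon       SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security.
'@ -split "`r?`n"

# Hypothetical helper: returns one object per SPN registration message.
function Get-SpnRegistrationEvent {
    param([Parameter(Mandatory)][string[]]$Line)

    $pattern = '(?<result>could not register|successfully registered) the Service Principal Name \(SPN\) \[ (?<spn>[^\]]+?) \]' +
               '(?:.*?Windows return code: (?<code>0x[0-9a-fA-F]+))?'

    foreach ($l in $Line) {
        if ($l -match $pattern) {
            [pscustomobject]@{
                Spn             = $Matches.spn
                Registered      = $Matches.result -eq 'successfully registered'
                ReturnCode      = $Matches.code   # $null when the line carries no code
                # 0x2098 = 8344 = ERROR_DS_INSUFF_ACCESS_RIGHTS: the service
                # account was not allowed to write servicePrincipalName.
                PermissionIssue = $Matches.code -eq '0x2098'
            }
        }
    }
}

$events = Get-SpnRegistrationEvent -Line $SampleLog
$events | Format-Table -AutoSize

if ($events | Where-Object PermissionIssue) {
    Write-Warning 'SPN registration was denied: check the SELF read/write servicePrincipalName permission on the service account.'
}

# On the server, feed the real log instead (location is instance-specific):
#   Get-SpnRegistrationEvent -Line (Get-Content '<path-to-instance-log-folder>\ERRORLOG')
# List the SPNs currently registered to the service account:
#   setspn -L '<DOMAIN>\<ServiceAccount>'
```

If no line reports a failed registration with 0x2098, the permission change in step 3 is unlikely to help and the password causes from step 2 are the better place to look.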
The cannot generate SSPI context error can occur due to permission issues as well as expired credentials. Changing the password and permission should help you fix the error and log back into your SQL server.
If you are facing other issues like Microsoft SQL Server error 18456, check our detailed guide to fix it.