- The cannot generate SSPI context error can prevent administrators and users from accessing their server.
- In this article, we explore the three ways to fix this error to get you back online.
The target principal name is incorrect – cannot generate SSPI context error occurs when trying to connect to SQL Server from a remote server with a Windows account.
This is a generic error. It can be triggered for many reasons, including an outdated password, clock drift, failure to register an SPN, or Active Directory access permissions.
In this article, we take a look at a few troubleshooting steps to help you resolve the cannot generate SSPI context error on the Windows server.
How can I fix the target principal name is incorrect – cannot generate SSPI context error?
1. Change SQL Service User
Try changing the SQL Server service user to one that is a Domain Admin. When you shut down the service, you need an account with the privileges to create a new SPN (Service Principal Name).
When a service starts without them, it will trigger the error. Changing the privileges of your system account can fix the error.
However, for security reasons it is always recommended to give service accounts the least privileges they need.
Remove the SPN entries from AD Users and Computers
- Open Active Directory Users and Computers in Advanced View.
- Look for the SPN entries for MSSQLSvc.
- Remove all the entries associated with MSSQLSvc.
- Close Active Directory Users and Computers and check for any improvements.
- Change Active Directory permission.
2. Check your password
The cannot generate SSPI context error can occur due to password issues. If you recently changed your password but haven't logged out of your account, it can trigger the error.
Try logging out and then signing in with the new password to fix the error.
In other instances, the issue could be due to password expiration. Change the expired password and log in with the new credentials to see if that resolves the error.
3. Change Active Directory permission
- Run Adsiedit.msc from the Run dialog box.
- In the Active Directory Service window, expand Domain [YourDomainName], then expand DC = RootDomainName, and then CN = Users.
- Right-click on CN= [YourAccountName] and select Properties.
- Open the Security tab.
- Click the Advanced option.
- Select any one of the SELF rows.
- Click Edit to open the Permission Entry window.
- Here, make sure the Principal is set to SELF, Type is set to Allow, and Applied to is set to This Object Only.
- In the Properties section, select the following.
- Click OK to apply the changes and exit.
Try establishing a new connection and check if the cannot generate SSPI context error is resolved. Make sure you restart the SQL services that are associated with the current account to apply the changes.
Changing the Active Directory permission is a safer option than changing the SQL Server service user. However, before you proceed to change the permission, make sure the problem is actually caused by permission issues.
Log in to the server where your SQL instance is running and review the error logs to confirm whether the error is triggered by permission problems.
The error in the log will look something like this:
The SQL Server Network Interface library could not register the Service Principal Name (SPN) [ MSSQLSvc/servername.domainname.net:1433 ] for the SQL Server service.
Windows return code: 0x2098, state: 15. Failure to register an SPN might cause integrated authentication to use NTLM instead of Kerberos.
This is an informational message. Further action is only required if Kerberos authentication is required by authentication policies and if the SPN has not been manually registered.
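As an added example (not part of the original article), the log check above can be scripted: the parser below pulls each SPN registration failure out of SQL Server error log text and reports whether its Windows return code is the permission error shown above. The timestamps and the second sample entry are constructed, and the names `find_spn_failures`, `SpnFailure` and `KNOWN_CODES` are hypothetical.

```python
import re
from typing import List, NamedTuple

# Windows return codes SQL Server logs when SPN self-registration fails.
KNOWN_CODES = {
    0x2098: "insufficient access rights in Active Directory (permission issue)",
    0x21C7: "SPN value is not unique in the forest (duplicate SPN)",
}

# The message may be wrapped over two lines, so allow a short gap (DOTALL)
# between the bracketed SPN and the return code.
FAILURE = re.compile(
    r"could not register the Service Principal Name \(SPN\)\s*"
    r"\[\s*(?P<spn>[^\]\s]+)\s*\].{0,200}?"
    r"Windows return code:\s*(?P<code>0x[0-9a-fA-F]+),\s*state:\s*(?P<state>\d+)",
    re.DOTALL,
)

class SpnFailure(NamedTuple):
    spn: str
    code: int
    state: int
    cause: str
    permission_issue: bool  # True only for 0x2098, the case section 3 addresses

def find_spn_failures(log_text: str) -> List[SpnFailure]:
    """Return every SPN registration failure found in the error log text."""
    findings = []
    for m in FAILURE.finditer(log_text):
        code = int(m.group("code"), 16)
        cause = KNOWN_CODES.get(code, "unrecognised return code")
        findings.append(SpnFailure(m.group("spn"), code, int(m.group("state")),
                                   cause, code == 0x2098))
    return findings

# Constructed sample: the message quoted above with invented timestamps,
# plus a constructed duplicate-SPN entry for contrast.
SAMPLE_LOG = """\
2024-01-01 08:00:01.10 Server  The SQL Server Network Interface library could not register the Service Principal Name (SPN) [ MSSQLSvc/servername.domainname.net:1433 ] for the SQL Server service.
Windows return code: 0x2098, state: 15. Failure to register an SPN might cause integrated authentication to use NTLM instead of Kerberos.
2024-01-01 08:00:01.10 Server  The SQL Server Network Interface library could not register the Service Principal Name (SPN) [ MSSQLSvc/servername.domainname.net ] for the SQL Server service. Windows return code: 0x21c7, state: 15.
"""

if __name__ == "__main__":
    for f in find_spn_failures(SAMPLE_LOG):
        verdict = "permission change applies" if f.permission_issue else "look elsewhere"
        print(f"{f.spn}: 0x{f.code:04x} state {f.state} -> {f.cause}; {verdict}")
```

To run it against a real log, read the ERRORLOG file into a string first; the file is normally UTF-16 encoded, so open it with `encoding="utf-16"`.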
The cannot generate SSPI context error can occur due to permission issues as well as expired credentials. Changing the password and the permission should help you fix the error and log back in to your SQL Server.