SQL Server 2008 “Can’t Generate SSPI Context” error on remote connection

While trying to set up a remote connection to a new SQL Server 2008 installation that uses Windows authentication (aka Kerberos), I encountered this error:


Can't generate SSPI context

A good high-level explanation of what causes the error can be found on MSDN, and a detailed explanation can be found at Microsoft Support, but neither article explains in detail how to fix the problem.

In my case, during install, I had the server start under my user name when I should have had it start under the Network Service group. This is a problem because when user Bob tries to log into the server remotely, my user (the one the server is running under) doesn’t have the necessary permissions to run as Bob, so Bob gets an error that the SSPI context can’t be generated. To fix this I needed to change the user that SQL Server runs under to Network Service. To do this:

  1. Open the Task Manager and go to the Services tab
  2. Click the Services button in the lower right corner
  3. Sort by name and find all the SQL entries
  4. In the “Log on as” column you should see some of the services have a user name. For each:
    1. Right click and select Properties
    2. Select the Log On tab
    3. Make sure “This account” is selected
    4. Fill in Network Service in the box next to “This account”
    5. Delete both passwords
    6. Click OK
  5. Restart the SQL Server

This should cause the server to run under Network Service instead of a particular user.
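A read-only check for steps 3 and 4 above, as an added PowerShell example that is not part of the original post: it lists the SQL services with the account each one logs on as, flags those running under a user account, and queries the Kerberos SPNs registered for this host. It assumes PowerShell 3.0 or later, a domain-joined host where `setspn` is available, and that the SQL services match the name patterns `MSSQL%` and `SQL%`.

```powershell
# Added example: read-only audit, changes nothing on the server.
# Assumption: run from an elevated PowerShell 3.0+ session on the SQL Server host.

# Built-in service identities; anything else is treated as a user account.
# (-contains is case-insensitive, so 'NT AUTHORITY\NETWORK SERVICE' also matches.)
$builtIn = @(
    'LocalSystem',
    'NT AUTHORITY\NetworkService',
    'NT AUTHORITY\Network Service',
    'NT AUTHORITY\LocalService',
    'NT AUTHORITY\Local Service'
)

# Assumed name patterns: MSSQLSERVER, MSSQL$<instance>, SQLSERVERAGENT, SQLBrowser, ...
$services = Get-CimInstance -ClassName Win32_Service `
    -Filter "Name LIKE 'MSSQL%' OR Name LIKE 'SQL%'"

$report = foreach ($svc in $services) {
    # Virtual accounts (NT SERVICE\...) are also not user accounts.
    $isBuiltIn = ($builtIn -contains $svc.StartName) -or
                 ($svc.StartName -like 'NT SERVICE\*')
    [pscustomobject]@{
        Service     = $svc.Name
        State       = $svc.State
        LogOnAs     = $svc.StartName      # the "Log on as" column in the Services console
        UserAccount = -not $isBuiltIn     # True = candidate for the fix described above
    }
}
$report | Sort-Object Service | Format-Table -AutoSize

# Kerberos needs an MSSQLSvc SPN for this host. List what is registered in the
# domain and which account holds it; -Q only queries, it never writes.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
setspn -Q "MSSQLSvc/$fqdn*"

# For each service still running as a user account, show the SPNs that account holds.
foreach ($row in $report | Where-Object { $_.UserAccount }) {
    Write-Host "SPNs registered to $($row.LogOnAs):"
    setspn -L $row.LogOnAs
}
```

Run it before and after changing the logon account: the `LogOnAs` column should change, and the `setspn -Q` output shows which account currently holds the SPN.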

Some extra technical details about my setup:

  • The SQL Server was already set up to accept remote connections
  • The Windows Firewall was already set up to accept incoming SQL requests
  • The SQL Server was configured to accept incoming TCP requests

4 Responses to SQL Server 2008 “Can’t Generate SSPI Context” error on remote connection

  1. fakhteh says:

    I did all you mentioned but am still getting that error.

  2. vasu says:

    Thanks

  3. col says:

    If you need to run the SQL Server service under a domain account but are getting this error you can:
    (1) Temporarily add your SQL Server service account to Domain Admins
    (2) Restart the SQL Server services on your server
    This will allow the SPN to be created.
    (3) Remove the SQL Server service from Domain Admins.
    You should now be able to connect even when SQL Server is restarted as the SPN is only created once.

  4. Brittny says:

    Heya! I hope you do not mind but I decided to submit your site: http://kamivaniea.com/?p=295 to
    my on-line directory. I used, “SQL Server 2008
