Kerberos, SPNs, and the Dreaded “Cannot Generate SSPI Context” Error

Randy Knight

Whether you’re a SysAdmin, DBA, developer, or even an end user, if you’ve been working with SQL Server for any length of time, you’ve likely seen the error “Cannot Generate SSPI Context” when trying to connect using Windows Integrated Authentication. It may be intermittent, affecting only certain users or computers, or it could be widespread. Either way, it is not a particularly user-friendly or intuitive error. Additionally, too many applications default to standard authentication because it’s “easy” and has fewer moving parts and fewer things to go wrong. However, it is also inherently insecure, particularly when care is not taken to store passwords in a secure location such as Azure Key Vault.

In this demo-heavy session, we will dive into the internals of Active Directory Integrated Authentication, Kerberos, and how SQL Server uses it. We’ll look at Service Principal Names (SPNs), how they are created and managed, and what can go wrong. The Kerberos “double-hop” scenario will be explained, along with how to configure the environment to support multi-hop scenarios such as linked servers using impersonation.

Tools such as the Microsoft Kerberos Authentication Manager, setspn.exe, and dbatools PowerShell commands will be used to troubleshoot and configure the environment. Attendees will walk away with a set of tools and scripts for working with Kerberos in SQL Server.
