Have you ever run into an SSPI error in SQL Server Management Studio (SSMS)? In this blog entry, we will show you 2 ways you can fix your SSPI error in SQL Server.

SSPI Error:

Cannot connect.
The target principal name is incorrect. Cannot generate SSPI context

Details

A user with sysadmin-level rights on the SQL Server instance is unable to connect to the instance when connecting from a Windows Server 2008 or Windows 7 client.

The user receives the above error.

When connecting directly on the server, the user is able to connect to the SQL Server instance.

Problem

Power users often belong to many groups in Active Directory to control access to system resources. Each group the user belongs to must also be sent along with the authentication token during the authentication process. The default value for MaxTokenSize is 12,000 bytes. These groups add to the overall size of the token, and when a user belongs to several groups, the size of the token exceeds 12,000 bytes.

Solution 1
Reduce the number of groups the user belongs to.

Solution 2
On all systems that are involved in the authentication process, modify the registry value for MaxTokenSize as follows:

  1. Start Registry Editor (Regedt32.exe)
  2. Locate and click the following key in the registry:
    System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
  3. If this key is not present, create the key. To do so:
    1. Click the following key in the registry:
      System\CurrentControlSet\Control\Lsa\Kerberos
    2. On the Edit menu, click Add Key.
    3. Create a Parameters key.
    4. Click the new Parameters key.
  4. On the Edit menu, click Add Value, and then add the following registry value:
    Value name: MaxTokenSize
    Data type: REG_DWORD
    Radix: Decimal
    Value data: 48000
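
The registry change in Solution 2 can also be audited and applied from PowerShell. The script below is an added example, not part of the original post: it assumes an elevated session and that the key sits under HKEY_LOCAL_MACHINE, and the function names Get-MaxTokenSize and Set-MaxTokenSize are hypothetical helpers.

```powershell
# Added example: audit and set the Kerberos MaxTokenSize value from Solution 2.
# Assumptions: elevated session; key path is under HKEY_LOCAL_MACHINE.
$KeyPath   = 'HKLM:\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$ValueName = 'MaxTokenSize'
$Target    = 48000   # value data given in Solution 2

function Get-MaxTokenSize {
    # Returns the configured value, or $null when the key or value is absent
    # (in that case the operating system default applies).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]($item.$ValueName)
}

function Set-MaxTokenSize {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([int]$Size = $Target)

    # Step 3 of the procedure: create the Parameters key if it is missing.
    if (-not (Test-Path -Path $KeyPath)) {
        if ($PSCmdlet.ShouldProcess($KeyPath, 'Create registry key')) {
            New-Item -Path $KeyPath -Force | Out-Null
        }
    }
    # Step 4: add MaxTokenSize as a REG_DWORD with the decimal value.
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", "Set DWORD to $Size")) {
        New-ItemProperty -Path $KeyPath -Name $ValueName `
            -PropertyType DWord -Value $Size -Force | Out-Null
    }
}

# Number of group SIDs in the current user's token (the cause described under Problem).
$groupCount = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups.Count
Write-Output "Group SIDs in current token: $groupCount"

$current = Get-MaxTokenSize
if ($null -eq $current) {
    Write-Output 'MaxTokenSize is not set; the OS default is in use.'
} else {
    Write-Output "MaxTokenSize is currently $current."
}

if ($current -ne $Target) {
    # Preview only. Remove -WhatIf to write the value, then restart the
    # computer so that the new value takes effect.
    Set-MaxTokenSize -WhatIf
}
```

Run it on each system involved in the authentication process; the group count gives a quick indication of whether Solution 1 is worth pursuing for that account.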