Any user trying to connect remotely to SQL Server using SSMS would get the “Cannot Generate SSPI Context” error. Since this was happening in a production environment, we decided to help the customer by providing him detailed information about what was happening and how it could be fixed.
Register Service Account with Active Directory
The account that the SQL Server service runs under needs to be registered with Active Directory in the Windows domain. In many cases, we have also seen customers enable delegation for multi-tier applications. This makes it a little challenging to troubleshoot.
Install Kerberos Configuration Manager to fix “Cannot Generate SSPI Context”
Kerberos authentication is a secure way to authenticate client machines with service accounts on a domain network. To resolve “Cannot Generate SSPI Context”, you will need to register the service account in your Active Directory.
To simplify this, you can download Kerberos Configuration Manager for SQL Server to troubleshoot the “Cannot Generate SSPI Context” error. This tool is provided by Microsoft and can be downloaded for free.
After installing the tool, select Connect from the menu to connect to a remote server by providing the server name, username and password. If you are troubleshooting a local server, you don’t need to provide a username or password. The tool will help identify all errors related to “Cannot Generate SSPI Context” for SQL Server, Analysis Services, Reporting Services or Integration Services.
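Registering the service account means registering the service principal names (SPNs) for the instance on that account, and this can also be checked by hand with the built-in setspn utility from a domain-joined machine. The PowerShell below is an added example, not part of the original post or of Kerberos Configuration Manager; the host name, port and service account are placeholders, and it assumes a default instance.

```powershell
# Added example: audit the SPNs Kerberos needs for a SQL Server default instance.
# All three parameter defaults are placeholders (assumptions), not values from the post.
param(
    [string]$SqlHost        = 'sqlprod01.corp.example.com',  # placeholder FQDN
    [int]   $Port           = 1433,                          # default instance TCP port
    [string]$ServiceAccount = 'CORP\svc-sql'                 # placeholder service account
)

# SPNs a client may request for a default instance: with the TCP port and without it.
$expected = @("MSSQLSvc/${SqlHost}:$Port", "MSSQLSvc/$SqlHost")

# SPNs currently registered on the service account (setspn -L lists them, indented).
$registered = setspn -L $ServiceAccount |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -like 'MSSQLSvc/*' }

foreach ($spn in $expected) {
    if ($registered -contains $spn) {
        Write-Output "OK        $spn is registered on $ServiceAccount"
    } else {
        Write-Output "MISSING   $spn"
        # Registration needs rights to write servicePrincipalName on the account.
        Write-Output "          to register: setspn -S $spn $ServiceAccount"
    }

    # An SPN held by more than one account also breaks Kerberos for that service.
    # setspn -Q searches the domain and prints the DN of every account holding the SPN.
    $holders = @(setspn -Q $spn | Where-Object { $_ -match '^CN=' })
    if ($holders.Count -gt 1) {
        Write-Output "DUPLICATE $spn is held by:"
        $holders | ForEach-Object { Write-Output "          $_" }
    }
}
```

The script only reads from the directory; the `setspn -S` command it prints is left for an administrator to run after confirming the account is the one the service actually runs under.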
In some cases, we have also observed that changes to security settings have helped solve this error:
- Change security setting to Off:
- Enable the RC4_HMAC_MD5 encryption type
- After making this change, restart the SQL Server services for the changes to take effect.