Cannot generate SSPI context

  • Question

  • Is it possible to connect to SQLExpress over the Internet (TCP/IP) using Windows Authentication? I can connect using SQL Authentication but the client would rather use Windows Authentication to avoid managing another set of user names and passwords.

    I have tried connecting with a workstation using cached credentials but I just receive an error "Cannot generate SSPI context".


    • Moved by Bob Beauchemin Thursday, October 11, 2012 3:31 PM Moving to a more appropriate forum for best results (From:.NET Framework inside SQL Server)
    Thursday, October 11, 2012 11:35 AM

Answers

  • Hi Kevin,

    Your client would need to open up 'windows' ports on their server in order to get windows auth to work (i.e. SMB and other ports, including Kerberos, etc.).

    Typically, this is the WORST possible move to do on a web facing server, it effectively puts the server 'out' on the internet. Yes, Windows Authentication IS more secure than SQL Server auth, but when you put your server 'out' like that on the internet, then you're exposing it to hackers who may stumble across it and attempt to brute-force their way on to the box. Even if they don't succeed, they may DOS the box with all of the traffic.

    In other words, YES, you can use windows authentication on the "internet" but that requires your server to therefore be on the "internet" - i.e. it's no longer effectively behind a firewall and in your 'LAN' it's just 'out' and ready to be hacked.

    If you really need more security than what SQL Server auth provides (which can be made pretty secure using pass phrases instead of passwords (like "When will the world end, I wonder?")), then maybe look at getting a VPN.

    Best Regards,
    Iric

    • Marked as answer by kevin gray123 Sunday, October 14, 2012 1:34 PM
    Friday, October 12, 2012 5:45 AM

All replies

  • Hi

    What do you mean by 'over internet'? Are client and server in the same domain and you are using VPN or some other way?

    This link http://support.microsoft.com/kb/811889 may help you.


    everything is a matter of probability...


    Thursday, October 11, 2012 11:51 AM
  • Are client & server in domain or you are trying to connect over VPN?

    Check SQL Server error log for login failure error details. Share the complete login failure message.

    SSPI error can have several reasons.


    Regards,
    Rohit Garg


    • Edited by RohitGarg Thursday, October 11, 2012 7:00 PM
    Thursday, October 11, 2012 6:58 PM