The target principal name is incorrect. Cannot generate SSPI context. (.Net SqlClient Data Provider) RRS feed

  • Question

  • Dear All,

    We were encountering issue that we cannot connect remotely to the SQL server hosted in 

    another location but a trusted domain. The configuration are as follows

    Current Production Setup:

    Server A

    Location: Cloud

    Hostname: MYSQLPRD

    Domain: domain.local

    IP Address:

    SQL Service Account: domain\servicesql

    Server B

    Location: <onprem two-way trusted domain>

    Hostname: THEMSQL02

    Domain: ra.themdomain.com

    IP Address:,49414

    SQL Service Account: themdomain\serviceaccount

    Issue: When launching a SQL Management studio from Server B to connect remotely to Server A is successful. While connecting from Server A to Server B is not successful.

    The error is “The target principal name is incorrect. Cannot generate SSPI context (Microsoft SQL server)” 

    Initial Assessment

    The domain trust will not be regarded as an issue since domain trust is both two ways. The error “Cannot generate SSPI context” is generated when it is not able to complete the necessary authentication.

    Server A SQL service is running on domain\servicesql while Server B SQL service is running on themdomain\serviceaccount

    which is authenticating in two different domains.

    In trying to connect remotely using either account will only be successful if the server and the account resides in the same domain.

    Question: How to resolve this issue using the service account in  each domain. Each of those account has been provided the sa permission in each SQL server.

    Note: Also I can telnet in either direction using the SQL port configured.

    • Edited by TotoyBeebo Monday, August 21, 2017 11:41 PM
    Monday, August 21, 2017 11:35 PM

All replies

  • I have gone through this step


    But still not sucessfull

    Tuesday, August 22, 2017 12:04 AM
  • Hi TotoyBeebo,

    Please correct me if I’m wrong:

    >>I have gone through this step ….. But still not successful

    Does that mean you have verified DNS resolution(ping and ping -a) and SPN registration/duplication and they are all good? If so, I’d suggest you enable Kerberos logging on the client machine first see if you could see any Kerberos related errors in System log. 

    If you have any other questions, please let me know.


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Tuesday, August 22, 2017 5:14 AM
  • Hi Lin,

    Here is the error after enabling the logging

    A Kerberos error message was received:
     on logon session domain\servicesql
     Client Time: 
     Server Time: <removed>
     Error Code: 0x19 KDC_ERR_PREAUTH_REQUIRED
     Extended Error: 
     Client Realm: 
     Client Name: 
     Server Realm: domain
     Server Name: krbtgt/domain
     Target Name: krbtgt/domain@domain
     Error Text: 
     File: e
     Line: d3f
     Error Data is in record data.

    Any thoughts?



    Wednesday, August 23, 2017 1:29 AM
  • Is that possible the account  is locked?

    Best Regards,Uri Dimant SQL Server MVP, http://sqlblog.com/blogs/uri_dimant/

    MS SQL optimization: MS SQL Development and Optimization
    MS SQL Consulting: Large scale of database and data cleansing
    Remote DBA Services: Improves MS SQL Database Performance
    SQL Server Integration Services: Business Intelligence

    Tuesday, August 29, 2017 5:13 AM