Sql-server – The SQL Server Network Interface library could not register the Service Principal Name (SPN)

sql serversql server 2014

Windows return code: 0x21c7, state: 15. Failure to register a SPN
might cause integrated authentication to use NTLM instead of Kerberos.
This is an informational message. Further action is only required if
Kerberos authentication is required by authentication policies and if
the SPN has not been manually registered.

I am getting above error whenever I restart my SQL service. I changed it from current service account to local account and was able to connect to SSMS from local machine, but if I am using current service account then this error is coming and in SSMS the error is :

The target principal name is incorrect. Cannot generate SSPI context.

The password is not changed for this service account.

Best Answer

You specifically get error "0x21c7, state: 15" when an attempt is made to register the SPN which already exists, but possibly under different account.

When you run SQL Service under local system account, an SPN is registered under the Computer Object in AD. You can confirm from below:

setspn -l ComputerName

In above results, If you see any SPNs for MSSQLSvc then they need to be dropped with below commands on AD (You need to have Domain Admin permissions for this) so that you can then register SPN under new Service account:

setspn -d MSSQLSvc/FQDN:XXXXXXXXXX ComputerName

Once the above is done, restart SQL Service under the Service Account adn it should successfully register the SPN under the new Service account and you will be able to confirm by running the below command:

setspn -l DomainName\LoginName

Reference: http://www.b-blog.info/en/changing-service-account-for-ms-sql-server-2012-and-the-following-issues.html

You could also use Microsoft Kerberos Configuration Manager for SQL Server to automatically detect and fix such SPN Issues:

https://blogs.msdn.microsoft.com/farukcelik/2013/05/21/new-tool-microsoft-kerberos-configuration-manager-for-sql-server-is-ready-to-resolve-your-kerberosconnectivity-issues/

Related Solutions

Sql-server – The SQL Server Network Interface library could not deregister the Service Principal Name

I ran in to same issue and I wander for about hours to fix it, finally I ended up repairing the existing database server 2016.

download SQL Server Installation setup package from this link: SQL Server 2016_x64_ENU Go to setup.exe >> Maintenance >> Repair

While repairing, error prompted saying it could not restart the servers, yu can cancel that and let the repair finish. Once finished, start the SQL Servers

Right click on start and go to Computer Management >> Services and Applications >> SQL Server Configuration Manager >> SQL Server Services >> right click on all the servers and hit on start.

This fixed my issue and was back on track. I am still looking for a better answer on why or what can cause that but for now, here's the fix!

Good luck guys!

Sql-server – Cannot register SPN, error 0x80090350, state 4

The error message you're seeing, 0x80090350, is defined as:

c:\util\Err>err 0x80090350

# for hex 0x80090350 / decimal -2146892976 :
  SEC_E_DOWNGRADE_DETECTED                                        winerror.h
# The system detected a possible attempt to compromise
# security.  Please ensure that you can contact the server
# that authenticated you.
# 1 matches found for "0x80090350"

I'm looking this up with the Exchange Error Lookup Tool.

According to the information in this post, this error is often caused by the MaxTokenSize issue caused by an account (indirectly or directly) being a member of a large number of groups.

Another possibility I'd consider is that a duplicate SPN exists. You can determine which SPNs Windows thinks are duplicates by running setspn -X -F (info here).

Best Answer

Related Solutions

Sql-server – The SQL Server Network Interface library could not deregister the Service Principal Name

Sql-server – Cannot register SPN, error 0x80090350, state 4

Related Question