Explicit misplaced SPN problem in SQL Server
This article helps you resolve a SQL Server consistent authentication problem that affects the explicit misplaced Service Principal Name (SPN).
Symptoms
If the SPN that you specify in the connection string exists on a service account that's not used by Microsoft SQL Server, you receive a Security Support Provider Interface (SSPI) context error message.
If the SPN isn't registered correctly, you might receive the following error message:
The target principal name is incorrect. Cannot generate SSPI context.
If you try to create an SPN that already exists, you receive the following error message:
Duplicate SPN found, aborting operation!
Cause
The explicit misplaced SPNs can cause issues in Kerberos authentication and prevent clients from connecting to the service.
Resolution
If you are experiencing explicit misplaced SPNs, you might have to create or re-create the SPN for the service. To create or re-create the SPN by using the SETSPN command, follow these steps:
- Run the
SETSPN -L domain\svcacctcommand to list SPNs on the SQL Server service account. - Run the
SETSPN -Q spnNamecommand to learn which service account the SPN is registered on. - Run the
SETSPN -Dcommand to remove the SPN from the service. - Run the
SETSPN -Acommand to add the SPN to the service. - Move the SPN by using
SETSPN -D, or select an SPN that already exists in the correct account.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for