Local security subsystem errors in SQL Server
This article helps you resolve a consistent authentication issue when connecting to SQL Server that's related to an unresponsive Local Security Authority Subsystem Service (LSASS).
Symptoms
You might experience security subsystem issues related to LSASS. The Windows authentication driver might show the "The login is from an untrusted domain and can't be used with Windows authentication" error message.
Check whether the Microsoft SQL Server error log shows the following entries:
SSPI handshake failed with error code 0x80090311, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure.
SSPI handshake failed with error code 0x80090304, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure.
You might also see Kerberos errors in the system event log on the server that's running SQL Server during the same time range. The error code that follows indicates:
Error - 2146893039 (0x80090311): No authority could be contacted for authentication.
Cause
These errors occur when the LSASS stops responding.
Resolution
To resolve the LSASS errors, follow these steps:
Check whether your Service Principal Name (SPN) is registered correctly on the domain controller (DC).
Use the
setspn -Qorsetspn -Lcommand to query your SPN and SPNs, respectively, in your account.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for