Wednesday, December 7, 2011

Cannot generate SSPI context

It`s quite common (here in Norway) that some local hero have installed the Windows Server when the organization/company is really small (1-5 employees).
The thing I want to address is that when they do this, they normally install the Active Directory Domain Services role – along with DNS server.

What about the DHCP role?

Nope. They already got some internet connection delivered by their ISP, so the clients are already connected to the internet.

Brilliant, right?

For all the other natural causes that I could use as arguments against this setup, I`d rather want to mention a common error message that appear when they run their LOB applications that uses Microsoft SQL server for their databases.

“Cannot generate SSPI context”

This error message occurs on clients attempting to connect to a SQL Server on the network.

And this message is purely related to DNS.

When you have an Active Directory domain and the clients are using the “wrong” DNS, which in these cases is the router/firewall (default gateway) or an external DNS, they cannot use name lookups to verify the server name.
In short, the DNS server from their ISP have very little knowledge of the server who is responsible for their databases on their local area network.
Conclusion: If you`re running an Active Directory domain, whether you have one employee or 15, please use your internal DNS server so that name lookups and other AD-related stuff may occur.  

No comments: