• Arun Nukula

The target principal name is incorrect. Cannot generate SSPI context

Updated: Aug 1, 2019

We recently stumbled upon an issue where database server had to be restored a date where it was working as expected after patching somehow screwed it up.


Admins were able to connect to that server which was hosting vRA's IAAS database and take a backup of it


After Server and DB was restored , IaaS service under VAMI wasn't coming back to "REGISTERED" state


When we browse to component registry , we get following exception


</serviceStatus>

<serviceStatus serviceId="5a3f7b9a-8d02-4069-b0f4-afd68679657b" serviceName="iaas-service" serviceTypeId="com.vmware.csp.iaas.blueprint.service" notAvailable="true" unregisterDenied="true">

<lastUpdated>2019-07-25T11:16:25.042+08:00</lastUpdated>

<statusEndPointUrl>https://vra-web/WAPI/api/status</statusEndPointUrl>

<serviceStatus>

<errorMessage>

Exception during remote status retrieval for url: https://vra-web/WAPI/api/status. Error Message 500 Internal Server Error.

</errorMessage>

<initialized>false</initialized>

</serviceStatus>

</serviceStatus>


We did verify ManagerService.exe.config , Web.config and [<<databasename>>].[DynamicOps.RepositoryModel].[Models] . The configuration was set correctly.


Verifying exceptions under ManagerService/All.log



[UTC:2019-07-25 07:09:01 Local:2019-07-25 15:09:01] [Error]: [sub-thread-Id="6" context="" token=""] Failed to ping the database. Details: System.Data.SqlClient.SqlException (0x80131904): The target principal name is incorrect. Cannot generate SSPI context.

at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)

at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)

at System.Data.SqlClient.TdsParser.ProcessSSPI(Int32 receivedLength)

at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)

at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)

at System.Data.SqlClient.SqlInternalConnectionTds.CompleteLogin(Boolean enlistOK)

at System.Data.SqlClient.SqlInternalConnectionTds.AttemptOneLogin(ServerInfo serverInfo, String newPassword, SecureString newSecurePassword, Boolean ignoreSniOpenTimeout, TimeoutTimer timeout, Boolean withFailover)


The "Cannot generate SSPI context" error is generated when SSPI uses Kerberos authentication to delegate over TCP/IP and Kerberos authentication cannot complete the necessary operations to successfully delegate the user security token to the destination computer that is running SQL Server.


This gave us a clue that there might be a trust issue between the SQL server and the domain it's part of


Verifying Group and User memberships confirmed this to us , yea the relationship was broken. AD account login to SSMS and the server itself was broken.



As remediation task , we had to remove the node and then bring it back to the domain.


Post that AD login to SSMS and the IaaS service was immediately registered


1,078 views

Recent Posts

See All

Subscribe Now

  • Twitter
  • Facebook Social Icon

Copyright © 2019 nukescloud