我們服務器最近遇到很多 SSPI handshake failed,從SQL Server的錯誤日志可以看到這些錯誤的詳細信息:
2016-02-07 12:44:22.81 Logon Error: 17806, Severity: 20, State: 14.
2016-02-07 12:44:22.81 Logon SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure. The logon attempt failed [CLIENT: x.x.x.x]
2016-02-07 12:44:22.81 Logon Error: 18452, Severity: 14, State: 1.
2016-02-07 12:44:22.81 Logon Login failed. The login is from an untrusted domain and cannot be used with Windows authentication. [CLIENT: x.x.x.x]
SSPI(Security Support Provider Interface)是transport-level 應用程序(比如,Microsoft Remote Procedure Call ,RPC)和安全提供程序(比如,Windows Distributed Security)之間的接口,SSPI允許傳輸應用程序調用安全提供程序來獲取經過安全驗證的連接。
在具有可信任連接的Windows 身份驗證的連接字符串中,通常使用以下參數:
Integrated Security=SSPI
關於SSPI錯誤通常有兩個:
- Cannot generate SSPI context :當客戶端嘗試進行Kerberos身份驗證時,通常或收到此錯誤
- SSPI Handshake Failed:用戶沒有通過身份驗證
在當前的問題中,我們遇到“SSPI handshake failed”,這表明SQL Server無法驗證用戶。
為了進一步調試錯誤,我們在出現問題的時候在Windows的事件查看器(Event Viewer)中查看了安全日志,
SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The operating system error code indicates the cause of failure. The logon attempt failed [CLIENT: x.x.x.x]
我們從SQL Server的錯誤日志獲得了同樣的錯誤:
Login failed. The login is from an untrusted domain and cannot be used with Windows authentication
出現此問題的原因是:有一個Login視圖通過“SQLClient”來連接SQL Server,但是因為因為沒有授權,登錄失敗。
解決方法是授權該Login相應的權限,使其有權限訪問SQL Server。
在解決SSPI Handshake Failed的錯誤時,需要仔細檢查時間查看器的Security Log和SQL Server的錯誤日志,它們可以提供大量有用的信息。
參考文檔: