SSPI handshake failed with error code 0x8009030c
我们服务器最近遇到很多 SSPI handshake failed,从SQL Server的错误日志可以看到这些错误的详细信息:
2016-02-07 12:44:22.81 Logon Error: 17806, Severity: 20, State: 14.
2016-02-07 12:44:22.81 Logon SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure. The logon attempt failed [CLIENT: x.x.x.x]
2016-02-07 12:44:22.81 Logon Error: 18452, Severity: 14, State: 1.
2016-02-07 12:44:22.81 Logon Login failed. The login is from an untrusted domain and cannot be used with Windows authentication. [CLIENT: x.x.x.x]
SSPI(Security Support Provider Interface)是transport-level 应用程序(比如,Microsoft Remote Procedure Call ,RPC)和安全提供程序(比如,Windows Distributed Security)之间的接口,SSPI允许传输应用程序调用安全提供程序来获取经过安全验证的连接。
在具有可信任连接的Windows 身份验证的连接字符串中,通常使用以下参数:
Integrated Security=SSPI
关于SSPI错误通常有两个:
- Cannot generate SSPI context :当客户端尝试进行Kerberos身份验证时,通常或收到此错误
- SSPI Handshake Failed:用户没有通过身份验证
在当前的问题中,我们遇到“SSPI handshake failed”,这表明SQL Server无法验证用户。
为了进一步调试错误,我们在出现问题的时候在Windows的事件查看器(Event Viewer)中查看了安全日志,
SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The operating system error code indicates the cause of failure. The logon attempt failed [CLIENT: x.x.x.x]
我们从SQL Server的错误日志获得了同样的错误:
Login failed. The login is from an untrusted domain and cannot be used with Windows authentication
出现此问题的原因是:有一个Login视图通过“SQLClient”来连接SQL Server,但是因为因为没有授权,登录失败。
解决方法是授权该Login相应的权限,使其有权限访问SQL Server。
在解决SSPI Handshake Failed的错误时,需要仔细检查时间查看器的Security Log和SQL Server的错误日志,它们可以提供大量有用的信息。
参考文档: