SSPI handshake failed with error code 0x8009030c

我们服务器最近遇到很多 SSPI handshake failed,从SQL Server的错误日志可以看到这些错误的详细信息:

2016-02-07 12:44:22.81 Logon       Error: 17806, Severity: 20, State: 14.
2016-02-07 12:44:22.81 Logon       SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure. The logon attempt failed   [CLIENT: x.x.x.x]
2016-02-07 12:44:22.81 Logon       Error: 18452, Severity: 14, State: 1.
2016-02-07 12:44:22.81 Logon       Login failed. The login is from an untrusted domain and cannot be used with Windows authentication. [CLIENT: x.x.x.x]

SSPI(Security Support Provider Interface)是transport-level 应用程序(比如,Microsoft Remote Procedure Call ,RPC)和安全提供程序(比如,Windows Distributed Security)之间的接口,SSPI允许传输应用程序调用安全提供程序来获取经过安全验证的连接。

在具有可信任连接的Windows 身份验证的连接字符串中,通常使用以下参数:

Integrated Security=SSPI

关于SSPI错误通常有两个:

  • Cannot generate SSPI context :当客户端尝试进行Kerberos身份验证时,通常或收到此错误
  • SSPI Handshake Failed:用户没有通过身份验证

在当前的问题中,我们遇到“SSPI handshake failed”,这表明SQL Server无法验证用户。

为了进一步调试错误,我们在出现问题的时候在Windows的事件查看器(Event Viewer)中查看了安全日志,

SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The operating system error code indicates the cause of failure. The logon attempt failed   [CLIENT: x.x.x.x]

我们从SQL Server的错误日志获得了同样的错误:

Login failed. The login is from an untrusted domain and cannot be used with Windows authentication

出现此问题的原因是:有一个Login视图通过“SQLClient”来连接SQL Server,但是因为因为没有授权,登录失败。

解决方法是授权该Login相应的权限,使其有权限访问SQL Server。

在解决SSPI Handshake Failed的错误时,需要仔细检查时间查看器的Security Log和SQL Server的错误日志,它们可以提供大量有用的信息。

 

 

参考文档:

Common ‘SSPI handshake failed’ errors and troubleshooting

posted @ 2020-12-04 11:10  悦光阴  阅读(1314)  评论(0编辑  收藏  举报