Skip to content

Latest commit

 

History

History
43 lines (26 loc) · 2.16 KB

local-security-subsystem-errors.md

File metadata and controls

43 lines (26 loc) · 2.16 KB
title description ms.date author ms.author ms.reviewer ms.custom
Errors in the local security subsystem in SQL Server
This article addresses SQL Server consistent authentication issues related to the local security subsystem.
03/26/2024
Malcolm-Stewart
mastewa
jopilov, haiyingyu, prmadhes, v-jayaramanp
sap:Database Connectivity and Authentication

Local security subsystem errors in SQL Server

This article helps you resolve a consistent authentication issue when connecting to SQL Server that's related to an unresponsive Local Security Authority Subsystem Service (LSASS).

Symptoms

You might experience security subsystem issues related to LSASS. The Windows authentication driver might show the "The login is from an untrusted domain and can't be used with Windows authentication" error message.

Check whether the Microsoft SQL Server error log shows the following entries:

SSPI handshake failed with error code 0x80090311, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure.

SSPI handshake failed with error code 0x80090304, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure.

You might also see Kerberos errors in the system event log on the server that's running SQL Server during the same time range. The error code that follows indicates:

Error - 2146893039 (0x80090311): No authority could be contacted for authentication.

Cause

These errors occur when the LSASS stops responding.

Resolution

To resolve the LSASS errors, follow these steps:

  1. Check whether your Service Principal Name (SPN) is registered correctly on the domain controller (DC).

  2. Use the setspn -Q or setspn -L command to query your SPN and SPNs, respectively, in your account.

More information

Consistent authentication issues in SQL Server