There are three different ways to solve this issue.
- Register SPN
- Delegation
- If this error occurs in Visual Studio or after hosting in IIS: IIS setting
Register SPN
A Service Principal Name (SPN) must be registered for the SQL Server service account (when the local system account will not be used) to allow clients to identify and authenticate the service using Kerberos authentication.
setspn -A MSSQLSvc/<SQL Server FQDN>:1433 <Domain\Account>
Verify the SPNs registered for the domain user account:
setspn -l <Domain\Account>
Example:
setspn -A MSSQLSvc/computerName.cloud.s1au.org:1433 cloud\admin
https://technet.microsoft.com/en-in/library/bb735885.aspx
Delegation
- Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
- Expand domain, and then expand the Computers folder.
- In the right pane, right-click the computer name for the Web server, select Properties, and then click the Delegation tab.
- Click to select Trust this computer for delegation to specified services only.
- Ensure that Use Kerberos only is selected, and then click OK.
- Click the Add button. In the Add Services dialog box, click Users or Computers, and then browse to or type the name of the Microsoft SQL server that has the App-V data store and is to receive the user's credentials from IIS. Click OK.
- In the Available Services list, select the MSSQLSvc service that lists the port number on which the Microsoft SQL Server is accepting connections for the App-V database (the default port is 1433). Click OK.
- In the Users folder, right-click the user account, and then click Properties.
- In the user account properties dialog box, click the Account tab.
- Under Account Options, click to select the Account is Trusted for Delegation check box. Make sure that the Account is sensitive and cannot be delegated check box is cleared for this account.
Note: The 'Account is trusted for delegation' right is required for the SQL Server service account only when you are delegating credentials from the target SQL server to a remote SQL server, such as in a double-hop scenario like distributed queries (linked server queries) that use Windows authentication.
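To confirm the result of the Register SPN and Delegation steps above without clicking through the dialogs, the same settings can be read back with the ActiveDirectory PowerShell module. This is an added example, not part of the original article: the function name Test-SqlKerberosDelegation is hypothetical and WEBSERVER01 is a placeholder for your IIS server's computer name.

```powershell
# Added example: read-only audit of the SPN and delegation settings described above.
# Requires the ActiveDirectory module (RSAT). It changes nothing in the directory.
Import-Module ActiveDirectory

function Test-SqlKerberosDelegation {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$ServiceAccount,  # SQL Server service account
        [Parameter(Mandatory)][string]$WebServer,       # IIS computer account
        [Parameter(Mandatory)][string]$Spn              # MSSQLSvc/<FQDN>:<port>
    )
    $svcProps = 'servicePrincipalName', 'TrustedForDelegation', 'AccountNotDelegated'
    $webProps = 'msDS-AllowedToDelegateTo', 'TrustedForDelegation', 'TrustedToAuthForDelegation'
    $svc = Get-ADUser     -Identity $ServiceAccount -Properties $svcProps
    $web = Get-ADComputer -Identity $WebServer      -Properties $webProps

    # An SPN must map to exactly one account; duplicates break Kerberos authentication.
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)")

    [pscustomobject]@{
        # SPN is registered on the service account (the setspn -A step)
        SpnOnServiceAccount    = $svc.servicePrincipalName -contains $Spn
        # Should be 1 after the steps above
        SpnOwnerCount          = $owners.Count
        # Web server is allowed to delegate to this SPN ("specified services only")
        WebDelegatesToSpn      = $web.'msDS-AllowedToDelegateTo' -contains $Spn
        # Should be False when "Use Kerberos only" is selected
        WebProtocolTransition  = [bool]$web.TrustedToAuthForDelegation
        # Unconstrained delegation on the web server; should be False
        WebUnconstrained       = [bool]$web.TrustedForDelegation
        # "Account is trusted for delegation"; needed only for the double-hop case in the note
        SvcUnconstrained       = [bool]$svc.TrustedForDelegation
        # "Account is sensitive and cannot be delegated"; the steps above leave it cleared
        SvcSensitiveNoDelegate = [bool]$svc.AccountNotDelegated
    }
}

# Account and SPN are taken from the article's example; WEBSERVER01 is made up.
Test-SqlKerberosDelegation -ServiceAccount 'admin' -WebServer 'WEBSERVER01' `
    -Spn 'MSSQLSvc/computerName.cloud.s1au.org:1433' | Format-List
```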
If this error occurs in Visual Studio or after hosting in IIS: IIS setting
- Check that your application pool identity user account has rights to the database. If not, create it.