I'm dealing with a frustrating issue connecting to an MSSQL server from a web server, both running on Windows 2025. The error I keep getting is "login is from an untrusted domain," even though both servers are on the same domain. I've checked firewall settings, confirmed that I can connect from other servers using my credentials, and verified the SPNs for the MSSQL service, which seem to be correctly configured. The SQL service runs as a gMSA, which has worked fine on other servers. I'm really stuck here—any advice on what to check or try next would be appreciated!
2 Answers
Have you tried running the command `setspn -L SERVERNAME` to check the registered SPNs for your server? It's crucial to ensure that the account running the MSSQL service has an SPN assigned. If it's a gMSA, it should already have the right SPNs set. You could try adding SPNs manually with `setspn -S MSSQLSvc/sql01.domain.com:1433 DOMAIN\servername$` and `setspn -S MSSQLSvc/sql01.domain.com DOMAIN\servername$`. Also, double-check if it's a default instance or named instance, as that affects what SPNs are needed.
That’s a bummer. Just be aware that if it’s a named instance, you might need additional SPNs specific to that instance. It can get a bit tricky!
Just a thought, do you happen to have a 2025 Domain Controller? I’ve heard about some compatibility issues with that version which might affect authentication.
Yes, there is a 2025 DC in the mix. I've heard similar things, and we’re supposed to be upgrading soon to resolve these kinds of issues. It'll be interesting to see if it helps!

Thanks for the tips! The gMSA account is indeed correctly running the MSSQLsvc, and the SPNs you mentioned are registered. The domain admin had to register them since I don't have permission to do that myself. Fingers crossed, I find something that helps with this issue!
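
Added example, not part of any post in this thread: a PowerShell check that builds the SPNs SQL Server expects for a default or named instance and reports whether each one is registered exactly once, on the account the service actually runs as (Kerberos needs the SPN on that account). The gMSA name `gmsa-sql$`, the function names and the sample registrations are hypothetical and constructed for illustration; `sql01.domain.com` is the host name used in the answer above.

```powershell
# Added example. Names and sample records are constructed, not taken from a real directory.
function Get-ExpectedSqlSpn {
    param(
        [Parameter(Mandatory)][string]$HostFqdn,
        [int]$Port = 1433,
        [string]$InstanceName            # leave empty for a default instance
    )
    # Every instance needs the host:port form.
    $spns = @("MSSQLSvc/${HostFqdn}:$Port")
    # Named instance: host:instancename. Default instance: host only.
    if ($InstanceName) { $spns += "MSSQLSvc/${HostFqdn}:$InstanceName" }
    else               { $spns += "MSSQLSvc/$HostFqdn" }
    $spns
}

function Test-SqlSpnOwner {
    param(
        [string[]]$ExpectedSpn,
        [string]$ServiceAccount,         # sAMAccountName the SQL service runs as
        [object[]]$Registration          # objects with Account and Spn properties
    )
    foreach ($spn in $ExpectedSpn) {
        # -eq and Sort-Object -Unique are case-insensitive, like SPN matching.
        $owners = @($Registration | Where-Object { $_.Spn -eq $spn } |
                    ForEach-Object { $_.Account } | Sort-Object -Unique)
        if     ($owners.Count -eq 0)            { $status = 'Missing' }
        elseif ($owners.Count -gt 1)            { $status = 'Duplicate' }
        elseif ($owners[0] -ne $ServiceAccount) { $status = 'WrongAccount' }
        else                                    { $status = 'OK' }
        [pscustomobject]@{ Spn = $spn; Owners = ($owners -join ', '); Status = $status }
    }
}

# Constructed sample: one SPN sits on the computer account instead of the gMSA.
$registered = @(
    [pscustomobject]@{ Account = 'sql01$';    Spn = 'MSSQLSvc/sql01.domain.com:1433' }
    [pscustomobject]@{ Account = 'gmsa-sql$'; Spn = 'MSSQLSvc/sql01.domain.com' }
)

$expected = Get-ExpectedSqlSpn -HostFqdn 'sql01.domain.com'
Test-SqlSpnOwner -ExpectedSpn $expected -ServiceAccount 'gmsa-sql$' -Registration $registered |
    Format-Table -AutoSize
```

To run it against the directory instead of the sample, build `$registered` from the account names that `setspn -Q <SPN>` reports for each expected SPN.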