[HP SIM] Systems Insight Manager stops working, database error 0x80090302.

This article is also published in English: http://www.cnblogs.com/LarryAtCNBlog/p/4153295.html

2015-04-20 update: found another case of SQL Server authentication failing, this time with a different SSPI error code.

SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure.  [CLIENT: xx.xx.xx.xx]. 

In this case the cause turned out to be the SQL Server Agent authenticating to the local instance under its own instance name rather than the computer name. By default, when Windows receives an NTLM authentication for a local service under a name that does not match the machine's own name, the LSA loopback check fails the handshake (0x8009030c is SEC_E_LOGON_DENIED). The check is a protection against NTLM reflection attacks on the local machine. KB 896861 gives two ways past it: list the extra host name in BackConnectionHostNames under the MSV1_0 subkey (the narrower fix), or tell LSA to skip the loopback check altogether, which is what the value below does; the change takes effect after a reboot.

https://support.microsoft.com/en-us/kb/896861

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Value: DisableLoopbackCheck
Data type: DWORD
Data: 1
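As an added example (not code from the original post or from HP), here is how I would inspect and change these settings from an elevated PowerShell prompt on the SQL Server host. Besides DisableLoopbackCheck it also shows the narrower alternative that KB 896861 lists as its first method, the BackConnectionHostNames multi-string under the MSV1_0 subkey, which exempts named hosts instead of switching the check off; the host name in the usage line is a hypothetical placeholder.

```powershell
# Added example, not part of the original post or of HP SIM.
# Assumes Windows PowerShell 5.1 or later on the SQL Server host, run from an
# elevated prompt. Registry locations are the ones given in KB 896861.
$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv10Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Get-LoopbackCheckState {
    # Report both knobs: the global switch and the per-name allow list.
    $lsa = Get-ItemProperty -Path $LsaKey   -ErrorAction SilentlyContinue
    $msv = Get-ItemProperty -Path $Msv10Key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DisableLoopbackCheck    = [int]($lsa.DisableLoopbackCheck)   # missing value -> 0, check enabled
        BackConnectionHostNames = @($msv.BackConnectionHostNames | Where-Object { $_ })
    }
}

function Add-BackConnectionHostName {
    # Narrow fix (KB 896861 method 1): exempt only the names that legitimately
    # loop back, e.g. a DNS alias or the SQL instance's own host name.
    param([Parameter(Mandatory)][string[]]$HostName)
    $current = @((Get-LoopbackCheckState).BackConnectionHostNames)
    $merged  = @($current + $HostName | ForEach-Object { $_.ToLower() } | Sort-Object -Unique)
    New-ItemProperty -Path $Msv10Key -Name 'BackConnectionHostNames' `
        -PropertyType MultiString -Value $merged -Force | Out-Null
    $merged
}

function Disable-LoopbackCheck {
    # Broad fix (KB 896861 method 2), the one used in the post above:
    # turns the reflection protection off for every name on this host.
    New-ItemProperty -Path $LsaKey -Name 'DisableLoopbackCheck' `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

# Usage:
#   Get-LoopbackCheckState
#   Add-BackConnectionHostName -HostName 'sqlalias.corp.example'   # hypothetical name
#   Disable-LoopbackCheck                                          # then reboot, as KB 896861 requires
```

Prefer Add-BackConnectionHostName when you know which name the agent presents: it keeps the loopback check active for every other name, whereas DisableLoopbackCheck removes the protection for the whole host.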


What is HP SIM? The SIM in this article is Systems Insight Manager, a central management web console that HP built for its own servers; its interface is shown below.

Its basic job is to discover the HP servers on the network and raise an alert when a server goes down or has a hardware problem.

This is the thing that broke: it suddenly became unreachable, even though the SIM service was still running in the background. The following errors appeared in the event log:

com.hp.mx.database.DbVerificationException: Error loading database verification handler 'com.hp.mx.database.MsSqlVerificationHandler'
com.hp.mx.database.DbVerificationException: Error accessing database
SSPI handshake failed with error code 0x80090302, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure.  [CLIENT: xxxxxxx]. 

The error screenshot is below.

MSSQLSERVER could be connected to normally with Management Studio and similar tools; ODBC also worked, and port 1433 was listening, but SIM alone could not connect. The answer was finally found at the following link:

http://h20564.www2.hp.com/hpsc/doc/public/display?docId=mmr_kc-0114705

According to the knowledge base article, SIM authenticates to Windows with LM or NTLM rather than NTLMv2; adding useNTLMv2=true to the SQL connection string resolves the problem.

So why did it suddenly break? Nobody normally touches a server like SIM, so I used rsop.msc to look at the NTLM-related policies, since nobody should have changed anything to do with backward compatibility.

The defaults given in the policy's Explain tab are:

Windows 2000 and Windows XP: Send LM & NTLM responses
Windows Server 2003: Send NTLM response only
Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send NTLMv2 response only

One might expect the two sides to negotiate a protocol version and shake hands before talking, but the NTLM response version is not negotiated: the client sends the response type its own LAN Manager authentication level allows, and the server accepts or refuses it according to its own level. The group policy had been changed to "Send NTLMv2 response only. Refuse LM & NTLM", while the connection string SIM uses for MSSQL defaults to an LM or NTLM (NTLMv1) response, so the server refused the handshake and SQL Server logged SSPI error 0x80090302 (SEC_E_UNSUPPORTED_FUNCTION). Setting useNTLMv2=true fixes the client rather than weakening the policy, which is the right direction.
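The following added PowerShell example (not from the original post or from HP SIM) serves both the useNTLMv2 fix above and the policy analysis in this paragraph. It decodes the LAN Manager authentication level that rsop.msc displays, which group policy writes to LmCompatibilityLevel under the Lsa key, and applies the connection-string change from the HP article. useNTLMv2 is a property of the jTDS JDBC driver, so the example assumes SIM's database URL is jTDS-style; the URL, host and domain in it are hypothetical.

```powershell
# Added example, not from the original post or HP SIM.
# Assumes Windows PowerShell 5.1 or later; reading the policy value needs no elevation.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Meaning of "Network security: LAN Manager authentication level" values.
# Group policy stores the selected option in LmCompatibilityLevel.
$LmLevels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    # Reads the effective value on this host. A missing value means the OS
    # default applies (the per-OS defaults are listed in the post above).
    $lsa   = Get-ItemProperty -Path $LsaKey -ErrorAction SilentlyContinue
    $level = $lsa.LmCompatibilityLevel
    $meaning = 'not set (OS default applies)'
    if ($null -ne $level) { $meaning = $LmLevels[[int]$level] }
    [pscustomobject]@{
        Level       = $level
        Meaning     = $meaning
        RefusesLM   = ($null -ne $level -and [int]$level -ge 4)
        RefusesNTLM = ($null -ne $level -and [int]$level -ge 5)   # the SIM failure case: NTLMv1 clients are rejected
    }
}

function Add-UseNtlmV2 {
    # HP's fix: make sure the jTDS-style URL carries useNTLMv2=true, replacing
    # any existing useNTLMv2 setting so the client sends an NTLMv2 response.
    param([Parameter(Mandatory)][string]$JdbcUrl)
    if ($JdbcUrl -match '(?i)(^|;)useNTLMv2=true(;|$)') { return $JdbcUrl }
    $stripped = $JdbcUrl -replace '(?i);useNTLMv2=[^;]*', ''
    return $stripped.TrimEnd(';') + ';useNTLMv2=true'
}

# Usage (hypothetical URL, not a real SIM configuration):
Get-LmCompatibilityLevel
Add-UseNtlmV2 'jdbc:jtds:sqlserver://dbhost:1433/Insight_v50_0;domain=CORP'
# -> jdbc:jtds:sqlserver://dbhost:1433/Insight_v50_0;domain=CORP;useNTLMv2=true
```

Run Get-LmCompatibilityLevel on the SQL Server host: a RefusesNTLM of True with a client that sends NTLMv1 reproduces the 0x80090302 failure described above, and the connection-string change is the fix that keeps the hardened policy in place.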
