Develop Reference

The target principal name is incorrect. Cannot generate SSPI context

I am struggling to get a SQL Server connection from machine A to machine B which is running the SQL Server.
I have Googled extensively and all the things I have found have not worked. Nor do they lead you step by step through the process of solving this.
We are not using Kerberos, but NTLM where configured.
The machines involved are (xx is used to obscure some of the machine name for security purposes):
xxPRODSVR001 - Windows Server 2012 Domain Controller
xxDEVSVR003 - Windows Server 2012 (This machine is generating the error)
xxDEVSVR002 - Windows Server 2012 (This machine is running SQL Server 2012)
The following SPN's are registered on the DC (xxPRODSVR001). I have obscured the domain with yyy for security purposes:
Registered ServicePrincipalNames for CN=xxDEVSVR002,CN=Computers,DC=yyy,DC=local:
MSSQLSvc/xxDEVSVR002.yyy.local:49298
MSSQLSvc/xxDEVSVR002.yyy.local:TFS
RestrictedKrbHost/xxDEVSVR002
RestrictedKrbHost/xxDEVSVR002.yyy.local
Hyper-V Replica Service/xxDEVSVR002
Hyper-V Replica Service/xxDEVSVR002.yyy.local
Microsoft Virtual System Migration Service/xxDEVSVR002
Microsoft Virtual System Migration Service/xxDEVSVR002.yyy.local
Microsoft Virtual Console Service/xxDEVSVR002
Microsoft Virtual Console Service/xxDEVSVR002.yyy.local
SMTPSVC/xxDEVSVR002
SMTPSVC/xxDEVSVR002.yyy.local
WSMAN/xxDEVSVR002
WSMAN/xxDEVSVR002.yyy.local
Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/xxDEVSVR002.yyy.local
TERMSRV/xxDEVSVR002
TERMSRV/xxDEVSVR002.yyy.local
HOST/xxDEVSVR002
HOST/xxDEVSVR002.yyy.local
Registered ServicePrincipalNames for CN=xxDEVSVR003,CN=Computers,DC=yyy,DC=local:
MSSQLSvc/xxDEVSVR003.yyy.local:1433
MSSQLSvc/xxDEVSVR003.yyy.local
Hyper-V Replica Service/xxDEVSVR003
Hyper-V Replica Service/xxDEVSVR003.yyy.local
Microsoft Virtual System Migration Service/xxDEVSVR003
Microsoft Virtual System Migration Service/xxDEVSVR003.yyy.local
Microsoft Virtual Console Service/xxDEVSVR003
Microsoft Virtual Console Service/xxDEVSVR003.yyy.local
WSMAN/xxDEVSVR003
WSMAN/xxDEVSVR003.yyy.local
TERMSRV/xxDEVSVR003
TERMSRV/xxDEVSVR003.yyy.local
RestrictedKrbHost/xxDEVSVR003
HOST/xxDEVSVR003
RestrictedKrbHost/xxDEVSVR003.yyy.local
HOST/xxDEVSVR003.yyy.local
Now if only the SQL Server error message was more descriptive and told me what principal name it was trying to connect to I might be able to diagnose this.
So can anyone step me through how to solve this one or can you see anything in what I have provided that is wrong?
I would be happy to generate more debug info, just tell me what you need.

I had this problem with an ASP.NET MVC app I was working on.
I realized I had recently changed my password, and I was able to fix it by logging out and logging back in again.

The SSPI context error definitely indicates authentication is being attempted using Kerberos.
Since Kerberos authentication SQL Server's Windows Authentication relies on Active Directory, which requires a trusted relationship between your computer and your network domain controller, you should start by validating that relationship.
You can quickly check that relationship, thru the following Powershell command Test-ComputerSecureChannel.
Test-ComputerSecureChannel -Verbose
If it returns False, you must repair your computer Active Directory secure channel, since without it no domain credencials validation is possible outside your computer.
You can repair your Computer Secure Channel, thru the following Powershell command:
Test-ComputerSecureChannel -Repair -Verbose
If the above doesn't work (because your domain credentials don't work because the machine isn't trusted) you can use NETDOM RESET instead from an elevated cmd.exe (not PowerShell) prompt:
NETDOM RESET %COMPUTERNAME% /UserO:domainAdminUserName /Password0:* /SecurePasswordPrompt
(Yes, the command-line arguments really do have an O (Capital-"Oh", not zero 0). The /Password0:* /SecurePasswordPrompt option will use a credential popup instead of having you put your password directly in the command-line, which you must never do).
Check the security event logs, if you are using kerberos you should see logon attempts with authentication package: Kerberos.
The NTLM authentication may be failing and so a kerberos authentication attempt is being made. You might also see an NTLM logon attempt failure in your security event log?
You can turn on kerberos event logging in dev to try to debug why the kerberos is failing, although it is very verbose.
Microsoft's Kerberos Configuration Manager for SQL Server may help you quickly diagnose and fix this issue.
Here is a good story to read: http://houseofbrick.com/microsoft-made-an-easy-button-for-spn-and-double-hop-issues/

I was getting the same error when trying through windows authentication. Sounds ludicrous but just in case it helps someone else: it was because my domain account got locked somehow while I was still logged in (!). Unlocking the account fixed it.

Try setting Integrated Security=true to remove this param from the connection string.
IMPORTANT: As user #Auspex commented,
Removing Integrated Security will prevent this error, because the error occurs when trying to login with your Windows credentials. Unfortunately, most of the time, you want to be able to login with your Windows credentials

I was logging into Windows 10 with a PIN instead of a password. I logged out and logged back in with my password instead and was able to get in to SQL Server via Management Studio.

Just to add another potential solution to this most ambiguous of errors The target principal name is incorrect. Cannot generate SSPI context. (.Net SqlClient Data Provider) :
Verify that the IP that is resolved when pinging the SQL Server is the same as the one in the Configuration Manager. To check, open SQL Server Configuration Manager and then go to SQL Server Network Configuration > Protocols for MSSQLServer > TCP/IP.
Make sure TCP/IP is enabled and in the IP Addresses tab, make sure that the IP that the server resolves to when pinging is the same one here. That fixed this error for me.

I just ran into this and fixed it by doing 2 things:
Granting read/write servicePrincipalName permissions to the service account using ADSI Edit, as described in https://support.microsoft.com/en-us/kb/811889
Removing the SPNs that previously existed on the SQL Server computer account (as opposed to the service account) using
setspn -D MSSQLSvc/HOSTNAME.domain.name.com:1234 HOSTNAME
where 1234 was the port number used by the instance (mine was not a default instance).

This is usually due to missing, incorrect or duplicated Service Principle Names (SPNs)
Steps to resolve:
Confirm what AD account SQL Server is using
Run the following command in Powershell or CMD in administrator mode (service account should not contain the domain)
setspn -L <ServiceAccountName> | Select-String <ServerName> | select line
Make sure the returned output contains an SPN which is fully qualified, no fully qualified, with a port and without a port.
Expected Output:
Registered ServicePrincipalNames for CN=<ServiceAccountName>,OU=CSN Service Accounts,DC=<Domain>,DC=com:
MSSQLSvc/<ServerName>.<domain>.com:1433
MSSQLSvc/<ServerName>:1433
MSSQLSvc/<ServerName>.<domain>.com
MSSQLSvc/<ServerName>
If you don't see all of the above, run the following command in PowerShell or CMD in admin mode (make sure to change the port if you don't use default 1433)
SETSPN -S MSSQLSvc/<ServerName> <Domain>\<ServiceAccountName>
SETSPN -S MSSQLSvc/<ServerName>.<Domain> <Domain>\<ServiceAccountName>
SETSPN -S MSSQLSvc/<ServerName>:1433 <Domain>\<ServiceAccountName>
SETSPN -S MSSQLSvc/<ServerName>.<Domain>:1433 <Domain>\<ServiceAccountName>
Once above is complete it normally takes a few minutes for DNS propagation
Also, if you get a message about duplicate SPNs found, you may want to delete them and recreate them

The issue seems to be a windows credentials issue. I was getting the same error on my work laptop with a VPN. I am supposedly logged in as my Domain/Username, which is what I use successfully when connecting directly but as soon as I move to a VPN with another connection I receive this error. I thought it was a DNS issue as I could ping the server but it turns out I needed to run SMSS explicitly as my user from Command prompt.
e.g
runas /netonly /user:YourDoman\YourUsername "C:\Program Files (x86)\Microsoft SQL Server Management Studio 18\Common7\IDE\Ssms.exe"

Login to both your SQL Box and your client and type:
ipconfig /flushdns
nbtstat -R
If that doesn't work, renew your DHCP on your client machine... This work for 2 PCs in our office.

Check your clock matches between the client and server.
When I had this error intermittently, none of the above answers worked, then we found the time had drifted on some of our servers, once they were synced again the error went away. Search for w32tm or NTP to see how to automatically sync the time on Windows.

In my case, restarting SQL Server 2014 (on my development server) fixed the issue.

I had this problem when accessing the web application. It might be due to i have changed a windows password recently.
This issue got resolved when i have updated the password for the app pool where i have hosted the web application.

I was testing out IPv6 on a cluster of PC's in an isolated network and ran into this issue when I reverted back yo IPv4. I had been play in the active directory, DNS and DHCP so have no idea what I prodded to break the Kerberos setup.
I retested the connection outside of my software with this useful tip to connect remote connectivity I found.
https://blogs.msdn.microsoft.com/steverac/2010/12/13/test-remote-sql-connectivity-easily/
then after a brief search found this on the Microsoft website
https://support.microsoft.com/en-gb/help/811889/how-to-troubleshoot-the-cannot-generate-sspi-context-error-message.
run the tool on the SQL server see if there are any issue
if the status says error then hit the fix button that appears.
This resolved the problem for me.

In my situation I was trying to use Integrated Security to connect from a PC to SQL Server on another PC on a network without a domain. On both PCs, I was signing in to Windows with the same Microsoft account. I switched to a local account on both PCs and SQL Server now connects successfully.

I had the same issue, but locking, and unlocking the machine worked for me. Sometimes, firewall issues will give errors.
I am not sure it will work for you or not, just sharing my experience.

This Microsoft Tool is like Magic. Run it, connect it to the SQL server, and click Fix
The old version linked here worked on SQL server 2017.
Kerberos Configuration Manager for SQL Server
https://www.microsoft.com/en-us/download/details.aspx?id=39046

Since I landed here when looking for a solution to my own problem, I'll share my solution here, in case others land here as well.
I was connecting fine to SQL Server until my machine was moved to another office on another domain. Then, after the switch, I was getting this error regarding the target principal name. What fixed it was connecting using a fully qualified name such as: server.domain.com. And actually, once I connected to the first server that way, I could connect to other servers using just the server name (without the full qualification), but your mileage may vary.

In my Case since I was working in my development environment, someone had shut down the Domain Controller and Windows Credentials couldn't be authenticated. After turning on the Domain Controller, the error disappeared and everything worked just fine.

In case anyone is wondering, I untangled the MS terminology:
Target = (active directory) target
Active directory target = target server running the domain controller
Domain controller = server that verifies your login information
Principal name = your windows username
SSPI = security support provider interface
Security support provider interface = software interface that manages "authenticated
communications" and allows SSPs like TLS to allow SSL, among others
SSP = security support provider (SSPI implementation)
TLS/SSL = you should already know this
= Can't verify your password.

I ran into this today and wanted to share my fix, since this one is simply overlooked and easy to fix.
We manage our own rDNS and recently redid our server naming scheme. As part of that, we should have updated our rDNS and forgot to do this.
A ping turned up the correct hostname, but a ping -a returned the wrong hostname.
Easy fix: change the rDNS, do an ipconfig /flushdns, wait 30 seconds (just something I do), do another ping -a , see it resolving the correct hostname, connect ... profit.

I ran into a variant of this issue, here were the characteristics:
User was able to successfully connect to a named instance, for example, connections to Server\Instance were successful
User was unable to connect to the default instance, for example, connections to Server failed with the OP's screenshot regarding SSPI
User was unable to connect default instance with fully qualified name, for example, connections to Server.domain.com failed (timeout)
User was unable to connect IP address without named instance, for example, connections to 192.168.1.134 failed
Other users not on the domain (for example, users who VPN to the network) but using domain credentials were able to successfully connect to the default instance and IP address
So after many headaches of trying to figure out why this single user couldn't connect, here are the steps we took to fix the situation:
Take a look at the server in the SPN list using
setspn -l Server
a. In our case, it said Server.domain.com
Add an entry to the hosts file located in C:\Windows\System32\drivers\etc\hosts (run Notepad as Administrator to alter this file). The entry we added was
Server.domain.com Server
After this, we were able to successfully connect via SSMS to the default instance.

I ran into a new one for this: SQL 2012 hosted on Server 2012.
Was tasked to create a cluster for SQL AlwaysOn.
Cluster was created everyone got the SSPI message.
To fix the problems ran following command:
setspn -D MSSQLSvc/SERVER_FQNName:1433 DomainNamerunningSQLService
DomainNamerunningSQLService == the domain account I set for SQL
I needed a Domain Administrator to run the command. Only one server in the cluster had issues.
Then restarted SQL. To my surprise I was able to connect.

I was trying to connect to a VM running SQL Server 2015 from my laptop in a Visual Studio 2015 Console App. I run my app the night before and it is fine. In the morning I try to debug the app and I get this error. I tried ipconfig/flush and release + renew and a a bunch of other garbage, but in the end...
Restart your VM and restart the client. That fixed it for me. I should have known, restart works every time.

I had this problem on my sql server. I setspn -D mssqlsvc\Hostname.domainname Hostname then stoped and started my SQL server service.
I am thinking that just stopping and starting my sql service would have done it.

I have tried all the solutions here and none of them have worked yet. A workaround that is working is to Click Connect, enter the server name, select Options, Connection Properties tab. Set the "Network protocol" to "Named Pipes". This allows users to remote connect using their network credentials. I'll post an update when I get a fix.

In my case, the problem was setting up DNS on the wifi. I removed the settings, and left them empty, and worked.

Make sure that "Named Pipes" are enabled from "SQL Server Configuration Manager". This worked for me.
Open "SQL Server Configuration Manager".
Expand "SQL Server Network Configuration", from the list on the left.
Select "Protocols for [Your Instance Name]".
Right click on "Named Pipes", from the list on the right.
Select "Enable"
Restart your Instance service.

Another niche to this issue caused by network connections. I connect via windows VPN client and this issue popped up when I switched from Wifi to a wired connection. The fix for my situation was to manually adjust the adapter metric.
In powershell use Get-NetIPInterface to see all of the metric values. The lower numbers are lower cost and so they are preferred by windows. I switched the ethernet and VPN and the credentials got where they needed to be for SSMS to be happy.
To configure the Automatic Metric feature:
In Control Panel, double-click Network Connections.
Right-click a network interface, and then select Properties.
Click Internet Protocol (TCP/IP), and then select Properties.
On the General tab, select Advanced.
To specify a metric, on the IP Settings tab, select to clear the Automatic metric check box, and then enter the metric that you want in the Interface Metric field.
Source:
https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/automatic-metric-for-ipv4-routes

I have been unable to solve this in a satisfactory manner. If I log in from a client as a local Windows account, Windows authentication works without a glitch. If I however attempt to log in from a Microsoft account (which is preferable for me because of the synchronization features), I get the "incorrect principal" message. No record of the failed login appears in the MS-SQL logs, implying that the failure occurs very early.

No process is on the other end of the pipe (SQL Server 2012)

I've got this error:
A connection was successfully established with the server, but then an error occurred
during the login process. (provider: Shared Memory Provider, error: 0 - No process is
on the other end of the pipe.)
(Microsoft SQL Server, Error: 233)
I know, there are similar questions on this site, and the answer is, to enable TCP/IP and pipes.
But I enabled both, and still doesn't work:
I am using Microsoft SQL Server 2012 and the user has full permissions.

The server was set to Windows Authentication only by default. There isn't any notification, that the origin of the errors is that, so it's hard to figure it out. The SQL Management studio does not warn you, even if you create a user with SQL Authentication only.
So the answer is: Switch from Windows to SQL Authentication:
Right click on the server name and select properties;
Select security tab;
Enable the SQL Server and Windows Authentication mode;
Restart the SQL Server service.
You can now connect with your login/password.
Here are the directions by Microsoft: https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/change-server-authentication-mode?view=sql-server-ver15

To solve this, connect to SQL Management Studio using Windows Authentication, then right-click on server node Properties->Security and enable SQL Server and Windows Authentication mode. If you're using 'sa' make sure the account is enabled. To do this open 'sa' under Logins and view Status.
If this didn't work, you may need to reinstall SQL Server

Also you can try to go to services and restart your Sql server instance

So, I had this recently also, for integrated security, It turns out that my issue was actually fairly simple to fix but mainly because I had forgotten to add "Trusted_Connection=True" to my connection string.
I know that may seem fairly obvious but it had me going for 20 minutes or so until I realised that I had copied my connection string format from connectionstrings.com and that portion of the connection string was missing.
Simple and I feel a bit daft, but it was the answer for me.

Another reason for this error could be incorrect or non-existent database name.
Forcing the TCP/IP connection (by providing 127.0.0.1 instead of localhost or .) can reveal the real reason for the error. In my case, the database name specified in connection string was incorrect.
So, here is the checklist:
Make sure Named Pipe is enabled in configuration manager (don't forget to restart the server).
Make sure the database you are connecting to exists.
Make sure SQL Server Authentication (or Mixed Mode) is enabled.

Please check this also Also check in configuration TCP/IP,Names PipeLine and shared memory enabled

If you are trying to login with SQL credentials, you can also try changing the LoginMode for SQL Server in the registry to allow both SQL Server and Windows Authentication.
Open regedit
Go to the SQL instance key (may vary depending on your instance name):
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL14.SQLEXPRESS\MSSQLServer\
Set LoginMode to 2
Restart SQL service and SQL Server Management Studio and try again.

I face this issue for the second time and all previous answers failed, fortunately the following request do the job:
Alter login [user] with CHECK_POLICY = OFF
go
Alter login [user] with CHECK_POLICY = ON
go

For me the password expired for my login user, and i got the same exception.
Then i login with Windows Authentication mode and change the password for the associated user, and it solved my problem.

Yup, this error might as well be "something failed, good luck figuring out what" - In my case it was a wrong username. SQL Server 2019 RC1.

Had this error too, the cause was simple, but not obvious: incorrect password. Not sure why I didn't get just "Login failed" from freshly installed SQL 2016 server.

I have the same proplem
"A connection was successfully established with the server, but then an error occurred
during the login process. (provider: Shared Memory Provider, error: 0 - No process is
on the other end of the pipe.)"
My connection is:
server=POS06\SQLEXPRESS; AttachDbFilename=C:...\Datas.mdf;Initial Catalog= Datas; User ID= sa; Pwd=12345; Connect Timeout=10;
But My SQL is POS06\MSQL2014
Change the connection string to
server=POS06\MSQL2014 ; AttachDbFilename=C:...\Datas.mdf;Initial Catalog= Datas; User ID= sa; Pwd=12345; Connect Timeout=10;
it worked.

Always try to log in using those credentials with SQL Management Studio. This might reveal some more details that you don't get at runtime in your code.
I had checked the SQL + Windows authentication, restarted the server but still no luck.
After trying to log in using SQL Management, I got this prompt:
Somehow the password had expired although the login was created just minutes before. Anyway, new password set, connection string updated and all's fine.

This might help others. After writing my db routines at home, all working fine. Brought it to work and got this error as well. Might assert same error, different reason. I mistyped the database name when fixing up my code. Ooohh! More coffee ;) Looking back now, kind of makes sense in my case the login/user was good (an admin account) but with a bad database name, there was nothing on the end of the pipe. Why not say "Database does not exists...? And be clear.

make sure that you have specified user in Security-> Logins, if no - add it and try again.

Follow the other answer, and if it's still not working, restart your computer to effectively restart the SQL Server service on Windows.

In my case the database was restored and it already had the user used for the connection. I had to drop the user in the database and recreate the user-mapping for the login.
Drop the user
DROP USER [MyUser]
It might fail if the user owns any schemas. Those has to assigned to dbo before dropping the user. Get the schemas owned by the user using first query below and then alter the owner of those schemas using second query (HangFire is the schema obtained from previous query).
select * from information_schema.schemata where schema_owner = 'MyUser'
ALTER AUTHORIZATION ON SCHEMA::[HangFire] TO [dbo]
Update user mapping for the user. In management studio go to Security-> Login -> Open the user -> Go to user mapping tab -> Enable the database and grant appropriate role.

In my case: Assign a sysadmin role to the user.
Login as windows authenticated user
Go to: Security->Login->Right click user->Assign server role as sysadmin

In my case, login works fine remotely, via VPN. But connecting from the server where sql server was installed, it failed.
Turns out, the instance name is not the default eg. SQLEXPRESS. Hence, it needs to be explictly specified when connecting.
Server name: .<instance_name>
eg. ".\I01"
I don't have to do this if I'm connecting remotely, just <server_hostname>,<port_number>

Login to Microsoft SQL Server Error: 18456

I am getting this error while trying to connect to the SQL Server.
Microsoft SQL Server Error: 18456
Can anybody tell me what the error code means?

If you're trying to connect using "SQL Server Authentication" then you may want to modify your server authentication:
Within the Microsoft SQL Server Management Studio in the object explorer:
Right click on the server and click Properties
Go to the Security page
Under Server authentication choose the SQL Server and Windows Authentication mode radio button
Click OK
Restart SQL Services

Check out this MSDN blog article from the data platform team.
You really need to look at the state part of the error message to find the root cause of the issue.
2, 5 = Invalid userid
6 = Attempt to use a Windows login name with SQL Authentication
7 = Login disabled and password mismatch
8 = Password mismatch
9 = Invalid password
11, 12 = Valid login but server access failure
13 = SQL Server service paused
18 = Change password required
Afterwards, Google how to fix the issue.

Before opening, right-click and choose 'Run as Administrator'. This solved the problem for me.

I have faced this issue.
Please look at the attached image,
Step 1: Go to server property
Step 2: Go to Security
Step 3: Change server authentication as SQL server and WindowsAuthenication mode
and restart your Sql server.

first see the details of the error
if "state" is "1"
Ensure the database is set for both SQL and Windows authentication under SQL server / Properties / Security.
for other state see the above answers ....

Just an update, here is the solution if anyone else has there error with a properly configured login:
If you're trying to connect using "SQL Server Authentication" then you may want to modify your server authentication:
Within the Microsoft SQL Server Management Studio in the object explorer:
Right click on the server and click Properties
Go to the Security page
Under Server authentication choose the SQL Server and Windows Authentication mode radio button
Click OK
Restart SQL Services

Check whether mixed mode authentication is enabled in you server->properties
Then create a login in the server->security
create an user for that login in your database
Then restart your server by right clicking the instance and select restart

If you change a login user credential or add new login user then after you need to log in then you will have to restart the SQL Server Service. for that
GO to--> Services
Then go to SQL Server(MSSQLSERVER) and stop and start again
Now try to log in, I hope You can.
Thanks

Just happened to me, and turned out to be different than all other cases listed here.
I happen to have two virtual servers hosted in the same cluster, each with it own IP address. The host configured one of the servers to be the SQL Server, and the other to be the Web server. However, SQL Server is installed and running on both. The host forgot to mention which of the servers is the SQL and which is the Web, so I just assumed the first is Web, second is SQL.
When I connected to the (what I thought is) SQL Server and tried to connect via SSMS, choosing Windows Authentication, I got the error mentioned in this question. After pulling lots of hairs, I went over all the setting, including SQL Server Network Configuration, Protocols for MSSQLSERVER:
Double clicking the TCP/IP gave me this:
The IP address was of the other virtual server! This finally made me realize I simply confused between the servers, and all worked well on the second server.

Right Click the User, go to properties, change the default database to master
This is the screen print of the image which shows what you have to check if you have the error 19456. Sometimes it default to a database which the user doesn't have permission

18456 Error State List
ERROR STATE ERROR DESCRIPTION
State 2 and State 5 Invalid userid
State 6 Attempt to use a Windows login name with SQL Authentication
State 7 Login disabled and password mismatch
State 8 Password mismatch
State 9 Invalid password
State 11 and State 12 Valid login but server access failure
State 13 SQL Server service paused
State 18 Change password required
Potential causes
Below is a list of reasons and some brief explanation what to do:
SQL Authentication not enabled: If you use SQL Login for the first time on SQL Server instance than very often error 18456 occurs because server might be set in Windows Authentication mode (only).
How to fix? Check this SQL Server and Windows Authentication Mode page.
Invalid userID: SQL Server is not able to find the specified UserID on the server you are trying to get. The most common cause is that this userID hasn’t been granted access on the server but this could be also a simple typo or you accidentally are trying to connect to different server (Typical if you use more than one server)
Invalid password: Wrong password or just a typo. Remember that this username can have different passwords on different servers.
less common errors: The userID might be disabled on the server. Windows login was provided for SQL Authentication (change to Windows Authentication. If you use SSMS you might have to run as different user to use this option). Password might have expired and probably several other reasons…. If you know of any other ones let me know.
18456 state 1 explanations: Usually Microsoft SQL Server will give you error state 1 which actually does not mean anything apart from that you have 18456 error. State 1 is used to hide actual state in order to protect the system, which to me makes sense. Below is a list with all different states and for more information about retrieving accurate states visit Understanding "login failed" (Error 18456) error messages in SQL Server 2005
Hope that helps

Also you can just login with windows authentication and run the following query to enable it:
ALTER LOGIN sa ENABLE ;
GO
ALTER LOGIN sa WITH PASSWORD = '<enterStrongPasswordHere>' ;
GO
Source: https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/change-server-authentication-mode

First go to start bar then search local services
Then click on "view local services"
Then it will open service window then go to SQL Server(MSSQLSERVER) right click on it and click on stop and then again right click on it and click start. Now you can able to login and put your user name as 'sa' and password is your won password.

Please check to see if you are connected to the network if this is a domain member PC. Also, make sure you are not on a dual home PC as your routes may be incorrect due to network metrics. I had this issue when I could not connect to the domain the SQL windows authentication switched to the local PC account but registered it as a SQL authentication. Once I disabled my wireless adapter and rebooted, the Windows integration switched back to the domain account and authenticated fine. I had already set up Mixed mode as you had already done as well so the previous posts do not apply.

For me, it was wrong login and password.

I believe this can happen if you are trying to log in with a user that is defined in Active Directory, but attempt using "SQL Server Authentication" in the login screen. I do not know how to specify a different user with NTLM/Windows Authentication: When I click the Windows Authentication dropdown, the username and password is blanked out, and I can only log in as myself.

In my case multiple wrong attempts locked the account.To do that I had tried running the below query and it worked:
ALTER LOGIN WITH PASSWORD= UNLOCK
And make sure to set the option "Enforce Password Security" option for specific user to be unchecked by right click on Sql Server -> Properties.

SQL Server connection troubleshoot
In case you are not able to connect with SQL Authentication and you've tried the other solutions.
You may try the following:
Check connectivity
Disable Firewall.
Run PortQry on 1434 and check the answer.
Check the state
Try to connect with SSMS or sqlcmd and check the message.
State 1 is rarely documented but it just mean you don't have the right to know the true state.
Look at the log file in the directory of SQL server to know what is the state.
The State 5
What ? my login doesn't exist ? it's right there, I can see it in SSMS. How can it be ?
The most likely explanation is the most likely to be the right one.
The state of the login
Destroy, recreate it, enable it.
reset the password.
Or...
"You don't look at the right place" or "what you see is not what you think".
The Local DB and SQLEXPRESS conflict
If you connect with SSMS with Windows authentication, and your instance is named SQLEXPRESS, you are probably looking at the LocalDb and not the right server. So you just created your login on LocalDb.
When you connect through SQL Server authentication with SSMS, it will try to connect to SQLEXPRESS real server where your beloved login doesn't exist yet.
Additional note: Check in the connection parameters tab if you've not forgotten some strange connection string there.

Another worked solution for me.
serever->security->logins->new logins->General->create your user name as login name,Click sql server authentication add passwords
uncheck the password verification three checkboxes .
This will work.
Remeber to change the server properties ->Security from Server authentication to SQL Server and Windows Authentication mode

you can do in linux for mssql
change password for sa account
sudo /opt/mssql/bin/mssql-conf setup
The license terms for this product can be downloaded from
http://go.microsoft.com/fwlink/?LinkId=746388 Jump Jump
and found in /usr/share/doc/mssql-server/LICENSE.TXT.
Do you accept the license terms? [Yes/No]:yes
Setting up Microsoft SQL Server
Enter the new SQL Server system administrator password: --Enter strong password
Confirm the new SQL Server system administrator password: --Enter strong password
starting Microsoft SQL Server...
Enabling Microsoft SQL Server to run at boot...
Setup completed successfully.

I got this error after creating a new sysadmin user under my SQL instance.
My admin user was created under a specific domain
MyOrganization/useradmin
Using useradmin on a disconnected environment allows you to create other users using SQL Server authentication, but as soon as you try to login you get
Microsoft SQL Server Error: 18456
To fix the problem, try to connect again to your Organization network and create the user while you are connected and then you can get disconnected and will work.

I have faced the same issue. In case you see it, run this query:
DBCC FREEPROCCACHE
DBCC DROPCLEANBUFFERS
then it shows a 18456 error code.
Do one thing again run same query after reconnecting SQL server. It will work fine.

Click on "Options" and under "Connection Properties" specify the catalog/database name next to "Connect to database:". I got the error because this was set to <default> and I needed to specify the dbname.

Microsoft SQL Server, Error: 18456
I was getting an issue because I was entering the wrong password.
Microsoft SQL Server, Error code: 18456 - This indicates that the password is incorrect.
Reference: https://learn.microsoft.com/en-us/sql/relational-databases/errors-events/mssqlserver-18456-database-engine-error?view=sql-server-ver16

it happen with me when I have restored my computer
enable windows and sql authentication
reboot your PC
in vs code in my case still in error because i forget install pyodbc :D

Trouble Connecting to sql server Login failed. "The login is from an untrusted domain and cannot be used with Windows authentication"

I am trying to host a SQL server database, but whenever I try to connect to it I get this error:
The login is from an untrusted domain and cannot be used with Windows
authentication
I am connecting through Matlab using the following command:
conn = database('Clinical_Data','DoyleLab07\Acc','','com.microsoft.sqlserver.jdbc.SQLServerDriver','jdbc:sqlserver://DOYLELAB07\SQLEXPRESS:54287;database=Clinical_Data;integratedSecurity=true;').
Connecting to the database using matlab worked fine as long as I was using matlab on the computer which I was using to host the server. However, when I use another computer and the same Matlab command I get the error I showed above.
When I look under control panel\system. I notice that no domain is listed on my host PC or the PC I am using to connect to the host, but both computers are in the same workgroup. Would I be able to fix my problem by creating a domain and adding the foreign PC and the host to that domain? If so, how can this be accomplished?
Any suggestions will be very much appreciated.
Thank you for reading my post.

Getting rid of Integrated Security=true worked for me.

In order to use Windows Authentication one of two things needs to be true:
You are executing from the same machine as the database server.
You have an Active Directory environment and the user the application is executing under (usually the logged in user) has rights to connect to that database.
If neither of those are true you have to do one of two things:
Establish a Windows Domain Controller, connect all of the relevant machines to that controller, then fix SQL server to use domain accounts; OR,
Change SQL server to use both Windows and SQL Server accounts.
By FAR the easiest way is to change SQL Server to use both Windows and SQL server accounts. Then you just need to create a sql server user on the DB server and change your connection string to do that.
Best case option 1 will take a full day of installation and configuration. Option 2 ought to take about 5 minutes.

If your SQL Server is on one domain controller and you are trying to connect to it from another domain controller then you will get this error when
IntegratedSecurity = true;
This will happen even if you include a valid SQL Server username and password in your connection string as they will automatically be over-written with your windows login and password. Integrated security means simply - use your windows credentials for login verification to SQL Server. So, if you are logged in to a different domain controller then it will fail. In the case where you are on two different domain controllers then you have no choice but to use
IntegratedSecurity = false;
Now, when Integrated security is false SQL Server will use the SQL Server login and password provided in your connection string. For this to work, the SQL Server instance has to have its authentication mode configured to mixed mode, being, SQL Server and Windows Authentication mode.
To verify or change this setting in SQL Server you can open the SQL Server Management Studio and right-click on your server name and then select Properties. On the pop-up that appears select Security and you will see where to alter this setting if you need to.

I've had this same issue when using DNS aliases and hosts files to connect to a machine using a different domain name.
Say you have a SQL server called sql1 on mydomain.com - which is an Active Directory domain - and you also have a DNS zone for mydomain.net, and - for consistency - you set up a DNS alias (CNAME) record for database.mydomain.net --> sql1.mydomain.com
You'll be able to connect to sql1.mydomain.com using Windows integrated security, but won't be able to connect to database.mydomain.net even though it's the same server because the domain name doesn't match your AD domain.

This error message can also occur if the account you are using to access the SQL server is locked out by the domain.

I was facing the issue while connecting to SQL Always On Listener. Disabling the loop back check resolved the issue.
Edit the registry using regedit. (Start –> Run > Regedit )
Navigate to: HKLM\System\CurrentControlSet\Control\LSA
Add a DWORD value called “DisableLoopbackCheck”
Set this value to 1
https://blog.sqlauthority.com/2017/04/18/sql-server-login-failed-login-untrusted-domain-cannot-used-windows-authentication/

Why not use a SQL Server account and pass both the user name and password?
Here is the reason why.
In short, it looks like you have an authentication issue.
The problem with workgroups is there is no common Access Control List like Active Directory (AD). If you are using ODBC or JDBC, the wrong credentials are passed.
Even if you create a local windows account (LWA) on the machine (SE) that has SQL Express installed (SE\LWA), the credentials that will be passed from your client machine (CM) will be CM\LWA.

As mentioned here, you might need to disable the loopback
Loopback check can be removed by adding a registry entry as follows:
Edit the registry using regedit. (Start –> Run > Regedit )
Navigate to: HKLM\System\CurrentControlSet\Control\LSA
Add a DWORD value called “DisableLoopbackCheck” Set this value to 1

If you using windows authentication make sure that password of the user hasn't expired. An expired password can explain this error. This was the problem in my case.

Same Error with Connection String in Visual Studio dev environment
Our development database server was recently given a self-signed certificate so it automatically became untrusted. This resulted in the login error cited above. I added TrustServerCertificate=True to my connection string and it works now.
"Server=TheServerAddress; Database=TheDataBase; User Id=TheUsername; Password=ThePassword; TrustServerCertificate=True"
NOTE: This certificate configuration is not recommended for production environments.

In my case the Aliases within SQL Native Client 11.0 Configuration were pointing to invalid server/IP. Once updated it worked correctly.
To check:
1. Start "SQL Server Configuration Manager"
2. Navigate to "SQL Native Client 11.0 Configuration" and then "Aliases"
3. Ensure "Alias Name" and "Server" match correctly for TCP/IP

Following worked for me to get access from another machine to SQL Server using Windows Authentication. This approach may be useful only in development/test environment. E.g. you need to update password manually once you change it on your working machine.
On machine with SQL Server go to Control Panel and add new Windows User with same username and password as is on your working machine. Then create SQL Server login for this user:
CREATE LOGIN [SQLSERVERHOST\myuser] FROM WINDOWS;
Now you can use this login for Windows Authentication.
If you receive error 'The login is from an untrusted domain', this may mean that you changed password on your working machine and now need to update password on SQL Server machine.

Just adding my suggestion for a resolution, I had a copy of a VM server for developing and testing, I created the database on that with 'sa' having ownership on the db.
I then restored the database onto the live VM server but I was getting the same error mentioned even though the data was still returning correctly. I looked up the 'sa' user mappings and could see it wasn't mapped to the database when I tried to apply the mapping I got a another error "Fix: Cannot use the special principal ‘sa’. Microsoft SQL Server, Error: 15405". so I ran this instead
ALTER AUTHORIZATION ON DATABASE::dbname TO sa
I rechecked the user mappings and it was now assigned to my db and it fixed a lot of access issues for me.

Joining a WORKGROUP then rejoining the domain fixed this issue for me.
I got this error while using Virtual Box VM's. The issue started to happen when I moved the VM files to a new drive location or computer.
Hope this helps the VM folks.

We now use a privileged account management solution that changes our passwords regularly. I ended up receiving this error after my password was changed. Closing and re-opening SSMS with the new password resolved my issue.

I started to get this error when i tried to login to SSMS using 'windows Authentication'. This started to happen after i renamed the Windows SQL server. I tried everything to resolve this error and in my particular case changing the machine names in the 'hosts' file to reflect the name SQL server name change resolved the issue. C:\Windows\System32\Drivers\etc\hosts

I had this problem because we where using a DNS name from an old server, ponting to a new server. Using the newserver\inst1 address, worked. both newserver\inst1 and oldserver\inst1 pointed to the same IP.

Yet another thing to check:We had our nightly QA restore job stop working all of a sudden after another developer remoted into the QA server and tried to start the restore job during the middle of the day, which subsequently failed with the "untrusted domain" message. Somehow the server pointed to be the job's maintenance plan was (changed?) using the ip address, instead of the local machine's name. Upon replacing with the machine name the issue was resolved.

TLDR: Changing the DNS server to the loop back address worked for me.
I am working in VirtualBox and had setup two Windows Server 2016 instances. Server A is configure as a Domain Controller and Server B as an SQL Server. After adding Server B to the domain I cold not connect to with Management Studio from Server A. I was getting the "The login is from an untrusted domain and cannot be used with Windows authentication".
My initial configuration had the server getting its IP from the VirtualBox DHCP server.
I changed this to use static IP and entered the 127.0.0.1 address in the Primary DNS and this worked for me.
Hope this helps someone passing by.

I enabled Trust Server Certificate in the Connection Properties and it worked for me

You might find out that you have more than one connection string, and you forgot to change the other one to Integrated Security to false. It happened to me. This answer might help someone.
I was focusing on the web config and the access rights, after a long hustle i remembered that I have another connection string in one of my classes for the emails, I had to change the connection string on the class to use the web config one.

i removed Integrated Security=true and Trusted_Connection=True both of them , worked for me..

In .net Core also you may get this error if Trusted_Connection=True;
Is set. Sample setting in appsettings.json
ConnectionStrings": {
"DefaultConnection": "Server=serverName; Database=DbName; uid=userId; pwd=password; MultipleActiveResultSets=true"
},

Sometime SSMS hang and close all of sudden ,then you get below error when you reconnect to SSMS
i) The Login is From an Untrusted Domain and Cannot be Used with Windows Authentication
OR
ii) The target principal name is incorrect .Cannot generate SSPI context.
In both cases RESTART YOUR MACHINE.

I also had a similar error but then I realised I just had changed the password for my system which caused this error.
To resolve it , I simply logged out of the current session and logged in again and this time

Please Use This Connection URL It's Work Fine
"Data Source=Your IP Address;Initial Catalog = DatabaseName;User ID =sa;Password =your PassWord;TrustServerCertificate=True"
Example : "Data Source=192.168.150.122;Initial Catalog=StudentDb;User ID=sa; PassWord=123;TrustServerCertificate=True"

If you have two servers on the same domain (eg. APP and DB), you can also use Windows Authentication between the app and MSSQL by setting up local users on both machines that match (same username and password). If you don't have the passwords matched up, it can throw this error.

Following was working for me. hope this helps you
<add name="getconn" connectionString="Data Source=servername;Initial Catalog=DBName;Persist Security Info=True;User ID=sa;Password=***" />

SQL Server 2008 Windows Auth Login Error: The login is from an untrusted domain

When attempting to connect to a SQL Server 2008 Instance using Management Studio, I get the following error:
Login failed. The login is from an
untrusted domain and cannot be used
with Windows authentication.
(Microsoft SQL Server, Error: 18452)
I can login using SQL Authentication without problem. I've been getting this error all of a sudden. I have Mixed Mode Authentication turned on.
Does anyone have any experience with this?
Additional Info:
64-bit version of SQL
Enterprise Edition
On Windows 2003 Server

Another reason this might happen (just happened to me) ... is the user's password expires. I didn't realize this until I tried to remote into the actual server and was prompted to change my password.

For me, this happened when I edited a blank drivers/etc/hosts file, and added an entry for a local website, but neglected to add 127.0.0.1 localhost

The issue was caused by a down Active Directory Server, which of course could not authenticate the Windows account. Thank you for your assistance.

For anyone else who runs into this, I had this in my hosts file:
127.0.0.1 localhost
127.0.0.1 customname
and I needed it to be this:
127.0.0.1 localhost
127.0.0.1 localhost customname

"The issue was caused by a down Active Directory Server, which of course could not authenticate the Windows account"
It is not "of course - because if AD is not available then Kerberos authentication falls back to NTLM (domain account credentials are cached locally, one can login with it even if AD/Kerberos is not available). I guess that you have possibly 2 simultaneous conditions for this failure to happen:
SQL Server is not local (on another machine)
The trust is configured "Kerberos only"
or other specific security network/server/AD/machine configurations

Make sure you aren't connected to a VPN on another domain\user. Or, conversely, make sure you are connected, if that is what is required.

I had this issue for a server instance on my local machine and found that it was because I was pointing to 127.0.0.1 with something other than "localhost" in my hosts file. There are two ways to fix this issue in my case:
Clear the offending entry pointing to 127.0.0.1 in the hosts file
use "localhost" instead of the other name that in the hosts file that points to 127.0.0.1
*This only worked for me when I was running the sql server instance on my local box and attempting to access it from the same machine.

There is a setting on the jTDS driver called USENTLMV2 that is set to false by default. Setting this to 'true' in my db software (DBVisualizer) solved it.

I fixed this issue on machine disabling the loopback check setting:
Edit the Windows registry: Start –> Run > Regedit
Navigate to: HKLM\System\CurrentControlSet\Control\LSA
Add a DWORD value called “DisableLoopbackCheck”
Set this value to 1

try using a different valid login using RUNAS command
runas /user:domain\user “C:\Program Files\Microsoft SQL Server\90\Tools\Binn\VSShell\Common7\IDE\ssmsee.exe”
runas /user:domain\user “C:\WINDOWS\system32\mmc.exe /s \”C:\Program Files\Microsoft SQL Server\80\Tools\BINN\SQL Server Enterprise Manager.MSC\”"
runas /user:domain\user isqlw

For me, it was because i did not add the account to have roles I wanted to use to the SQL Database itself. And also due to a bad password attempts via copy paste problem locking account.

Okay, completely out there answer from me. I was getting this error from a development environment hosted on VM VirtualBox. Three servers; SharePoint, SQL DB and Domain Controller. The SharePoint server couldn't connect to the configuration database. I could still connect via ODBC for Sql authentication using SA account but not Windows authentication. But that user would happily log into SSMS on the sql server itself. I got a better error message from ODBC too and also by checking the failed login messages on sql server:
select text from sys.messages where message_id = '18452' and language_id = 1033
Can't take credit for this because I asked one of our Enterprise Systems Administrators for help and he diagnosed it in about 5 minutes of looking at a few screen shots I sent him. Problem was that the Domain Controller’s clock was set incorrectly! Couldn't believe it. The servers are setup for Host Only networking so don't have internet to sync the clock with. That also explains why rolling back to an earlier snapshot when I know the system was working didn't solve the problem.
Edit: Installing the Guest Additions on the server syncs the guest clock with the host.

Another scenario where you might see this is when you are attempting to connect to another SQL server from an SSMS session that was already logged-in while you changed your password. Sequence of events might go something like:
RDP to Server-A (your SQL Server), open SSMS and login
RDP to Server-B in the same domain and change your password
Return to RDP session on Server-A and via SSMS attempt to add another DB into an existing AlwaysOn availability group. When connecting to replicas you get "untrusted domain"-login-error
To resolve, simply logoff and log back in

You may be misleaded about the username you use locally. That was my case in Windows 10 Home. When I look at users in control panel, I see the name usrpc01. However when I type net config workstation, it appears that the user's name is spc01. Seems like someone renamed the user, but the internal name remained unchanged.
Not knowing how to fix windows user name (and the folder name under C:\Users, which also refers to the original internal name), I added a new user accout on my db server.

I have been trying to log into a SQL Server 2008 from a domain account. The SQL Server 2008 is hosted on a different workgroup computer that is not part of the domain. As strange as it sounds, on the workgroup server where SQL Server 2008 is running, I had to go to System Properties | Computer Name (tab) | Change (button) | Computer Name Change | More... (button) and enter the "Primary DNS suffix of this computer" (it was blank, so enter the desired suffix for your network) and check the "Change primary DNS suffix when domain membership changes" box. This allowed the Windows Authentication process to complete when logging into the SQL Server 2008.

I had to use netonly to get this to work on modern Windows:
runas /netonly /user:domain\user "C:\Program Files (x86)\Microsoft SQL Server\110\Tools\Binn\ManagementStudio\ssms.exe"

Another reason>
someone changed the password for the default SQL user
this happened to me a couple of minutes ago by switching to a new domain controller ...

I had wrong entry in hosts file under C:\Windows\System32\drivers\etc
[Microsoft][SQL Server Native Client 11.0][SQL Server]Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.
Make sure to have entry like below
127.0.0.1 localhost
127.0.0.1 localhost servername

I was using an alias for an SQL Server instance that pointed to "127.0.0.1".
Changing it to "localhost" instead did the trick.

If your Sql Server is running on a server that's is not part of a domain and in the connection string you use a fully qualifed domain name (e.g. xyz.mypc.com) with Integrated Security=True, you might have to switch to using either the IP address, MachineName (SERVER01), or the dot (.) in case it's locally hosted.
This worked for me, using the fqdn resulted in the above error.

in order to enable windows authentication both computers need to be in the same domain. in order to allow managment studios to pass the current credentials and authenticate in the sql box

For me, I have to disconnect (change workgroup/domain) from the Domain and reconnect.

And another possible reason:
The new created local Account on DB Server had the: "User must change Password at next Login" Flag set.

Here's what fixed it for me:
Properties of network connection
Click on: "Internet Protocol Version 4 (TCT/IPv4)".
Click "Properties" button.
Click "Advanced" button.
Select "DNS" tab.
Delete text in "DNS suffix for this connection".

I wasn't able to remotely connect to the SQL server either. Both SQL server and remote server where in the same domain. And I had been requested a password change some days before.
Restarting both the SQL server and the remote server I was trying to access SQL server from did the trick for me.

In our case it was the fact that the developer was running the application pool under his own account, and had reset his password but forgot to change it on the application pool. Duh...

In my case, the server had been disabled in the domain controller. I went into the COMPUTERS OU in Active directory, right-clicked on the server,enabled it, then did a gpupdate /force from the SQL server. It took a moment, but it finally worked.

In my case, in the host file, the machine name is hard coded with older IP.
I replace the older IP with the new one, the issue is resolved.
Host file location
WindowsDrive:\Windows\System32\drivers\etc\hosts
Modifications done
159.xx.xx.xxx MachineName

None of the above worked for me. What I had to do was:
In SQL Server Management Studio on the login screen, select Options >>
In the Network section change the Network protocol to Named Pipes.
Also, what I had to do to make it work with the <default> setting was to disable the wireless network (the machine was also connected to the wired lan).

My fix was to change the web.config file to correlate with my new server name for SQL Connection (IT Security had just done a netdom rename on my development box.