Knowledge Base Article: Error Numbers: 3709, 3704, 91, -2147467259 due to Network & SQL Server Connection Errors.

Error Numbers: 3709, 3704, 91, -2147467259 due to Network & SQL Server Connection Errors.

Networking:2

Error 3709 3704 91 -2147467259 Network SQL Server Connection Errors SSPI Kerberos Windows Integrated

HelpMaster > Database > Connection Issues

Database

4/13/2012 10:12:38 AM

4/5/2017 6:01:50 PM

Average Rating (from {{model.ratings}} ratings)
0 Attachments
0 See Also Links

Applies to

HelpMaster (All versions)

Overview

Occasionally due to network congestion or network/SQL Server connection failures one of the above errors may occur. HelpMaster Pro Enterprise Edition may then continually repeat a series of these errors until it is shut down and re-started. If you check your System Event Log you may also find the following two entries;

 

[image]

 

Details of these two events are as follows;

 

[image][image]

 

This is an issue with SSPI Kerberos authentication (Windows NT Integrated Authentication) over the TCP/IP transport protocol between the Client machine running HelpMaster Pro and the SQL Server. It occurs after a connection interruption between the two thus initiating an authentication downgrade which is not possible to establish if the SQL Server service is running using any other user account apart from the System account on the SQL Server. That’s because the non-system user account doesn’t have permission to reset or re-create the "Service Principle Name" (SPN) container.

 

Resolution

Any one, or a combination, of the following options should overcome this Microsoft security “feature”;

 

  1. Change the network transport protocol from TCP/IP to another network transport protocol.

  2. The SQL Server database connection authentication can be changed from Windows NT Integrated to SQL Login authentication, and thus the SSPI context will not be used.

  3. The SQL Server service can be reset to use the local “System” account and thus permissions will be in place to reset the SPN.

  4. For security reasons step 3 above may not be an option, therefore when Windows NT Integrated Authentication is required over TCP/IP, AND the SQL Server service must run under an account other than the System account, an SPN container must be manually created using Microsoft’s “setSPN.exe” utility. This utility is available for download from Microsoft as part of the “Windows Support Tools” set.

 

Further Information

 

Detailed information regarding this issue can be found in the following Microsoft Knowledge Base article

http://support.microsoft.com/?id=811889 .

 

The “setspn.exe” utility for Windows 2000 Server can be downloaded from Microsoft here

http://www.microsoft.com/downloads/details.aspx?FamilyID=5fd831fd-ab77-46a3-9cfe-ff01d29e5c46&displaylang=en&Hash=99NFGL8 .

 

The “setspn.exe” utility for Windows 2003 Server can be found on the installation CD. Instructions for accessing this tool and the other support tools from the CD can be found here

http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/suptools_overview.asp .

 

Syntax for use of the “setspn.exe” command line utility can be found here

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adminsql/ad_security_2gmm.asp .