SSPI context error
A recent head-scratcher: my team is starting to block the use of RC4 in Kerberos. We released this change to our first batch of production servers recently. A couple of old SQL servers stopped accepting connections after their patching restarts once the setting got applied. I saw stuff like this in the logs:
Network error code 0x2746 occurred while establishing a connection; the connection has been closed. This may have been caused by client or server login timeout expiration. Time spent during login: total 18 ms, enqueued 0 ms, network writes 0 ms, network reads 1 ms, establishing SSL 1 ms, network reads during SSL 0 ms, network writes during SSL 0 ms, secure calls during SSL 0 ms, enqueued during SSL 0 ms, negotiating SSPI 15 ms, network reads during SSPI 15 ms, network writes during SSPI 0 ms, secure calls during SSPI 0 ms, enqueued during SSPI 0 ms, validating login 0 ms, including user-defined login processing 0 ms.
After a little investigating, we pinned this down to a missing SPN. The instance had SPNs for the host and FQDN with port number, but not with the port number omitted (instance was running on 1433). This Microsoft tool helped: <https://www.microsoft.com/en-us/download/details.aspx?id=39046>.
In short, this was more-or-less solved by checking easily available documentation. The unanswered question for me is “why did it work before?” From where I stand, it doesn’t seem like the cipher change should interact with SPNs in this way. I suspect I’m missing a detail.
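A check for the missing-SPN condition described above, as an added example that is not part of the original post: it compares `setspn -L` output against the port-qualified and port-less MSSQLSvc forms for both the short host name and the FQDN. The account name, host name, domain and the function name `Get-MissingSqlSpn` are hypothetical, and the sample output is constructed.

```powershell
# Constructed sample of `setspn -L <service account>` output (not from the post).
# It mirrors the situation described: host and FQDN are registered with the
# port number, and no SPN exists with the port omitted.
$sampleSetspnOutput = @'
Registered ServicePrincipalNames for CN=svc-sql,OU=Service Accounts,DC=example,DC=com:
    MSSQLSvc/sql01.example.com:1433
    MSSQLSvc/sql01:1433
'@ -split '\r?\n'

function Get-MissingSqlSpn {
    param(
        # Lines as printed by `setspn -L`; blank lines are tolerated.
        [Parameter(Mandatory)] [AllowEmptyString()] [string[]] $SetspnOutput,
        # Hypothetical server FQDN, e.g. sql01.example.com
        [Parameter(Mandatory)] [string] $Fqdn,
        # The instance in the post listened on 1433.
        [int] $Port = 1433
    )

    # Keep only lines that look like service/host SPNs; the header line has
    # no slash and contains spaces, so it is filtered out here.
    $registered = $SetspnOutput |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -match '^[^\s/:]+/\S+$' } |
        ForEach-Object { $_.ToLowerInvariant() }

    # Assumption: both the short name and the FQDN should carry the SPN
    # with and without the port, matching the forms the post mentions.
    $shortName = $Fqdn.Split('.')[0]
    $expected = foreach ($name in @($Fqdn, $shortName)) {
        "MSSQLSvc/${name}:$Port"
        "MSSQLSvc/$name"
    }

    # Emit every expected SPN that is not registered (case-insensitive).
    $expected | Where-Object { $registered -notcontains $_.ToLowerInvariant() }
}

# Offline run against the constructed sample.
Get-MissingSqlSpn -SetspnOutput $sampleSetspnOutput -Fqdn 'sql01.example.com'

# Against a live domain (hypothetical account name):
# Get-MissingSqlSpn -SetspnOutput (setspn -L EXAMPLE\svc-sql) -Fqdn 'sql01.example.com'
```

Any SPN the function reports can be registered with `setspn -S`, which checks for duplicates before adding.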