The target principal name is incorrect. Cannot generate SSPI context.

SQL Server 2014 Enterprise Edition

Recently ran into this problem when changing to a domain account for the SQL Server database engine service from a local system account.  After the change while I could still connect to my instance from the same host, attempts to connect from a remote client invariably failed with the error message in the subject

“The target principal name is incorrect. Cannot generate SSPI context.”

After reading up on Kerberos and NTLM authentication in SQL Server I eventually determined the issue was incorrect SPN (Service Principal Name).

Note that below MYSQLSERVER is the name of the SQL Server host, and MYSQLSERVER_SVC is the domain service account.  As mentioned earlier, originally I was using a local system account to start the database engine, leading to the SPNs being registered to the server itself.  When I switched over to a domain user that didn’t have the permissions to read or write SPNs it was unable to use Kerberos to authenticate AND was unable to drop down to NTLM (drop down to NTLM security is only possible if NO matching SPN found, but in this case it had found a matching SPN but that SPN was associated to the system itself).



As seen below,



are associated with MYSQLSERVER (the system)  and that no SPNs are associated with MYSQLSERVER_SVC (the domain account)

With the setup above, as noted, I would get the error message in the subject line whenever I tried to connect from anything other than the system running SQL Server.

To resolve I deleted the SPNs from the system and added them to the service account.


Delete the SPNs from the system object in AD


Add the SPNs to the domain service account


And voila!

Once this was done I restarted SQL Server and was able to connect successfully.



Great pair of links explaining the issue and a little about NTLM/Kerberos:

Microsoft 411


Enabling PHP/Oracle connectivity on RedHat with WebTatic

Download rpms for Oracle instantclient basic AND instantclient devel

1) Install libaio (required dependency for the instant client installation)

yum install libaio

2) Install the instant client rpms

rpm -ivh instantclient-basic.rpm

rpm -ivh instantclient-devel.rpm

3) Install pear and devel (gives us access to pecl)

rum install php55w-pear

yum install php55w-devel

4) Install oci8 (the oracle driver)

pecl install oci8

5) Add the extension to the php.ini file so that it is available

vi /etc/php.ini (add

6) Restart httpd to pick up the changes

service httpd restart


A couple quick useful commands:

httpd -M (list modules)
php -m (list modules)
php -n -m (list modules but don’t parse any additional extension files)

Pycharm show test result statistics (Passed/Failed)

An incredibly trivial issue that I’m posting here just as a reminder, as it cost me about an hour of frustration.

New to Pycharm and running tests I noticed that I didn’t appear to have the right-most panel (the Statistics Pane) as in all the examples I had seen:


Took me forever to finally find the option to enable statistics by clicking on the blue gear, mostly because I had no idea what the panel was even called until I reviewed the PyCharm docs.


ORA-00980: synonym translation is no longer valid

Recently ran into an issue where a query, which worked when run directly, failed with the above error when placed in a PL/SQL procedure.

The set up was basically:

Server A:


SCHEMA2: No objects, but select on SCHEMA1.TABLE1

Public synonym TABLE1 for SCHEMA1.TABLE1

Server B:

DBLINK1: Public DB Link to Server A using SCHEMA2 credentials


PROCEDURE1: contained a select against SYNONYM2

So when we would query SYNONYM2, it would resolve to TABLE1@DBLINK1, which in turn (using the remote public synonym TABLE1->SCHEMA1->TABLE1) would resolve to SCHEMA1.TABLE1@DBLINK1.

This worked fine in a query outside of PL/SQL, but once added to a procedure we would get the ORA-00980: synonym translation is no longer valid error.  After some digging found that this is a known issue – [ID 453754.1].  Basically this simply will not work, it sounds more or less like yet another limitation of PL/SQL – you cannot query a synonym which in turn queries another synonym across a DB link.  Instead, you must fully qualify the second synonym (so in our case, instead of creating the local synonym as SYNONYM2 for TABLE1@DBLINK1 we created SYNONYM2 for SCHEMA1.TABLE1@DBLINK1).

Naturally, although this issue has been around forever, Oracle claims it is ‘not a bug’.

The case of the mysterious

Just  quick note about a problem I ran into recently.  A previously healthy PHP application suddenly started failing with the following error:

However, nothing had changed on either the application or database side.  The DB was up and healthy, and the connection string from the php application appeared correct.  Checking tnsping on the client, I realized that for some reason the DB service name (ORCL.WORLD) was no longer resolving to the DBServer1 host, but instead was resolving to IP

While I was familiar with the conventional loopback address, 53.53 was not something I’d seen before.  A bit of investigation led to this:

But why did this cause my app to fail?  The culprit was my sqlnet.ora, which listed

What happened was previously, when Oracle attempted to resolve ORCL.WORLD it would first invoke EZConnect, receiving an NXDOMAIN (not a domain) as a response – because of this failure it would then utilize the tnsnames file and correctly resolve the address.  However, now when using EZConnect Oracle receives a response ( and, thinking that it has located the server, attempts to connect.

Swapping EZCONNECT and TNSNAMES (so that TNSNAMES is queried first) resolved the issue.

Executing Oracle functions and procedures in SQLPlus and PL/SQL

Just a quick TIL to reinforce my memory on this point.

I often come across code snippets online which take the form

Usually my first reaction to this is one of confusion – why is there a colon before test (is it a bind variable?) – why do I need to set test equal to a value if I don’t intend to use it?  Furthermore, if I attempt just

I get errors stating that the wrong number of parameters were used – which always strikes me as odd, given that it has the exact same parameters as the first example (which runs successfully).


Some notes:

  • In this case DBMS_SPM.LOAD_CURSOR_FROM_CACHE is a function (not a stored procedure) – for functions, you must either call the function like
    • select function(arguments) from dual
    • provide a variable to catch the returned value

in SQLPlus

using anonymous PL/SQL block

Note that stored procedures do not require a variable to catch a return.

EM 12c – find a user / schema in all databases

When deprovisioning users (for reasons of employment termination, consulting engagement completion, etc.) we must often lock or completely remove user accounts in potentially numerous databases.

If these databases are tracked within Enterprise Manager Cloud Control 12c, there is a fairly handy view that drastically improves this process, namely the SYSMAN.MGMT$DB_USERS view in your Grid Repository database



Oracle user privileges on directory

Keep on forgetting this fact, so I’m committing it to the internet’s memory (as mine is suspect).

To view user privileges on a directory, use the dba_tab_privs view.  As this is Oracle, of course it would be ridiculous to expect that the “tab” in the view stands for table…  One would almost think there would be a dba_obj_privs (as with dba_obj_audit_opts) but of course not.  Don’t let the column name ‘TABLE_NAME’ fool you either, TMPDIR below is actually just a directory.




Creating a DSN on Windows to Oracle 11

Fairly simple process, but wanted to note it for future.

First, downloaded the Oracle InstantClient (Basic) and InstantClient ODBC packages:


Then created a folder (C:\oracle_instantclient) and extracted the two downloaded zip files inside the folder.  Both will create and extract into a folder named instantclient_11_2.

While here, I also created a tnsnames folder for steps below.


Inside the instantclient_11_2 folder I ran odbc_install.exe – Oracle could do a better job of feedback, as all I saw was a flash of a command prompt, but whatever…

Then in Environment Variables I added C:\oracle_instantclient\instantclient_11_2 to the PATH variable, and created a TNS_ADMIN variable pointing at my tnsnames folder (C:\oracle_instantclient\tnsnames).

path_variable tnsnames_variable

I created a tnsnames.ora file inside of the tnsnames directory, and added a tns entry



I’m using the 32 bit client, so instead of using the default ODBC administrator, I launch the 32 bit version from C:\Windows\SysWOW64\odbcad32.exe.


I can now see and use the ODBC driver for Oracle:






« Older Entries