App Control: Cannot Generate SSPI Context

Article ID: 288706

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

  • Console displays a Fatal Error similar to:
    Network error while trying to communicate with Carbon Black App Control Server
    Error: Could not connect to host
  • ServerLog.bt9 contains errors similar to:
    Connection attempt failed: [Microsoft][SQL Server Native Client 11.0]SQL Server Network Interfaces: The target principal name is incorrect.
    
    [Microsoft][SQL Server Native Client 11.0]Cannot generate SSPI context
    [Microsoft][SQL Server Native Client 11.0]Invalid connection string attribute
    CConnection::Connect: Giving up on trying to reconnect to the database.

Environment

  • App Control Server: All Supported Versions
  • Microsoft SQL Server: All Supported Versions

Cause

Communication and/or authentication issues exist between the local application server hosting the Console and the remote SQL Server hosting the database.

Resolution

  1. Verify the permissions for the Carbon Black Service Account have not changed.
  2. Verify that the TLS/Cipher Suite configuration in the Operating System has not changed.
    • The application server hosting the Console must be able to communicate with the Domain Controller (if necessary) to validate credentials.
    • The application server hosting the Console must be able to communicate with the SQL Server.
    • A mismatch in Cipher Suites will cause communication disruption.
  3. Log in to the application server hosting the Console as the Carbon Black Service account.
    • This verifies the domain account is not locked out.
    • This verifies any connection attempt will be made using the same credentials as App Control.
  4. From an administrative PowerShell session, run Test-ComputerSecureChannel:
    Test-ComputerSecureChannel -Verbose
  5. If this returns False, attempt to repair the Active Directory secure channel using the following PowerShell command:
    Test-ComputerSecureChannel -Repair -Verbose -Credential Domain\DomainAdmin
  6. When prompted, enter the credentials for a user that is a member of the Domain Administrator group.
  7. If this also fails, the computer may need to be fully removed from the Domain and added back in to fully re-establish trust.
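
The checks in steps 2 through 4 can be collected in one pass with the script below, which is an added example and not part of the original article or Carbon Black tooling. It assumes Windows PowerShell 5.1, an elevated session logged in as the Carbon Black Service account, and a SQL Server listening on TCP 1433; the host name `sql01.example.com` and the output file path are placeholders.

```powershell
# Added diagnostic sketch (not vendor code). Run elevated in Windows PowerShell 5.1
# on the application server, logged in as the Carbon Black Service account.
param(
    [string]$SqlServer = 'sql01.example.com',  # placeholder: your SQL Server host
    [int]$SqlPort      = 1433                  # assumption: default SQL Server port
)

$results = [ordered]@{}

# Step 3: confirm which identity the connection attempts will use.
$results['RunningAs'] = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

# Step 4: state of this computer's secure channel to the domain.
try   { $results['SecureChannel'] = Test-ComputerSecureChannel }
catch { $results['SecureChannel'] = "Error: $($_.Exception.Message)" }

# Step 2: can this host reach the SQL Server over TCP at all?
$tcp = Test-NetConnection -ComputerName $SqlServer -Port $SqlPort -WarningAction SilentlyContinue
$results['SqlTcpReachable'] = $tcp.TcpTestSucceeded

# Step 2: save the enabled cipher suites so the list can be compared with
# the same output collected on the SQL Server host.
$suiteFile = Join-Path $env:TEMP "cipher-suites-$env:COMPUTERNAME.txt"  # placeholder path
(Get-TlsCipherSuite).Name | Sort-Object | Set-Content -Path $suiteFile
$results['CipherSuiteList'] = $suiteFile

# Step 3: attempt a Windows-integrated (SSPI) login outside of App Control.
# A failure here carries the underlying SQL client error text.
$connString = "Server=$SqlServer,$SqlPort;Integrated Security=SSPI;Connect Timeout=10"
$conn = New-Object System.Data.SqlClient.SqlConnection($connString)
try {
    $conn.Open()
    $results['SqlIntegratedAuth'] = 'OK'
}
catch {
    $results['SqlIntegratedAuth'] = "Failed: $($_.Exception.GetBaseException().Message)"
}
finally {
    $conn.Dispose()
}

[pscustomobject]$results | Format-List
```

If `SecureChannel` is False, continue with step 5. If `SqlTcpReachable` is True but `SqlIntegratedAuth` fails, compare the saved cipher suite list with the SQL Server host and recheck the service account permissions from step 1.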