The login is From an Untrusted Domain and Cannot be Used with Windows Authentication
While using SQL Server, DBAs, application developers, application users and others may encounter various errors depending on the task they are trying to perform. One common error, which can surface when any of these users tries to connect to a SQL Server instance, is shown below.
Logon SSPI handshake failed with error code 0x8009030c while establishing a connection with integrated security; the connection has been closed. [CLIENT: IP Address]
Logon Error: 18452, Severity: 14, State: 1.
Logon Login failed. The login is from an untrusted domain and cannot be used with Windows authentication. [CLIENT: IP Address]
The application or its logs may not show the entire error message, or the error code and severity; these can only be found in the SQL Server errorlog. If we can reproduce the issue at will, it is easy to find the exact error message logged to the SQL errorlog. Even otherwise, the error message includes the client IP address, which helps identify where the connection is coming from.
This error message is very common and can happen for various reasons. Several known causes involve the password. The error can also appear immediately after the password of the login we are connecting with has been changed, because the login credentials are cached.
If the error appears only intermittently in an application using Windows Authentication, it could be because SQL Server cannot contact the Domain Controller to validate the user. This may be caused by connectivity or network issues such as high network load stressing the hardware, a faulty piece of networking equipment, the domain controller being down, etc.
One of the main ways to find the reason for this error is to isolate it to a specific condition. If the error occurs every time an application uses Windows Authentication while the client system and the SQL Server instance are on separate machines, check whether the account used to access the SQL Server instance is a domain account. If it is a local account on the client machine, the error occurs because the SQL Server machine and the Domain Controller cannot recognize a local account on a different machine. Another common reason is that the connecting user is a domain account from a different domain that is not trusted by the SQL Server machine's domain. Another reason could be related to SPNs: the SPNs registered for SQL Server may be incorrect, or duplicates may exist. Another reason could be that SQL Server Authentication is not enabled. Other than these, there could be other reasons too.
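The triage described above (every attempt fails versus intermittent failures) can be run over the errorlog per client address. The following is an added example, not code from the original post; the log excerpt is constructed, and the "Login succeeded" lines assume that auditing of successful logins is enabled on the instance.

```python
import re
from collections import defaultdict

# Constructed errorlog excerpt: timestamps, IPs and account names are made up.
# The "Login succeeded" lines assume auditing of successful logins is enabled.
SAMPLE_LOG = r"""
2016-03-01 09:00:01.10 Logon  Login succeeded for user 'CORP\app1'. Connection made using Windows authentication. [CLIENT: 10.0.0.5]
2016-03-01 09:05:12.33 Logon  SSPI handshake failed with error code 0x8009030c while establishing a connection with integrated security; the connection has been closed. [CLIENT: 10.0.0.9]
2016-03-01 09:05:12.33 Logon  Error: 18452, Severity: 14, State: 1.
2016-03-01 09:05:12.33 Logon  Login failed. The login is from an untrusted domain and cannot be used with Windows authentication. [CLIENT: 10.0.0.9]
2016-03-01 09:07:40.02 Logon  Error: 18452, Severity: 14, State: 1.
2016-03-01 09:07:40.02 Logon  Login failed. The login is from an untrusted domain and cannot be used with Windows authentication. [CLIENT: 10.0.0.5]
2016-03-01 09:08:02.71 Logon  Login succeeded for user 'CORP\app1'. Connection made using Windows authentication. [CLIENT: 10.0.0.5]
2016-03-01 09:20:30.48 Logon  Error: 18452, Severity: 14, State: 1.
2016-03-01 09:20:30.48 Logon  Login failed. The login is from an untrusted domain and cannot be used with Windows authentication. [CLIENT: 10.0.0.9]
"""

CLIENT = re.compile(r"\[CLIENT: ([^\]]+)\]")
UNTRUSTED = "The login is from an untrusted domain"
SUCCESS = "Connection made using Windows authentication"

def triage(log_text):
    """Group untrusted-domain login failures by client and label the pattern."""
    stats = defaultdict(lambda: {"failed": 0, "succeeded": 0})
    for line in log_text.splitlines():
        m = CLIENT.search(line)
        if not m:
            continue  # e.g. the "Error: 18452" line carries no client address
        client = m.group(1).strip()
        if UNTRUSTED in line:
            stats[client]["failed"] += 1
        elif "Login succeeded" in line and SUCCESS in line:
            stats[client]["succeeded"] += 1
        # The SSPI handshake line is skipped so each failure is counted once.
    report = {}
    for client, s in stats.items():
        if s["failed"]:
            # No Windows-auth success at all: look at the account (local or
            # untrusted domain) and SPNs. Mixed results: look at DC reachability.
            pattern = "intermittent" if s["succeeded"] else "persistent"
            report[client] = {**s, "pattern": pattern}
    return report

if __name__ == "__main__":
    for client, info in sorted(triage(SAMPLE_LOG).items()):
        print(client, info)
```

Without audited successful logins every failing client is reported as persistent, so read that label together with the instance's login audit setting.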
Hope this was helpful.
This is applicable to the following versions of SQL Server:
SQL Server 2005
SQL Server 2008 R2
SQL Server 2012
SQL Server 2014
SQL Server 2016