
Microsoft Always On VPN provides seamless and transparent remote access to corporate applications and data. In most cases, accessing resources over the VPN works the same as on-premises. However, a few folks have asked recently about an issue they found when using SQL Server Management Studio (SSMS) to connect to a remote SQL server over Always On VPN.
Principal Name Incorrect
Administrators may encounter the following error message when using SSMS to connect to Microsoft SQL servers over an Always On VPN connection.
“The target principal name is incorrect. Cannot generate SSPI context. (Microsoft SQL Server)”
Resolution
There are a few different ways to resolve this issue. Choose the option that works best in your environment.
VPN Configuration
For Always On VPN deployments with Windows 11 24H2 and later clients, add the following setting to your XML configuration file.
<UseRasCredentials>false</UseRasCredentials>
For clients older than Windows 11 24H2, you must edit the rasphone.pbk file setting as follows.
UseRasCredentials=0
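One way to script the rasphone.pbk change above for a single connection, as an added example rather than code from the original post. The function name, the profile name 'Always On VPN', and the sample phonebook contents are assumptions constructed for illustration.

```powershell
# Added example: set UseRasCredentials for one [section] of a rasphone.pbk file.
# Set-PbkUseRasCredentials is a hypothetical helper, not a built-in cmdlet.
function Set-PbkUseRasCredentials {
    param(
        [Parameter(Mandatory)] [string] $Path,         # phonebook file to edit
        [Parameter(Mandatory)] [string] $ProfileName,  # [section] name = VPN connection name
        [ValidateSet(0, 1)] [int] $Value = 0
    )
    $inSection = $false
    $updated = $false
    $out = foreach ($line in @(Get-Content -LiteralPath $Path)) {
        if ($line -match '^\[(.+)\]\s*$') {
            # Section header: track whether we are inside the target connection.
            $inSection = ($Matches[1] -eq $ProfileName)
        }
        elseif ($inSection -and $line -match '^\s*UseRasCredentials\s*=') {
            # Rewrite the setting only inside the target section.
            $line = "UseRasCredentials=$Value"
            $updated = $true
        }
        $line
    }
    if (-not $updated) {
        Write-Warning "No UseRasCredentials line found for [$ProfileName] in $Path; file left unchanged."
        return $false
    }
    # Keep a copy of the original phonebook before overwriting it.
    Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force
    Set-Content -LiteralPath $Path -Value $out
    return $true
}

# Constructed sample phonebook so the example runs without touching a real profile.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'rasphone-sample.pbk'
@'
[Always On VPN]
Encoding=1
UseRasCredentials=1

[Other VPN]
Encoding=1
UseRasCredentials=1
'@ | Set-Content -LiteralPath $sample

Set-PbkUseRasCredentials -Path $sample -ProfileName 'Always On VPN'
Get-Content -LiteralPath $sample   # only the [Always On VPN] entry now reads UseRasCredentials=0
```

On a real client, point -Path at the phonebook that holds the connection; user tunnel profiles are normally stored in $env:APPDATA\Microsoft\Network\Connections\Pbk\rasphone.pbk.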
Group Policy
Optionally, a Group Policy Object (GPO) can be created and applied to target endpoints. For testing, you can enable this setting using the local group policy editor (gpedit.msc). Using either method, enable the following group policy setting.
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network access: Do not allow storage of passwords and credentials for network authentication = Enabled
Registry Editor
This method can be used for local testing. Open the Windows Registry Editor (regedit.exe) on a test client and create the following entry.
Key = HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Name = DisableDomainCreds
Type = DWORD
Value = 1
PowerShell
The following PowerShell command will also create the required registry entry. Administrators can run the command interactively or deploy it via automation.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name DisableDomainCreds -Value 1 -Type DWord