I am trying to figure out what is going on. Here is our setup:
We have four SQL servers that are in replication with each other.

We add a new user to Windows Active Directory and add them to a group that is in SQL Server that we have been using for ages.

The new user, when trying to authenticate using Windows authenication returns that error in the subject line. But, any users that were previously in Active directory work fine.

At one point I had gotten SQL Server “caught up” becauuse we had a group of users that could not log in because of this error. I did some changes to the SPNs and ended up making it so no one could log in. Then I realized how the SPNs were supposed to look and fixed it. Then I guess some magic happened and those users were able to authenticate. I thought it was fixed, but it is obviously not as we had to add one new user and they cannot authenticate.

What is interesting is that the user can authenticate with three out of the four SQL Servers. It is only this one server that is working incorrectly. I set up two SPNs for the SQl Service on this sql server.

They look like –

MSSQLSvc/[servername].[domain].local:1433

MSSQLSvc/[servername]:1433

These are actually registered to the Service account that we use for the SQL Servers. What is interesting is that I can’t find the SPNs for the servers that are working anywhere.

Any help would be appreciated!

Edit: Also, another point to note is that if I try to add the user directly as a login into SQL server. I right click Logins and click Add Login then click search. I then type in [Domain]\[Username] and click check names. It validates the name as being correct. Then I click OK. And then OK again, and it gives the Error Windows NT user or group ‘[Domain]\[Username]’ not found. Check the name Again.