When Foglight agents are configured to monitor both a SQL Server Availability Group (AG) listener and the primary node directly, SQL Server error logs may show repeated SSPI handshake failures and Kerberos authentication errors.
Monitoring SQL Server AG (Availability Group) listeners is currently not supported.
Monitoring both the AG listener and the primary node causes Foglight to make duplicate authentication attempts to the same SQL Server instance. This can result in SSPI handshake failed messages and Kerberos/SPN-related errors in the SQL Server error log, such as:
SSPI handshake failed with error code 0x8009030c
Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
This occurs because both agents connect to the same SQL Server node (the AG primary), often using the same service account, which can trigger SPN conflicts or authentication failures.
Only configure Foglight agents to monitor the individual AG nodes directly. Do not monitor the AG listener as a separate agent.
Remove any agent configured for the listener to prevent duplicate authentication attempts and SSPI/Kerberos errors in SQL Server logs.
Ensure SPNs are correctly registered to the SQL Server service account if Kerberos authentication is required.
An enhancement ISMTS-431 has been requested for Foglight to automatically detect and warn users when both an AG listener and its underlying primary node(s) are being monitored, to prevent unsupported configurations and reduce troubleshooting time. This will be reviewed by Product Management for consideration in a future release of the SQL Server cartridge.
