Lesson Learned #141: The target principal name is incorrect connecting to Azure SQL Database.

This post has been republished via RSS; it originally appeared at: Azure Database Support Blog articles.

Today, I worked on an interesting service request where our customer tried to connect using the FQDN of their private link endpoint, servername.privatelink.database.windows.net, and got the error: Error 0 - The target principal name is incorrect. Why?


Here we have two issues to explain:


  • First of all, once you have created a private endpoint you do not need to connect using the private link FQDN; what matters is how the private endpoint was created. If you enabled the private DNS zone for a specific VNET and subnet, your DNS gets a new entry that resolves servername.database.windows.net to the private IP of the endpoint. If you did not enable that private DNS zone, or did not allow the DNS entry to be updated, the name still resolves to the public IP. This is the first thing to know, so always check the DNS resolution after enabling a private endpoint.
  • Second, when you establish the connection to Azure SQL Database, our gateway encrypts the traffic using the certificate we hold for the domain *.database.windows.net. For this reason, if you connect to servername.privatelink.database.windows.net, the name does not match that certificate and you get "Error 0 - The target principal name is incorrect". If you want to skip this validation, you need to set the "Trust Server Certificate" parameter in your connection string and you will be able to connect. But my recommendation is to always use servername.database.windows.net and configure your DNS correctly, to prevent any additional problems.
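The two points above, as an added example that is not part of the original post: a single-label wildcard check shows why the gateway certificate for *.database.windows.net covers servername.database.windows.net but not servername.privatelink.database.windows.net, and a resolver check reports whether the server name is currently answered with a private or a public address. The server name, the DNS answers and the RFC 1918 assumption for the VNET range are all constructed here; in practice pass socket.gethostbyname as the resolver.

```python
"""Added example (not from the original post): why the private-link FQDN fails
certificate name validation, and how to check what DNS is handing you.
Server names and DNS answers are constructed; the resolver is injectable."""
import ipaddress
from typing import Callable

GATEWAY_CERT_NAME = "*.database.windows.net"   # name on the gateway certificate, as the post states
# Assumption: the VNET uses RFC 1918 address space, so a private endpoint answer lands here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def hostname_matches(hostname: str, pattern: str) -> bool:
    """RFC 6125-style name check: a leading '*' matches exactly one DNS label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False            # the wildcard never spans 'servername.privatelink'
    if pat[0] == "*":
        return host[1:] == pat[1:]
    return host == pat


def resolution_kind(name: str, resolve: Callable[[str], str]) -> str:
    """'private' if the answer is in RFC 1918 space (assumed VNET range), else 'public'."""
    ip = ipaddress.ip_address(resolve(name))
    return "private" if any(ip in net for net in RFC1918) else "public"


def connection_string(server: str, trust_server_certificate: bool = False) -> str:
    """ADO.NET-style string; TrustServerCertificate=True turns certificate validation off."""
    return (f"Server=tcp:{server},1433;Encrypt=True;"
            f"TrustServerCertificate={'True' if trust_server_certificate else 'False'};")


if __name__ == "__main__":
    # Constructed DNS answers: private DNS zone linked to the VNET vs. not linked.
    with_private_zone = {"myserver.database.windows.net": "10.1.2.4"}.get
    without_private_zone = {"myserver.database.windows.net": "203.0.113.10"}.get
    for name in ("myserver.database.windows.net", "myserver.privatelink.database.windows.net"):
        ok = hostname_matches(name, GATEWAY_CERT_NAME)
        print(f"{name}: cert name {'matches' if ok else 'does NOT match'} {GATEWAY_CERT_NAME}")
    print("private DNS zone linked  ->", resolution_kind("myserver.database.windows.net", with_private_zone))
    print("private DNS zone missing ->", resolution_kind("myserver.database.windows.net", without_private_zone))
    print(connection_string("myserver.database.windows.net"))
```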


Enjoy

One Reply to “Lesson Learned #141: The target principal name is incorrect connecting to Azure SQL Database.”

  1. I have an Azure SQL (Serv1) Server that is using a Private End Point. For the most part, everything is working fine, I can connect, I can read and write data – all is good.
    However, I have another Azure SQL Server (Serv2) that is using an External data from Serv1. By default Serv2 will use the Public IP of Serv1 causing a failure because public access has been denied. I can’t use the Private DNS because then I get the Target Principal error.

    What are my options?
