Released: Kerberos Configuration Manager for SQL Server

Released: Kerberos Configuration Manager for SQL Server

Rate This
  • Comments 9

Kerberos Configuration Manager for SQL Server (KerberosConfigMgr) was released on May 15th 2013, and is available for download at the Microsoft Download Center at

This diagnostic tool can help to troubleshoot Kerberos-related configuration issues with SQL Server, which is very exciting for us because Kerberos authentication plays a critical role in many BI-related authentication and delegation scenarios, such as to enable multi-tier BI solutions to access external data sources securely on behalf of the user. To enable end-to-end delegation all the way from the client through the middle-tier components to the external data sources, a Service Principal Name (SPN) must be registered within Active Directory Domain Services (AD DS) for each SharePoint service account, and then Kerberos Constrained Delegation (KCD) must be configured, which can be quite challenging in enterprise environments with complex AD topologies.

Even though SharePoint shared services, such as Excel Services, Performance Point Services, and SQL Server Reporting Services, can use the EffectiveUserName connection string property of Analysis Services for per-user authentication and eliminate in this way the need to configure KCD between SharePoint shared services and Analysis Services, KCD is still a requirement if Analysis Services is supposed to access further data sources, such as SQL Server databases on behalf of the user. One example is Analysis Services running in PowerPivot mode performing data refresh for an interactive user. Another example is Analysis Services running in Tabular mode hosting a data model with DirectQuery enabled.

KerberosConfigMgr can perform the following functions:

  • Gather information on OS and Microsoft SQL Server instances installed on a server.
  • Report on all SPN and delegation configurations on the server.
  • Identify potential problems in SPNs and delegations.
  • Fix potential SPN problems.

For more information about KerberosConfigMgr, visit the Microsoft Download Center.

Leave a Comment
  • Please add 4 and 7 and type the answer here:
  • Post
  • I can see the constrained delegation configured for my SharePoint service account to the MSOLPSvc.3 service on my SQL 2012 SSAS server, however, this tool does not show any evidence of the Kerberos configuration.  I am assuming the tool is correct since I am having issues connecting over the double hop, but I can see the SPN records when running setspn -l from the command line.  There is no option to fix the Kerberos configuration.  What is the tool checking for, and what could I be missing?  Thanks!

  • The tool does not seem to be aware of AlwaysOn availability groups and the required Kerberos configuration thereof. When can we expect an updated version that is AlwaysOn cluster aware?

  • Kay - It was great meeting you at TechEd.

    This is awesome news. Looking forward to downloading and testing this tool. Will report back with any issues or comments.

  • I little half-heartd I am afraid given it was originally developed in 1999! Great idea, certainly well overdue, but not really that helpful. SPN generator is useful though, too bad it only does it for database engine, not the analysis services.

  • is there any way this could be open sourced so the community can contribute to the development or  created as a command line tool, so that it can be used in large environments

  • Hello,

    great Blog entry. But it is missing the most important and simple point: HOW TO START THE TOOL. It doesn't create start menu icon. And maybe how to use it.


  • if you used the default installation path, then go to the following folder:

    C:\Program Files\Microsoft\Kerberos Configuration Manager for SQL Server\

    double click the KerberosConfigMgr.exe  to launch the application.

    see blog:

  • For the record @John D , it already works as a command line tool. You can try it by running it from command prompt with the -h flag. If no flags are used, it's launched with a gui.

  • So people know - if you're using an alias on a client to point to a default instance, you need to register a SPN for


    This tool won't suggest it, but connections through the alias will make requests with the 1433 port, and it will fail. You could blow almost two weeks troubleshooting this... ask me how I know.

Page 1 of 1 (9 items)