Service Principal Name (SPN)


Did you know that, beginning with SQL Server 2008, support for service principal names (SPNs) has been extended to enable mutual authentication across all protocols? Administrators can now define their own SPNs. SQL Server 2008 thus makes secure authentication more manageable and reliable by allowing clients to directly specify the SPN to use.

For more information, click here:

http://msdn2.microsoft.com/en-us/library/cc280459(SQL.100).aspx

----
Tres London
SQL Server Protocols
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights

  • Tres,

    We are getting the following error:  

    The SQL Server Network Interface library could not register the Service Principal Name (SPN) for the SQL Server service. Error: 0x2098, state: 15. Failure to register an SPN may cause integrated authentication to fall back to NTLM instead of Kerberos. This is an informational message. Further action is only required if Kerberos authentication is required by authentication policies.

    OS is Windows 2008 Enterprise

    and SQL Server 2008

    I tried to run the SQL Server with a local admin account and then with a domain account. Both don't work.

    Any idea of such issue on this platform?

    Prashant Thakwani

  • This is an expected message if the server runs under local admin or any domain account.

    If you run SQL as Network Service or Local System, then the service will have the ability to self-register its SPN.

    If you run SQL as any other account, you will see this error message.  If you want to use Kerberos to connect to your SQL Server, you will need to manually register the SPN for the account that SQL Server is running under using the SetSPN tool.

    See this blog entry for more details:

    http://blogs.msdn.com/sql_protocols/archive/2005/10/12/479871.aspx

  • Matt,

    Thanks for the reply. Even if I am trying to run that through Local System, it was giving me the same error message. Actually, I got the solution and have posted that to the MSDN blog at

    http://social.msdn.microsoft.com/Forums/en-US/sqldatabaseengine/thread/772834e7-9b96-4e88-bdc5-aebff246bfb4/

    Regards

    Prashant Thakwani

  • Don't know if you figured this out but you can use the following syntax as a complete line

    Setspn -A SQLSvcs/servername/instancename:1433 domainName\ServiceName

    then again using the FQDN

    Setspn -A SQLSvcs/servername/instancename.domainname.com:1433 DomainName\ServiceName

    Every time you set up an SPN you need to do both.

  • Will a servername length greater than 15 characters prevent the SPN registration?  If so, is there a definitive statement of how servername length enters into this?
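
The manual registration discussed in the comments above, as an added PowerShell example that is not part of the original post or its comments: it builds SPNs with the `MSSQLSvc` service class that SQL Server uses and registers them with `setspn -S`. The host, domain, instance and account names are constructed placeholders, and the function names are hypothetical.

```powershell
# Added example: every host, domain, instance and account value below is a constructed placeholder.
function Get-SqlSpnCandidate {
    param(
        [Parameter(Mandatory)][string]$HostName,    # short (NetBIOS) host name
        [Parameter(Mandatory)][string]$DnsDomain,   # DNS suffix of the host
        [int]$Port = 1433,                          # TCP port the instance listens on
        [string]$InstanceName                       # leave empty for a default instance
    )
    $fqdn = "$HostName.$DnsDomain"
    # One SPN per name a client may connect with: the short name and the FQDN.
    $spns = @("MSSQLSvc/${HostName}:$Port", "MSSQLSvc/${fqdn}:$Port")
    # A named instance reached over a protocol other than TCP uses the
    # instance name in place of the port.
    if ($InstanceName) { $spns += "MSSQLSvc/${fqdn}:$InstanceName" }
    return $spns
}

function Register-SqlSpn {
    param(
        [Parameter(Mandatory)][string[]]$Spn,
        [Parameter(Mandatory)][string]$Account,     # DOMAIN\account the service runs as
        [switch]$Apply                              # without -Apply, only print the commands
    )
    foreach ($s in $Spn) {
        if (-not $Apply) { "setspn -S $s $Account"; continue }
        # -S adds the SPN only after checking that no other account already
        # holds it; a duplicate SPN makes Kerberos ticket requests for the
        # service fail.
        & setspn.exe -S $s $Account
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "setspn failed for $s (exit code $LASTEXITCODE)"
        }
    }
    # List what is now registered on the service account.
    if ($Apply) { & setspn.exe -L $Account }
}

# Dry run: prints the three setspn commands without touching the directory.
$spns = Get-SqlSpnCandidate -HostName 'SQLHOST01' -DnsDomain 'corp.example.com' -InstanceName 'INST1'
Register-SqlSpn -Spn $spns -Account 'CORP\svc-sql'
```

Run it with `-Apply` from an account that is allowed to write the `servicePrincipalName` attribute of the service account.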
