Post reply

Service Principal Names

  • August 7, 2014 at 12:09 am

    #310012

    Comments posted to this topic are about the item Service Principal Names

  • August 7, 2014 at 12:45 am

    #1735848

    Useful question.

    I find the documention on this is utterly awful, almost incomprehensible; so getting it right was quite a surprise. I wouldn't have been at all confident if I'd had to do this in real life - so I hope I'll remember the answer now.

    Tom

  • August 7, 2014 at 2:53 am

    #1735878

    TomThomson (8/7/2014)

    Useful question.

    I find the documention on this is utterly awful, almost incomprehensible; so getting it right was quite a surprise. I wouldn't have been at all confident if I'd had to do this in real life - so I hope I'll remember the answer now.

    Totally agree Tom!

    Thanks for the Q, will attempt to remember this too!

  • August 7, 2014 at 3:45 am

    #1735892

    Easy one, but just because I installed many SQL Servers that needed Kerberos Authentication.

  • August 7, 2014 at 4:47 am

    #1735908

    Mighty (8/7/2014)

    Easy one, but just because I installed many SQL Servers that needed Kerberos Authentication.

    +1

  • August 7, 2014 at 5:27 am

    This was removed by the editor as SPAM

  • August 7, 2014 at 5:53 am

    #1735925

    We've been doing it at least once a week for last couple of months. Got it right. +1

  • August 7, 2014 at 7:32 am

    #1735959

    easy

  • August 7, 2014 at 10:46 am

    #1736090

    Thank for the post, new one to me.

    I really had no idea what is this all about, I just referred the help and got the below and then selected the match, for next few minutes I am going to spend some time on reading this. 🙂

    Setspn -s http/<computername>.<domainname>:<port> <domain-user-account>

    ww; Raghu
    --
    The first and the hardest SQL statement I have wrote- "select * from customers" - and I was happy and felt smart.

  • August 7, 2014 at 11:00 am

    #1736101

    Thanks for the question Tom. I've never had to use Kerberos but it is always good to know how to implement different configurations.

  • August 7, 2014 at 3:32 pm

    #1736224

    Interesting... I always thought you needed both the FQDN and the NETBIOS name... at least that was a recommendation the last time I read up on it... 🙁


    --Mark Tassin
    MCITP - SQL Server DBA
    Proud member of the Anti-RBAR alliance.
    For help with Performance click this link[/url]
    For tips on how to post your problems[/url]

  • August 8, 2014 at 12:21 am

    #1736295

    Nice to know....

  • August 8, 2014 at 12:23 am

    #1736296

    Interesting and useful

  • August 8, 2014 at 12:50 am

    #1736303

    Thanks for the question.

    Need an answer? No, you need a question
    My blog at https://sqlkover.com.
    MCSE Business Intelligence - Microsoft Data Platform MVP

  • August 11, 2014 at 5:24 am

    #1736797

    Thanks for the question.

    Absolutely agree that the documentation is poor and incomplete. The docs do make more sense if you really understand how an SPN works in a kerberos environment - which I don't! Subjects such as Constrained Delegation also become clearer.

    Just a comment on Answer B. You can only specify the Instance Name when configuring an SPN for a non-TCP protocol. When registering the MSSQL Service for an SPN using TCP, you must specify the Port Number; the Instance Name is not valid. Which also means dynamic ports will not work for true Kerberos authentication.

    The Instance Name is valid for non-TCP protocols, such as Named Pipes and Shared Memory.

    The subject was discussed recently in the forum "Register SPN for SQL Service account"

    http://www.sqlservercentral.com/Forums/Topic1551205-1526-1.aspx

Viewing 15 posts - 1 through 14 (of 14 total)

You must be logged in to reply to this topic. Login to reply