April 28, 2016 at 2:53 am
After rebooting the server running Windows Server 2012 and SQL Server 2012 there was an entry in the error log:
Message
The SQL Server Network Interface library could not register the Service Principal Name (SPN) [ MSSQLSvc/SERVERNAME.DOMAIN.ORG:52163 ] for the SQL Server service. Windows return code: 0x2098, state: 15. Failure to register a SPN might cause integrated authentication to use NTLM instead of Kerberos. This is an informational message. Further action is only required if Kerberos authentication is required by authentication policies and if the SPN has not been manually registered.
But when I run the query:
select auth_scheme from sys.dm_exec_connections
I can see KERBEROS connections active. How is that possible? When I run setspn -L SQLServiceAccount on the server there are no SPNs registered for that SQL instance using the domain SQLServiceAccount.
Thanks
April 28, 2016 at 7:50 am
There is a free downloadable program from MS called "Kerberos Configuration Manager". If you search on it, you should be able to download it and run it against your server(s), and the tool will tell you if an SPN is missing and even create the necessary SPNs without you having to run the command line commands. We use it all the time and it has been a great help to us - time saver.
April 28, 2016 at 8:44 am
Thanks a lot - I didn't know about that tool.
After installing and running Kerberos Configuration Manager I get an error message: Unable to access User Principal information from the System.
So no luck for me to solve the problem.
Thank you for your help.
April 28, 2016 at 8:54 am
I searched on your error, and I think it is pointing to a permission issue. Please make sure your account, or the account you are accessing the server with the tool, has admin rights (in the admin group on the server) to it when you run the tool. Take a look at this thread - similar to your issue - http://serverfault.com/questions/628964/kerberos-configuration-manager-for-sql-server-error-unable-to-access-user-princ
Hope this helps.
April 28, 2016 at 10:15 am
Tried everything with no luck at all. I'll create tomorrow a brand new service account for SQL Service and check everything again. I also tried KERBEROS tool on another server using local admin and domain admin - the same error...
Thanks a lot for your help.
April 29, 2016 at 3:58 am
Finally managed to fix it: SQL Server service account needs "Write public information" permission set to Allow. All tested and working after changing permission.
Thanks for help.
January 5, 2017 at 7:06 am
Where did you fix the "sql service account's permissions"?
Paresh Motiwala Manager of Data Team, Big Data Enthusiast, ex DBA
January 5, 2017 at 11:58 am
Paresh Motiwala (1/5/2017)
Where did you fix the "sql service account's permissions"?
You would add those permissions to the account in Active Directory.
Sue
May 17, 2018 at 5:12 am
Finally managed to fix an issue whereby the SPN was created but could not connect via server name, only IP.
The fix was to use the fully qualified domain name in the registration rather than just the server name. Deleted the old one and registered using FQDN and it worked. Hope this helps someone.
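The check this thread keeps coming back to (listing an account's SPNs with setspn -L and confirming the FQDN:port form is there), as an added PowerShell example that is not part of any post. The function name Test-SqlSpn is hypothetical and the distinguished name in the sample is constructed; the account, server name and port are the ones quoted in the first post.

```powershell
# Added example: inspects `setspn -L` output for the SPN a SQL instance needs.
function Test-SqlSpn {
    param(
        [Parameter(Mandatory)] [AllowEmptyString()] [string[]] $SetspnOutput,
        [Parameter(Mandatory)] [string] $Fqdn,
        [Parameter(Mandatory)] [int]    $Port
    )
    $expected  = "MSSQLSvc/${Fqdn}:${Port}"
    $shortName = $Fqdn.Split('.')[0]

    # SPN lines in `setspn -L` output are indented below the account header.
    $pattern = '^\s+(?<spn>MSSQLSvc/(?<host>[^:\s]+)(?::(?<suffix>\S+))?)\s*$'
    $found = @(foreach ($line in $SetspnOutput) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Spn      = $Matches['spn']
                HostName = $Matches['host']
                Suffix   = $Matches['suffix']   # port or instance name; $null if absent
            }
        }
    })

    # SPN comparison is case-insensitive, which is also PowerShell's -eq default.
    $exact = @($found | Where-Object { $_.Spn -eq $expected })
    $short = @($found | Where-Object {
        $_.HostName -eq $shortName -and $_.Suffix -eq "$Port"
    })

    [pscustomobject]@{
        Expected       = $expected
        Registered     = @($found | ForEach-Object { $_.Spn })
        FqdnSpnPresent = ($exact.Count -gt 0)
        # True when only the short-name form exists, the case in the last post.
        ShortNameOnly  = ($exact.Count -eq 0 -and $short.Count -gt 0)
    }
}

# Constructed sample output: only the short-name SPN is registered.
$sample = @(
    'Registered ServicePrincipalNames for CN=SQLServiceAccount,CN=Users,DC=DOMAIN,DC=ORG:'
    '        MSSQLSvc/SERVERNAME:52163'
)
Test-SqlSpn -SetspnOutput $sample -Fqdn 'SERVERNAME.DOMAIN.ORG' -Port 52163

# Live use (assumes setspn.exe is on the path and you can query the domain):
# Test-SqlSpn -SetspnOutput (setspn -L SQLServiceAccount) -Fqdn 'SERVERNAME.DOMAIN.ORG' -Port 52163
```

For the constructed sample the result has FqdnSpnPresent = False and ShortNameOnly = True.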