May 13, 2018 at 9:02 pm
What is the best practice to allow for automatic SPN registration by the SQL Service account.
This is allowed if the SQL service account is a member of Domain Admin or local admin on the server ... neither of which are recommended.
Alternatively, give the SQL Service account access to write to AD, again I have seen some commentary that this can also cause some problems.
What is the community doing in this space?
Regards
Claude
May 14, 2018 at 2:38 am
I didn't see any best practice for SPNs, but following the least-rights best practice you should manually create the SPN using setspn. You need to change the SPN only after an account change, so it is not very often.
May 14, 2018 at 3:05 am
The manual option is valid ... except that dynamically assigned SQL port numbers can change.
May 14, 2018 at 7:00 am
claudio.l.gatto - Sunday, May 13, 2018 9:02 PM
What is the best practice to allow for automatic SPN registration by the SQL Service account.
This is allowed if the SQL service account is a member of Domain Admin or local admin on the server ... neither of which are recommended.
Alternatively, give the SQL Service account access to write to AD, again I have seen some commentary that this can also cause some problems.
What is the community doing in this space?
Regards
Claude
The account granting permissions needs to be a domain admin. Not the service account.
Permissions needed by the service account would be Read servicePrincipalName and Write servicePrincipalName.
How to use Kerberos Authentication in SQL Server
Sue
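The two approaches in the replies above (registering the MSSQLSvc SPNs by hand with setspn, or granting the service account Read/Write on its own servicePrincipalName so it can self-register) as an added PowerShell example; this is not code from the thread. It assumes the RSAT ActiveDirectory module is installed, the names CONTOSO\svc_sql and sql01.contoso.local are constructed placeholders, and it must be run by an account that is allowed to edit the object's ACL (the domain admin, as Sue notes, not the service account).

```powershell
# Added example (not from the thread). Builds the SPNs SQL Server would
# register for itself, checks the service account for them, registers the
# missing ones with setspn -S (which refuses duplicates), and optionally
# grants the account read/write on only its own servicePrincipalName.
param(
    [string]$ServiceAccount = 'CONTOSO\svc_sql',        # assumed placeholder
    [string]$SqlHostFqdn    = 'sql01.contoso.local',    # assumed placeholder
    [string]$InstanceName   = 'MSSQLSERVER',            # default instance
    [int]$Port              = 1433,                     # static port in this example
    [switch]$GrantSelfWrite                             # also delegate servicePrincipalName RP/WP
)

Import-Module ActiveDirectory

# Default instance registers MSSQLSvc/host and MSSQLSvc/host:port;
# a named instance registers MSSQLSvc/host:instance and MSSQLSvc/host:port.
$expected = @("MSSQLSvc/$SqlHostFqdn`:$Port")
if ($InstanceName -eq 'MSSQLSERVER') {
    $expected += "MSSQLSvc/$SqlHostFqdn"
} else {
    $expected += "MSSQLSvc/$SqlHostFqdn`:$InstanceName"
}

$sam     = $ServiceAccount.Split('\')[-1]
$adUser  = Get-ADUser -Identity $sam -Properties servicePrincipalName
$current = @($adUser.servicePrincipalName)

Write-Host "Current SPNs on ${ServiceAccount}:"
$current | ForEach-Object { Write-Host "  $_" }

foreach ($spn in $expected) {
    if ($current -contains $spn) { Write-Host "OK         $spn"; continue }

    # A duplicate SPN on another account breaks Kerberos for both; setspn -Q
    # searches the forest and prints 'Existing SPN found!' when one exists.
    $q = & setspn -Q $spn 2>&1
    if ($q -match 'Existing SPN found') {
        Write-Warning "DUPLICATE  $spn is already registered elsewhere:`n$($q -join "`n")"
        continue
    }

    Write-Host "REGISTER   $spn -> $sam"
    & setspn -S $spn $sam      # -S adds only when no duplicate exists (safer than -A)
}

if ($GrantSelfWrite) {
    # Least-privilege alternative to Domain Admin/local admin: the account may
    # read (RP) and write (WP) servicePrincipalName on its own object only,
    # which is all the engine needs to self-register at startup.
    & dsacls $adUser.DistinguishedName /G "${ServiceAccount}:RPWP;servicePrincipalName"
}
```

Run it once from an admin workstation after the service account is created; rerunning is safe because already-registered SPNs are skipped and setspn -S will not create duplicates.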
May 14, 2018 at 7:00 am
But then you should set a static port. SQL also keeps this dynamic port as long as another service doesn't steal it from SQL; only then does SQL generate a new one, but still you should set it static.
May 14, 2018 at 7:22 am
e4d4 - Monday, May 14, 2018 7:00 AM
But then you should set a static port. SQL also keeps this dynamic port as long as another service doesn't steal it from SQL; only then does SQL generate a new one, but still you should set it static.
The question was about security to have the service account create its SPN. It will create it whether the port is static or dynamic. Dynamic ports change on startup - not while SQL Server is running. Dynamic ports are fine in a lot of situations - it doesn't always need to be static. The browser service tells the client what port the instance is listening on.
Sue
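Since a dynamic port can change at startup, a defender may want to confirm that the port-specific MSSQLSvc SPN still matches the port the instance is actually using. This added PowerShell check (not from the thread) runs on the SQL host itself, reads the configured TCP port from the instance's registry keys, and compares it against the SPNs registered on the service account; the instance name and CONTOSO\svc_sql are assumed placeholders.

```powershell
# Added example (not from the thread). Reads the instance's TCP port from the
# registry (TcpPort if static, otherwise the TcpDynamicPorts value the engine
# chose at last startup) and flags a missing or stale port-specific SPN.
param(
    [string]$InstanceName   = 'MSSQLSERVER',        # assumed placeholder
    [string]$ServiceAccount = 'CONTOSO\svc_sql'     # assumed placeholder
)

$base = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
# 'Instance Names\SQL' maps the instance name to its instance ID folder
$instanceId = (Get-ItemProperty "$base\Instance Names\SQL").$InstanceName
if (-not $instanceId) { throw "Instance $InstanceName not found in the registry" }

$ipAll = Get-ItemProperty "$base\$instanceId\MSSQLServer\SuperSocketNetLib\Tcp\IPAll"
# A non-empty TcpPort means a static port; otherwise the engine picked a dynamic one
$isStatic = [bool]$ipAll.TcpPort
$port = if ($isStatic) { [int]$ipAll.TcpPort } else { [int]$ipAll.TcpDynamicPorts }
Write-Host ("{0} listens on TCP {1} ({2})" -f $InstanceName, $port, $(if ($isStatic) { 'static' } else { 'dynamic' }))

$fqdn    = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$portSpn = "MSSQLSvc/$fqdn`:$port"

# setspn -L prints one SPN per line, indented; keep only this host's MSSQLSvc entries
$registered = & setspn -L $ServiceAccount 2>&1 |
    ForEach-Object { $_.ToString().Trim() } |
    Where-Object { $_ -like "MSSQLSvc/$fqdn*" }

if ($registered -contains $portSpn) {
    Write-Host "OK: $portSpn is registered on $ServiceAccount"
} else {
    # Without a matching SPN, clients silently fall back to NTLM for TCP connections
    Write-Warning "MISSING: $portSpn is not registered on $ServiceAccount"
}

# Any other port-bearing SPN for this host is left over from an earlier port
$stale = $registered | Where-Object {
    $_ -match "^MSSQLSvc/$([regex]::Escape($fqdn)):\d+$" -and $_ -ne $portSpn
}
foreach ($s in $stale) { Write-Warning "STALE: $s refers to a port the instance no longer uses" }
```

Scheduling this after each SQL Server restart on instances that keep a dynamic port gives early warning that Kerberos has quietly stopped working for TCP clients.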
May 14, 2018 at 7:26 am
I prefer to have it so that the service account is granted the rights as described by Sue_H, rather than pre-staging them.