May 29, 2019 at 6:25 pm
I am using SQL Server 2014 and Windows Server 2012.
I am getting an SPN failed to register in my SQL Logs on several of my servers.
The message is:
The SQL Server Network Interface library could not register the Service Principal Name (SPN) [MSSQLSvc/Servername.DomainName:InstanceName ] for the SQL Server service. Windows return code: 0x200b, state: 15. Failure to register a SPN might cause integrated authentication to use NTLM instead of Kerberos. This is an informational message. Further action is only required if Kerberos authentication is required by authentication policies and if the SPN has not been manually registered.
I checked all my servers and found that a few servers are successfully registering the SPN and using Kerberos, but several are not registering the SPN successfully and using NTLM.
All the servers are using the Virtual Service Account, which is considered a local account.
I suspect the problem is permission in Active Directory, so I checked the ADSIedit, but do not see the accounts domain\server$, which is the account the virtual service account translates to.
I guess I would need to see the difference between the servers that work and the servers that do not work, but what would I check?
I know I could manually register the SPN, but hoped I do not have to do this. Is manually registering the SPN a by-product of using SQL Virtual Service Accounts? I hope not. I love not having to deal with the permission or the passwords.
Any help is appreciated.
Jeff
May 29, 2019 at 9:07 pm
There is a tool for this called KerberosConfigMgr ... it makes things easier, but keep in mind it isn't perfect.
https://www.microsoft.com/en-us/download/details.aspx?id=39046
Also, there is this command that will let you know if your server is using NTLM or Kerberos:
SELECT net_transport,
auth_scheme
FROM sys.dm_exec_connections
WHERE session_id = @@spid;
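
The query above reports only the session that runs it. As an added example (not part of the original posts), the variant below summarizes the authentication scheme of every current user connection, so servers or clients that fall back to NTLM stand out. It uses only columns of sys.dm_exec_connections and sys.dm_exec_sessions and assumes the caller has VIEW SERVER STATE permission.

```sql
-- Added example: authentication scheme per client for all current user connections.
-- Rows with auth_scheme = 'NTLM' over TCP from remote hosts are the ones affected
-- by a missing MSSQLSvc SPN; 'SQL' rows are SQL logins and are not relevant here.
SELECT
    c.auth_scheme,                          -- KERBEROS, NTLM or SQL
    c.net_transport,                        -- e.g. TCP, Shared memory, Named pipe
    s.login_name,
    s.host_name,
    c.client_net_address,
    COUNT(*)            AS connection_count,
    MIN(c.connect_time) AS earliest_connect
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s
    ON s.session_id = c.session_id
WHERE s.is_user_process = 1                 -- skip system sessions
GROUP BY
    c.auth_scheme,
    c.net_transport,
    s.login_name,
    s.host_name,
    c.client_net_address
ORDER BY
    c.auth_scheme,
    connection_count DESC;
```

Run it while remote clients are connected: a session opened on the server itself over shared memory normally shows NTLM regardless of SPN state, so it says nothing about whether Kerberos works.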