December 15, 2008 at 2:17 pm
I am using this for creating SPN for sql server 2005.
setspn -A MSSQLSvc/hq-dbadmin01.mydomain.com:1433 MYDOMAIN\sql.service.
is there any change in creating spn for sql server 2000 and 2005.
thanks
December 15, 2008 at 2:50 pm
Mike,
Check out these two blog posts for more info about SPNs. You run setspn on the command line and typically your domain admin does it (or you, if you've got domain admin rights)
http://kendalvandyke.blogspot.com/2008/11/delegation-what-it-is-and-how-to-set-it.html
http://kendalvandyke.blogspot.com/2008/11/delegation-more-on-service-principal.html
December 15, 2008 at 2:51 pm
December 15, 2008 at 3:36 pm
You also probably want to create an SPN without the port for a default instance on SQL Server 2000/2005. In SQL Server 2008, this is most certainly the case if you want to support other network libraries such as Named Pipes. SQL Server 2008 will support Kerberos across more than just TCP/IP.
And just one small point of clarification. Technically an SPN is a Kerberos thing. AD uses Kerberos and stores the SPNs, but SPNs are part of the Kerberos protocol. 🙂
K. Brian Kelley
@kbriankelley
December 16, 2008 at 8:34 am
December 16, 2008 at 9:52 am
kendal.vandyke (12/16/2008)
I guess what I meant to say was that SPNs are a "something outside of SQL" thing. Thanks for keeping me honest Brian.
I guess I'm a little touchy about it because about a year ago we had developers complaining about all this Kerberos stuff that "Microsoft came up with." It took a while to get them to understand that Microsoft didn't come up with Kerberos, MIT did, and that it wasn't just in Active Directory (google on heimdal for those who weren't aware of this).
K. Brian Kelley
@kbriankelley
December 19, 2008 at 9:28 am
Guys.. its driving nuts for me, though i setup authentication to KERBEROS still i cant run query from from servrB to servrC when logged into servrA
Here is my setup
Logged in ServrA and ran this query connecting to all 3 servers
select net_transport, auth_scheme from sys.dm_exec_connections where session_id=@@spid
Query from ServrA
net_transport=Shared memory, auth_scheme=NTLM
Query from ServrB
net_transport=TCP , auth_scheme=KERBEROS
Query from ServrC
net_transport=TCP , auth_scheme=KERBEROS
Ita the same thing when connected all the 3 servers. Logged into ServrA and connecting to ServrA gives NTLM when connected ot other 2 gives KERBEROS.
I am just wondering if this is the cause for failing my cross server queries.
December 19, 2008 at 9:36 am
December 19, 2008 at 10:02 am
I checked delegation on all 3 servers it returns "1" to me that means it is active.
When checked all the login sessions i see that they still use NTLM except my domain username which uses KERBEROS. Also restarted sql service as and when i changed settings
what shud i do now.
December 19, 2008 at 10:14 am
December 19, 2008 at 10:21 am
Are you using the FQDN in all connection strings? I know - stupid question, but have to ask it anyways.
Jeffrey Williams
“We are all faced with a series of great opportunities brilliantly disguised as impossible situations.”
― Charles R. Swindoll
How to post questions to get better answers faster
Managing Transaction Logs
December 19, 2008 at 10:23 am
For delegation i checked with this query
select uses_self_credential as delegation
from sys.linked_logins as L, sys.servers as S
where S.server_id=L.server_id and S.name=N'LinkSErver'
Yes i did setup spn with setspn utility from cmdline.
December 19, 2008 at 10:25 am
December 19, 2008 at 11:11 am
Is everything (SQL Servers and user accounts) all in the same domain?
K. Brian Kelley
@kbriankelley
December 19, 2008 at 11:39 am
Yes all are in the same domain.
Viewing 15 posts - 1 through 15 (of 19 total)
You must be logged in to reply to this topic. Login to reply