Post reply

SPN and CAP

  • July 10, 2012 at 2:27 am

    #258583

    Hi,

    Can kerberos be used against a Client Access Point in a SQL Server cluster? I registered SPN's for the SQL Server service account using setspn, but the authentication scheme is still showing NTLM.

    thanks,

    Andy

  • July 10, 2012 at 4:46 am

    #1510810

    adb2303 (7/10/2012)

    Hi,

    Can kerberos be used against a Client Access Point in a SQL Server cluster? I registered SPN's for the SQL Server service account using setspn, but the authentication scheme is still showing NTLM.

    thanks,

    Andy

    yes you do register SPNs for the virtual network name or client access point, what was the exact SPN command you used?

    Do any connections show Kerberos for the authentication scheme?

    -----------------------------------------------------------------------------------------------------------

    "Ya can't make an omelette without breaking just a few eggs" 😉

  • July 10, 2012 at 7:10 am

    #1510891

    Hi,

    The CAP is called MIRRORSERVER. I can connect to MIRRORSERVER\INSTANCE1 via SSMS, but when I run: select auth_scheme from sys.dm_exec_connections where session_id = @@spid, it comes back NTLM. If I connect to the main virtual server name, i.e. SQLCLUSTER1\INSTANCE1 via SSMS and run the same query, I get kerberos back.

    I used:

    setspn -A MSSQLSvc/MIRRORSERVER.it.palm.co.uk:49611 palm\sqlservice

    setspn -A MSSQLSvc/MIRRORSERVER.it.palm.co.uk:INSTANCE1 palm\sqlservice

    If I run setspn -L palm\sqlservice, I can see the SPNs with the exact same format as other working SPNs.

    MSSQLSvc/MIRRORSERVER.it.palm.co.uk:49611 --not working CAP

    MSSQLSvc/MIRRORSERVER.it.palm.co.uk:INSTANCE1 --not working CAP

    MSSQLSvc/SQLCLUSTER1.it.palm.co.uk:49611 --working

    MSSQLSvc/SQLCLUSTER1.it.palm.co.uk:INSTANCE1 --working

    Hope this makes sense.

    Thanks, Andy

  • July 10, 2012 at 7:37 am

    #1510912

    what is the vritual network name for the clustered instance you are trying to connect to?

    (i.e. the one provisoned in the clustered application group in Failover cluster manager)

    A client acces point in Windows 2008 clusters merely represents a unique IP and virtual network name to be used for connecting to the clustered application.

    -----------------------------------------------------------------------------------------------------------

    "Ya can't make an omelette without breaking just a few eggs" 😉

Viewing 4 posts - 1 through 3 (of 3 total)

You must be logged in to reply to this topic. Login to reply