Setting the Service Principal Name (SPN)

I've noticed that there are various posts and articles on setting the SPN for sql server.

Setting the SPN this will firstly allow client connections using Kerberos, and secondly get rid of this error in the sql errorlog.

The SQL Network Interface library could not register the Service Principal Name (SPN) for the SQL Server service. Error: 0x54b, state: 3. Failure to register an SPN may cause integrated authentication to fall back to NTLM instead of Kerberos. This is an informational message. Further action is only required if Kerberos authentication is required by authentication policies.

Most articles suggest adding the SPN manually using the SETSPN tool
e.g.

SETSPN -A MSSQLSvc/<SQL Server Name> <service account>

SETSPN -A MSSQLSvc/<SQL Server Name>:<port> < service account>

SETSPN -A MSSQLSvc/<Fully Qualified SQL Server Name> < service account>

SETSPN -A MSSQLSvc/<Fully Qualified SQL Server Name>:<port> < service account>

However another method is documented in the Microsoft support article KB811889.
This article explains how to configure the SQL Server service to crate the SPN dynamically by granting the service account the “Read servicePrincipalName” and “Write servicePrincipalName” rights in AD.

 

Published 06 August 2009 14:16 by StevenWhite
Filed under:

Comments

# Setting the Service Principal Name (SPN)

06 August 2009 17:26 by SqlServerKudos

Kudos for a great Sql Server article - Trackback from SqlServerKudos