Allowing a Service Account to Manage Its Own Service Principal Name (SPN)

Wednesday, February 10, 2010
As a best practice, Microsoft recommends that SQL Server be run using a domain account. This account is sometimes referred to as the SQL service account. However, when you configure SQL Server with a domain account you will get an event in the SQL logs:
The SQL Server Network Interface library could not register the Service Principal Name (SPN) for the SQL Server service. Error: 0x2098, state: 15. Failure to register an SPN may cause integrated authentication to fall back to NTLM instead of Kerberos. This is an informational message. Further action is only required if Kerberos authentication is required by authentication policies.
Doing a Google or Bing search takes you to multiple MSDN articles that have you running SETSPN to assign the SPN to the domain account that SQL Server is using. This is time consuming and subject to typos and other errors. If the SPN is not set properly, Kerberos authentication will not work, and that stops pass-through authentication from working. See this article from the Microsoft SQL Server Protocols team for more information.

A simpler and easier way to fix this is to use Active Directory Users and Computers to assign the Write Public Information permission to Self on the domain account that SQL Server is using, as shown below:

If you do this before installing SQL Server, no restart is needed. If SQL Server is already running, you will need to restart it.

After applying this fix you will find the following event in the SQL Logs:
The SQL Server Network Interface library successfully registered the Service Principal Name (SPN) [ MSSQLSvc/servername.domain.com ] for the SQL Server service.
This allows SQL Server to register the SPN at startup and unregister it at shutdown. It also helps when you remove a SQL Server from the domain: the SPN is unregistered when SQL Server shuts down, so no stale SPN is left behind in Active Directory.

You can also apply this method to other services that register an SPN and run under a domain service account.
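The same grant made from PowerShell, as an added example that is not part of the original post: it gives Self write access to the Public Information property set as described above, or, with a switch, to the servicePrincipalName attribute alone, which is the narrower grant. It assumes the RSAT ActiveDirectory module and a hypothetical service account named svc-sql.

```powershell
# Added example (not from the post): the grant the post makes in the
# Active Directory Users and Computers UI, done with the RSAT ActiveDirectory
# module. 'svc-sql' is a hypothetical service account name.
Import-Module ActiveDirectory
$RootDse = Get-ADRootDSE
$Self    = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-10'  # well-known SELF

# Resolve the rights GUIDs from the directory rather than hard-coding them.
function Get-PublicInformationGuid {
    # "Public Information" property set: servicePrincipalName plus other attributes
    $r = Get-ADObject -SearchBase "CN=Extended-Rights,$($RootDse.configurationNamingContext)" `
           -Filter "displayName -eq 'Public Information'" -Properties rightsGuid
    [Guid]$r.rightsGuid
}
function Get-SpnAttributeGuid {
    # Narrower grant: the servicePrincipalName attribute on its own
    $a = Get-ADObject -SearchBase $RootDse.schemaNamingContext `
           -Filter "lDAPDisplayName -eq 'servicePrincipalName'" -Properties schemaIDGUID
    [Guid]$a.schemaIDGUID
}

function Grant-SelfSpnWrite {
    param([Parameter(Mandatory)][string]$AccountName,
          [switch]$AttributeOnly)   # only servicePrincipalName, not the whole property set
    $guid = if ($AttributeOnly) { Get-SpnAttributeGuid } else { Get-PublicInformationGuid }
    $dn   = (Get-ADUser -Identity $AccountName).DistinguishedName
    $acl  = Get-Acl -Path "AD:\$dn"
    $ace  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $Self, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
                [System.Security.AccessControl.AccessControlType]::Allow, $guid)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$dn" -AclObject $acl
}

function Test-SelfSpnWrite {
    # $true when SELF holds either form of the write grant on this account
    param([Parameter(Mandatory)][string]$AccountName)
    $dn   = (Get-ADUser -Identity $AccountName).DistinguishedName
    $wp   = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $want = @((Get-PublicInformationGuid), (Get-SpnAttributeGuid))
    [bool]((Get-Acl -Path "AD:\$dn").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-5-10' -and
        (($_.ActiveDirectoryRights -band $wp) -eq $wp) -and ($want -contains $_.ObjectType)
    })
}

Grant-SelfSpnWrite -AccountName 'svc-sql' -AttributeOnly
Test-SelfSpnWrite  -AccountName 'svc-sql'
setspn -L svc-sql   # after SQL Server restarts: lists the SPN it registered for itself
```

Run it as an account that can modify the service account's security descriptor; Test-SelfSpnWrite returns $true once the ACE is in place, and setspn -L shows the MSSQLSvc entry after the restart.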

Special thanks to my colleague, Rick Romack, at Convergent Computing for this tip!

2 comments:

  1. Does this apply to SQL Server on MSCS? If so, which versions of MSCS? I know MSCS 2003 and MSCS 2008 are different in very important ways, such as the difference in service accounts vs. computer accounts for the SQL service.

    aenagy

  2. It should apply to any server that registers its own SPNs, like SQL Server does.
