SPN issue

  • Hi All,

    It's a SQL Server 2012 two-node cluster on Windows 2012 R2 Standard edition.

    Getting the below error in the SQL Server errorlog.

    The SQL Server Network Interface library could not register the Service Principal Name (SPN) [ MSSQLSvc/virtualname ] for the SQL Server service. Windows return code: 0x2098, state: 20. Failure to register a SPN might cause integrated authentica

    The SQL Server Network Interface library could not register the Service Principal Name (SPN) [ MSSQLSvc/virtualname ] for the SQL Server service. Windows return code: 0x2098, state: 20. Failure to register a SPN might cause integrated authe

    When we run setspn -L serviceaccnt, we get the below error.

    Ldap Error(0x22 -- Invalid DN Syntax): ldap_search_s

    What could be the issue? How to resolve this and manually register the SPN?

    Thanks in advance.

    San.

  • What is the serviceaccount you are specifying to setspn? Is it a domain user account, a computer account, a virtual account? It sounds like you are specifying the account name incorrectly to setspn.

    Joie Andrew
    "Since 1982"

  • Joie Andrew (6/19/2015)


    What is the serviceaccount you are specifying to setspn? Is it a domain user account, a computer account, a virtual account? It sounds like you are specifying the account name incorrectly to setspn.

    Hi Joie,

    I was specifying the domain user account under which the SQL service runs.

    What exactly do I need to specify there ?

    Thanks,

    San.

  • Joy Smith San (6/20/2015)


    Joie Andrew (6/19/2015)


    What is the serviceaccount you are specifying to setspn? Is it a domain user account, a computer account, a virtual account? It sounds like you are specifying the account name incorrectly to setspn.

    Hi Joie,

    I was specifying the domain user account under which the SQL service runs.

    What exactly do I need to specify there ?

    Thanks,

    San.

    To register an SPN please see the following KB from Microsoft:

    https://msdn.microsoft.com/en-us/library/ms191153.aspx

    -----------------------------------------------------------------------------------------------------------

    "Ya can't make an omelette without breaking just a few eggs" 😉

  • Hi Perry,

    I was referring to that link only; however, it did not work. I suspect some permission issue.

    I had changed the service account of SQL cluster after the installation through configuration manager.

    Service account is a domain account with local administrator rights on nodes.

    Does it need to have any other permission for registering SPN for that service account ?

    Thanks,

    San.

  • When we run setspn -L serviceaccnt, get the below error.

    Ldap Error(0x22 -- Invalid DN Syntax): ldap_search_s

    This is not the command you are trying to run to register the SPN is it? The -L parameter is only for listing the SPNs registered to an account. For registering the SPN you should try something more along the lines of this:

    setspn -S MSSQLSvc/[sqlinstance] [domain]\[svcaccount]

    Where [sqlinstance] is the name of the db instance, [domain] is the name of the Active Directory domain and [svcaccount] is the name of the service account running the SQL Server service.

    Joie Andrew
    "Since 1982"
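  • The registration step from the previous reply, written out for a clustered instance as an added example (this is not code from the thread or from Microsoft). The names are assumptions: virtual network name SQLCLUS01 in the domain contoso.local, a default instance on TCP 1433, and service account CONTOSO\svc_sql. Return code 0x2098 in the errorlog is ERROR_DS_INSUFF_ACCESS_RIGHTS, i.e. the service account is not allowed to write its own servicePrincipalName attribute, which is why the SPNs have to be added by someone who is.

```powershell
# Added example (not from the thread): build and register the SPN set for a
# clustered SQL Server instance on its domain service account.
# ASSUMED values, replace for your environment:
#   virtual network name SQLCLUS01, DNS domain contoso.local,
#   default instance on TCP 1433, service account CONTOSO\svc_sql.
# Run from an elevated prompt as a user who has "Write servicePrincipalName" on the
# service account object (typically a Domain Admin), not as the service account itself.

$VirtualName = 'SQLCLUS01'          # cluster network name clients connect to, never a node name
$DnsDomain   = 'contoso.local'
$Port        = 1433                 # for a named instance use its fixed TCP port
$Account     = 'CONTOSO\svc_sql'    # DOMAIN\sAMAccountName, the form setspn expects

$fqdn = "$VirtualName.$DnsDomain"

# SQL Server tries to register the FQDN form with and without port at start-up;
# 0x2098 (ERROR_DS_INSUFF_ACCESS_RIGHTS) means the account could not write them, so
# they are added here by hand. Kerberos SPN matching is exact: if your errorlog names a
# short-name SPN such as MSSQLSvc/SQLCLUS01, register that exact string as well.
$spns = @(
    "MSSQLSvc/$fqdn",             # client connects with host name only
    "MSSQLSvc/${fqdn}:$Port"      # client connects with host,port (or host\instance)
)

foreach ($spn in $spns) {
    # -S searches the forest for an existing holder and refuses to add a duplicate.
    # Do not use -A for this: it adds blindly and creates the duplicate that breaks Kerberos.
    & setspn.exe -S $spn $Account
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "setspn -S $spn failed (exit $LASTEXITCODE). Find the current holder with: setspn -Q $spn"
    }
}

# Read back what is now on the account. -L takes the same DOMAIN\account argument;
# 'Invalid DN Syntax' from -L means that argument did not resolve to an account object.
& setspn.exe -L $Account
```

After this, restart nothing: the SPN lives in AD, not in SQL Server. New client connections can use Kerberos as soon as the DC they talk to has the change; clients that already hold NTLM sessions or cached tickets need to reconnect (or run klist purge) before the scheme changes.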

  • No Joie.

    setspn -S MSSQLSvc/[sqlinstance] [domain]\[svcaccount]

    I was running exactly the same command. Then it gave the message "Updated SPN...." but it is still logging this error in the errorlog and using NTLM authentication only. So I was trying to list out the SPNs registered for that service account, then I got the above error.

    I suspect the SPN didn't get registered properly. Now to troubleshoot, I have no idea where to start.

    The Active Directory team is not cooperating much and just says they are not aware of SPNs 🙂 .

    Thanks.

  • Ah, I see. Well, if setspn said it updated the object in AD when you ran the command, I would not worry too much about the entries in the SQL log; that is just stating that the service account did not have permissions to register the SPN itself, meaning it has to be done manually (which you did).

    Was setspn run against the same DC/AD site where the SQL Server resides? If not, it might take a while for AD replication to propagate that information throughout the domain, depending on how complicated your Active Directory architecture is.

    Are there any problems with AD replication?

    Another thing you can try is running setspn -X to see if there are any duplicate SPNs registered. That would mess things up as well.

    Are you actually getting errors indicating Kerberos is not working properly against SQL Server?

    Joie Andrew
    "Since 1982"

  • Are there any problems with AD replication?

    Need to check with AD team

    Another thing you can try is running setspn -X to see if there are any duplicate SPNs registered. That would mess things as well.

    Will try this.

    Are you actually getting errors indicating Kerberos is not working properly against SQL Server?

    I checked sys.dm_exec_connections dmv, all remote windows logins are NTLM.

    Server is still not live, so no complaints so far.

    Thanks.

  • Joy Smith San (6/24/2015)


    No Joie.

    setspn -S MSSQLSvc/[sqlinstance] [domain]\[svcaccount]

    I was running exactly the same command. Then it gave the message "Updated SPN...." but it is still logging this error in the errorlog and using NTLM authentication only. So I was trying to list out the SPNs registered for that service account, then I got the above error.

    I suspect the SPN didn't get registered properly. Now to troubleshoot, I have no idea where to start.

    The Active Directory team is not cooperating much and just says they are not aware of SPNs 🙂 .

    Thanks.

    The user account has to be trusted for delegation also; the SPNs may be manually manipulated via ADSIEdit, and any good AD admin should be capable of this.

    Check you don't have duplicate and incorrect SPNs registered against the user account; this will also cause issues. Later versions of SETSPN actually check for and report duplicates.

    -----------------------------------------------------------------------------------------------------------

    "Ya can't make an omelette without breaking just a few eggs" 😉
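  • The checks suggested in the two replies above (which DC setspn wrote to and whether the change has replicated, whether a duplicate SPN exists, and whether Kerberos is actually being negotiated) as one added script. This is an example written for this page, not code from the thread; the names are assumptions: virtual network name SQLCLUS01 in contoso.local, domain controller DC01.contoso.local, and service account sAMAccountName svc_sql. It needs only .NET, so it works without RSAT or the SQLPS module and without cooperation from the AD team.

```powershell
# Added example (not from the thread): audit MSSQLSvc SPNs for a cluster virtual name
# against one named domain controller, then confirm the authentication scheme SQL Server
# actually negotiated for a fresh connection.
# ASSUMED values, replace for your environment.
$VirtualName      = 'SQLCLUS01'
$DnsDomain        = 'contoso.local'
$DomainController = 'DC01.contoso.local'   # the DC the SQL nodes use: nltest /dsgetdc:contoso.local
$ExpectedHolder   = 'svc_sql'              # sAMAccountName of the SQL Server service account

$fqdn   = "$VirtualName.$DnsDomain"
$baseDn = 'DC=' + (($DnsDomain -split '\.') -join ',DC=')    # contoso.local -> DC=contoso,DC=local

# Query that specific DC. setspn -X / -Q pick a DC for you, so a duplicate (or a missing SPN)
# that is only a replication delay looks identical to a real one; binding to a named DC removes that doubt.
$root   = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainController/$baseDn")
$search = New-Object System.DirectoryServices.DirectorySearcher($root)
$search.Filter      = "(|(servicePrincipalName=MSSQLSvc/$fqdn*)(servicePrincipalName=MSSQLSvc/$VirtualName*))"
$search.SearchScope = 'Subtree'
$search.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'servicePrincipalName'))

$holders = foreach ($r in $search.FindAll()) {
    foreach ($spn in $r.Properties['serviceprincipalname']) {
        # The LDAP filter matches the object; pick out only the SPNs for this virtual name.
        if ($spn -like "MSSQLSvc/$fqdn*" -or $spn -like "MSSQLSvc/$VirtualName*") {
            [pscustomobject]@{ SPN = $spn; Holder = [string]$r.Properties['samaccountname'][0] }
        }
    }
}

if (-not $holders) {
    Write-Warning "No MSSQLSvc SPN for $VirtualName on $DomainController. Either setspn's update has not replicated here yet, or it was written against a different name."
}

# A Kerberos SPN must map to exactly one account. A second holder (often a node's computer
# account left behind by an earlier install) leaves the KDC unable to pick the key for the
# service ticket; clients then fall back to NTLM or fail with KRB_AP_ERR_MODIFIED.
$holders | Group-Object SPN | ForEach-Object {
    $who = ($_.Group.Holder | Sort-Object -Unique) -join ', '
    if ($_.Count -gt 1) {
        Write-Warning "DUPLICATE  $($_.Name) is held by: $who. Remove it from the wrong object with: setspn -D $($_.Name) <that account>"
    } elseif ($_.Group[0].Holder -ne $ExpectedHolder) {
        Write-Warning "WRONG ACCT $($_.Name) is on '$who', not on the service account '$ExpectedHolder'"
    } else {
        Write-Output  "OK         $($_.Name) -> $who"
    }
}

# The real test: connect by the FQDN so the client builds the same SPN that was registered,
# and ask SQL Server what it negotiated for this very session.
$conn = New-Object System.Data.SqlClient.SqlConnection("Server=tcp:$fqdn,1433;Integrated Security=SSPI")
$conn.Open()
$cmd  = $conn.CreateCommand()
$cmd.CommandText = 'SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID'
$scheme = [string]$cmd.ExecuteScalar()
$conn.Close()

# KERBEROS means the SPN is right on the DC this client used. NTLM with the SPN present and unique
# usually means a cached ticket or an existing NTLM session on the client (klist purge, reconnect),
# or a client that connected by IP address or a CNAME for which no SPN exists.
Write-Output "This connection authenticated with: $scheme"
```

Nothing here touches delegation settings. Authenticating a client to the instance with Kerberos does not require the service account to be trusted for delegation; that setting only matters when SQL Server has to forward the caller's identity onward, as with linked servers or other double-hop scenarios.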
