Kerberos / SQL Service Accounts - Cluster

  • Hi,

    In single server setups I have always used a single domain account for SQL services and set up the relevant SPNs, specifically for IIS "double-hop" issues.

    I'm now supporting an existing 2016 cluster which has used different domain accounts for the Agent and DB Engine services. Interestingly, SPNs have only been set up for the domain account used for the Agent service and not the DB Engine. Also, only one server in the cluster is listed when doing setspn -l domain\SQLServiceAccount

    Is this a mistake, or is this actually how it's supposed to be/work in a cluster? It's a 2-node Always On.

    Thanks

  • You'd register the SPNs using the SQL Server service account (not the Agent service). The SPNs for a cluster are set up using the virtual name, not the name of the individual nodes. Download and install the Kerberos Configuration Manager for SQL Server - it will validate and give you scripts to update if needed. And it makes things way easier:

    Microsoft Kerberos Configuration Manager for SQL Server

    Sue

  • Thanks Sue. Yeah I thought you would do them against the cluster virtual name!

    Sorry, what I meant is that the account used for the Agent Service is the only account that has SPNs registered, not that they were registered against the actual Agent Service. So:

    Agent Service: domain\SQLServiceAccount1

    DB Engine Service: domain\SQLServiceAccount2

    setspn -l domain\SQLServiceAccount1

    -> exists

    setspn -l domain\SQLServiceAccount2

    -> nothing exists

  • I would say it was set up incorrectly - the DB Engine is the one that should have the SPNs.

    As Sue mentioned, download the tool and follow its recommendations.
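As an added example (my own, not from the thread or from Microsoft's tool), here is the check the two answers above describe, in PowerShell: it reads the DB Engine account's SPNs straight from AD and reports, for the listener and each replica host, whether every expected MSSQLSvc SPN is present, on the wrong account, missing, or duplicated. Host names SQLNODE1, SQLNODE2 and SQLAGL01, the domain contoso.local, port 1433 and the account SQLServiceAccount2 are placeholders; it assumes an Always On availability group, where each replica runs its own instance and so needs its own host SPNs alongside the listener's.

```powershell
# Added example, not from the thread: audit MSSQLSvc SPNs for a 2-node Always On AG.
# Placeholders (assumptions): replica hosts SQLNODE1/SQLNODE2, listener SQLAGL01,
# DNS domain contoso.local, port 1433, engine account SQLServiceAccount2.
$DnsDomain  = 'contoso.local'
$Port       = 1433
$EngineAcct = 'SQLServiceAccount2'   # the DB Engine account, which should own the SPNs
$Hosts      = @('SQLNODE1', 'SQLNODE2', 'SQLAGL01')  # each replica plus the listener

# Clients ask the KDC for MSSQLSvc/<fqdn>:<port> (default instance) or MSSQLSvc/<fqdn>.
$ExpectedSpns = foreach ($h in $Hosts) {
    "MSSQLSvc/${h}.${DnsDomain}:${Port}"
    "MSSQLSvc/${h}.${DnsDomain}"
}

function Get-AccountSpns([string]$SamAccountName) {
    # Same data 'setspn -L' prints, read from AD without needing the RSAT module.
    $s = [adsisearcher]"(&(objectClass=user)(sAMAccountName=$SamAccountName))"
    $null = $s.PropertiesToLoad.Add('servicePrincipalName')
    $r = $s.FindOne()
    if (-not $r) { throw "Account '$SamAccountName' not found in AD" }
    return @($r.Properties['serviceprincipalname'])
}

function Find-SpnOwners([string]$Spn) {
    # Every account holding this SPN. More than one is a duplicate: the KDC cannot
    # pick a key, Kerberos fails, and clients silently fall back to NTLM.
    $s = [adsisearcher]"(servicePrincipalName=$Spn)"
    $null = $s.PropertiesToLoad.Add('sAMAccountName')
    return @($s.FindAll() | ForEach-Object { [string]$_.Properties['samaccountname'][0] })
}

$registered = Get-AccountSpns $EngineAcct
foreach ($spn in $ExpectedSpns) {
    $owners = Find-SpnOwners $spn
    if ($owners.Count -gt 1) {
        Write-Warning "DUPLICATE     $spn is held by: $($owners -join ', ')"
    } elseif ($registered -contains $spn) {
        Write-Host    "OK            $spn on $EngineAcct"
    } elseif ($owners.Count -eq 1) {
        Write-Warning "WRONG ACCOUNT $spn is on $($owners[0]), not $EngineAcct"
    } else {
        Write-Warning "MISSING       $spn  (register with: setspn -S $spn $env:USERDOMAIN\$EngineAcct)"
    }
}
```

Run it as a domain user on any domain-joined machine; registering the missing SPNs with setspn -S still needs rights to write the account's servicePrincipalName attribute, and the -S switch refuses to create a duplicate.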

  • Yeah will do. I've never dealt with cluster SPNs before so wanted to make sure this wasn't actually correct!

    Thanks both.
