Service Principal Names

  • Comments posted to this topic are about the item Service Principal Names

  • Useful question.

    I find the documentation on this is utterly awful, almost incomprehensible; so getting it right was quite a surprise. I wouldn't have been at all confident if I'd had to do this in real life - so I hope I'll remember the answer now.

    Tom

  • TomThomson (8/7/2014)


    Useful question.

    I find the documentation on this is utterly awful, almost incomprehensible; so getting it right was quite a surprise. I wouldn't have been at all confident if I'd had to do this in real life - so I hope I'll remember the answer now.

    Totally agree Tom!

    Thanks for the Q, will attempt to remember this too!

  • Easy one, but just because I installed many SQL Servers that needed Kerberos Authentication.

  • Mighty (8/7/2014)


    Easy one, but just because I installed many SQL Servers that needed Kerberos Authentication.

    +1

  • We've been doing it at least once a week for last couple of months. Got it right. +1

  • easy

  • Thanks for the post, new one to me.

    I really had no idea what this is all about; I just referred to the help and got the below and then selected the match. For the next few minutes I am going to spend some time reading up on this. 🙂

    Setspn -s http/<computername>.<domainname>:<port> <domain-user-account>

    ww; Raghu
    --
    The first and the hardest SQL statement I have wrote- "select * from customers" - and I was happy and felt smart.

  • Thanks for the question Tom. I've never had to use Kerberos but it is always good to know how to implement different configurations.

  • Interesting... I always thought you needed both the FQDN and the NETBIOS name... at least that was a recommendation the last time I read up on it... 🙁



    --Mark Tassin
    MCITP - SQL Server DBA
    Proud member of the Anti-RBAR alliance.

  • Nice to know....

  • Interesting and useful

  • Thanks for the question.

    Need an answer? No, you need a question
    My blog at https://sqlkover.com.
    MCSE Business Intelligence - Microsoft Data Platform MVP

  • Thanks for the question.

    Absolutely agree that the documentation is poor and incomplete. The docs do make more sense if you really understand how an SPN works in a Kerberos environment - which I don't! Subjects such as Constrained Delegation also become clearer.

    Just a comment on Answer B. You can only specify the Instance Name when configuring an SPN for a non-TCP protocol. When registering the MSSQL Service for an SPN using TCP, you must specify the Port Number; the Instance Name is not valid. Which also means dynamic ports will not work for true Kerberos authentication.

    The Instance Name is valid for non-TCP protocols, such as Named Pipes and Shared Memory.

    The subject was discussed recently in the forum "Register SPN for SQL Service account"

    http://www.sqlservercentral.com/Forums/Topic1551205-1526-1.aspx
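
The port-versus-instance-name distinction from the post above, as an added example that is not part of the original thread: a PowerShell function that classifies MSSQLSvc SPNs by their suffix so that a list of registered SPNs can be reviewed at a glance. `Get-MssqlSpnKind` is a hypothetical helper name, and every host, port and instance name in the sample list is constructed.

```powershell
# Added example: classify MSSQLSvc SPNs by their suffix.
# Get-MssqlSpnKind is a hypothetical helper; every SPN below is constructed.
function Get-MssqlSpnKind {
    param([Parameter(Mandatory)][string]$Spn)

    $Spn = $Spn.Trim()
    # Expected shape: MSSQLSvc/<host>[:<port or instance name>]
    if ($Spn -notmatch '^MSSQLSvc/(?<h>[^:/\s]+)(?::(?<suffix>[^\s:/]+))?$') {
        return [pscustomobject]@{ Spn = $Spn; Kind = 'NotMssqlSvc'; HostIsFqdn = $null }
    }
    $hostName = $Matches['h']
    $suffix   = $Matches['suffix']   # $null when the SPN has no ":" part

    if (-not $suffix) {
        # No suffix: default instance reached over a non-TCP protocol
        $kind = 'DefaultInstance (non-TCP)'
    }
    elseif ($suffix -match '^\d{1,5}$' -and [int]$suffix -ge 1 -and [int]$suffix -le 65535) {
        # Numeric suffix: matches only TCP connections to this port
        $kind = 'TcpPort'
    }
    elseif ($suffix -match '^\d+$') {
        # All digits but outside 1-65535: cannot be a TCP port
        $kind = 'InvalidPort'
    }
    else {
        # Non-numeric suffix: instance name, used for Named Pipes / Shared Memory
        $kind = 'NamedInstance (non-TCP)'
    }

    [pscustomobject]@{
        Spn        = $Spn
        Kind       = $kind
        HostIsFqdn = $hostName.Contains('.')   # $false means a short (NetBIOS-style) name
    }
}

# Constructed sample SPNs, one per case the function distinguishes
$sample = @(
    'MSSQLSvc/sql01.corp.example.com:1433',
    'MSSQLSvc/sql01.corp.example.com:REPORTING',
    'MSSQLSvc/sql01.corp.example.com',
    'MSSQLSvc/SQL01:1433',
    'MSSQLSvc/sql01.corp.example.com:70000',
    'http/web01.corp.example.com:8080'
)
$sample | ForEach-Object { Get-MssqlSpnKind -Spn $_ } | Format-Table -AutoSize
```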
