Service Principal Names

  • Tom Nicol

    SSCrazy

    Points: 2252

    Comments posted to this topic are about the item Service Principal Names

  • TomThomson

    SSC Guru

    Points: 104773

    Useful question.

    I find the documentation on this is utterly awful, almost incomprehensible; so getting it right was quite a surprise. I wouldn't have been at all confident if I'd had to do this in real life - so I hope I'll remember the answer now.

    Tom

  • Gazareth

    One Orange Chip

    Points: 27737

    TomThomson (8/7/2014)


    Useful question.

    I find the documentation on this is utterly awful, almost incomprehensible; so getting it right was quite a surprise. I wouldn't have been at all confident if I'd had to do this in real life - so I hope I'll remember the answer now.

    Totally agree Tom!

    Thanks for the Q, will attempt to remember this too!

  • Mighty

    SSCrazy Eights

    Points: 8819

    Easy one, but just because I installed many SQL Servers that needed Kerberos Authentication.

  • Carlo Romagnano

    SSC-Insane

    Points: 21987

    Mighty (8/7/2014)


    Easy one, but just because I installed many SQL Servers that needed Kerberos Authentication.

    +1


  • Yogeshwar Phull

    Default port

    Points: 1434

    We've been doing it at least once a week for the last couple of months. Got it right. +1

  • adb2303

    SSCertifiable

    Points: 7586

    easy

  • Raghavendra Mudugal

    SSChampion

    Points: 10658

    Thanks for the post, new one to me.

    I really had no idea what this is all about; I just referred to the help, got the below, and then selected the match. For the next few minutes I am going to spend some time reading up on this. 🙂

    Setspn -s http/<computername>.<domainname>:<port> <domain-user-account>

    ww; Raghu
    --
    The first and the hardest SQL statement I have wrote- "select * from customers" - and I was happy and felt smart.

  • Ken Wymore

    SSCoach

    Points: 16614

    Thanks for the question Tom. I've never had to use Kerberos but it is always good to know how to implement different configurations.

  • mtassin

    SSC-Insane

    Points: 23099

    Interesting... I always thought you needed both the FQDN and the NETBIOS name... at least that was a recommendation the last time I read up on it... 🙁



    --Mark Tassin
    MCITP - SQL Server DBA
    Proud member of the Anti-RBAR alliance.
    For help with Performance click this link
    For tips on how to post your problems

  • Anipaul

    SSC-Insane

    Points: 24681

    Nice to know....

  • Bangla

    Hall of Fame

    Points: 3137

    Interesting and useful

  • Koen Verbeeck

    SSC Guru

    Points: 258965

    Thanks for the question.

    Need an answer? No, you need a question
    My blog at https://sqlkover.com.
    MCSE Business Intelligence - Microsoft Data Platform MVP

  • Andy sql

    SSCrazy Eights

    Points: 9402

    Thanks for the question.

    Absolutely agree that the documentation is poor and incomplete. The docs do make more sense if you really understand how an SPN works in a Kerberos environment - which I don't! Subjects such as Constrained Delegation also become clearer.

    Just a comment on Answer B. You can only specify the Instance Name when configuring an SPN for a non-TCP protocol. When registering the MSSQL Service for an SPN using TCP, you must specify the Port Number; the Instance Name is not valid. Which also means dynamic ports will not work for true Kerberos authentication.

    The Instance Name is valid for non-TCP protocols, such as Named Pipes and Shared Memory.

    The subject was discussed recently in the forum "Register SPN for SQL Service account"

    http://www.sqlservercentral.com/Forums/Topic1551205-1526-1.aspx
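
Added example (not part of the thread and not any poster's code): a small Python audit that applies the rule from the post above, that a TCP listener needs a port-form MSSQLSvc SPN and an instance-name SPN does not cover it, which is also why a dynamic port ends up uncovered. The host names, instance name, ports and the `classify` / `tcp_coverage` helpers are assumptions made up for the illustration.

```python
import re

# Constructed sample, shaped like the SPN lines of a `setspn -L <account>` listing.
# Host names and the instance name are invented for this example.
SAMPLE_SPNS = [
    "MSSQLSvc/sql01.corp.example.com:1433",
    "MSSQLSvc/sql01.corp.example.com:REPORTING",
    "MSSQLSvc/sql02.corp.example.com:REPORTING",
    "HTTP/web01.corp.example.com",
]
# Constructed (host, TCP port) pairs the instances are assumed to listen on.
SAMPLE_LISTENERS = [
    ("sql01.corp.example.com", 1433),   # fixed port with a matching SPN
    ("sql02.corp.example.com", 50123),  # dynamic port, instance-name SPN only
    ("sql03.corp.example.com", 1433),   # nothing registered
]

SPN_RE = re.compile(r"^MSSQLSvc/(?P<host>[^:/\s]+)(?::(?P<suffix>\S+))?$", re.I)

def classify(spn):
    """Return (host, kind, value) for an MSSQLSvc SPN, or None for other services."""
    m = SPN_RE.match(spn.strip())
    if not m:
        return None
    host, suffix = m.group("host").lower(), m.group("suffix")
    if suffix is None:
        return (host, "host-only", None)
    # An all-digit suffix in the valid range is a TCP port; anything else is a name.
    if suffix.isascii() and suffix.isdigit() and 1 <= int(suffix) <= 65535:
        return (host, "tcp-port", int(suffix))
    return (host, "instance-name", suffix)

def tcp_coverage(spns, listeners):
    """Map each (host, port) listener to 'ok', 'instance-name SPN only' or 'missing'."""
    parsed = [c for c in map(classify, spns) if c]
    by_port = {(h, v) for h, kind, v in parsed if kind == "tcp-port"}
    named = {h for h, kind, _ in parsed if kind == "instance-name"}
    report = {}
    for host, port in listeners:
        key = (host.lower(), port)
        if key in by_port:
            report[key] = "ok"
        elif key[0] in named:
            report[key] = "instance-name SPN only"
        else:
            report[key] = "missing"
    return report

if __name__ == "__main__":
    for (host, port), status in tcp_coverage(SAMPLE_SPNS, SAMPLE_LISTENERS).items():
        print(f"{host}:{port} -> {status}")
```
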
