SPN Failed to Register - Virtual Service Accounts

  • I am using SQL Server 2014 and Windows Server 2012

    I am getting an SPN failed to register in my SQL Logs on several of my servers.

    The message is:

    The SQL Server Network Interface library could not register the Service Principal Name (SPN) [MSSQLSvc/Servername.DomainName:InstanceName ] for the SQL Server service. Windows return code: 0x200b, state: 15. Failure to register a SPN might cause integrated authentication to use NTLM instead of Kerberos. This is an informational message. Further action is only required if Kerberos authentication is required by authentication policies and if the SPN has not been manually registered.

    I checked all my servers and found that a few servers are successfully registering the SPN and using Kerberos, but several are not registering the SPN successfully and using NTLM.

    All the servers are using the Virtual Service Account - which is considered a local account

    I suspect the problem is permission in Active Directory, so I checked ADSIedit, but do not see the account domain\server$, which is the account the virtual service account translates to.

    I guess I would need to see the difference between the servers that work and the servers that do not work, but what would I check?

    I know I could manually register the SPN, but hoped I do not have to do this. Is manually registering the SPN a by-product of using SQL Virtual Service Accounts? I hope not. I love not having to deal with the permissions or the passwords.

    Any help is appreciated.

    Jeff

  • There is a tool for this called KerberosConfigMgr ... it makes things easier, but keep in mind it isn't perfect.

    https://www.microsoft.com/en-us/download/details.aspx?id=39046

     

    Also, there is this command that will let you know if your server is using NTLM or Kerberos

    SELECT net_transport, 
           auth_scheme 
    FROM sys.dm_exec_connections 
    WHERE session_id = @@spid;
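
The check above only reports the session that runs it. As an added example (not part of the original posts), the batch below extends it to every user connection on the instance and pulls the SPN registration messages from the current error log, so a server that works can be compared with one that does not. It assumes VIEW SERVER STATE permission and uses the undocumented but widely used xp_readerrorlog procedure.

```sql
-- Added example, not from the original thread.
-- 1) Which authentication scheme is each client actually getting?
--    Run this while remote clients are connected: a session opened on the
--    server itself authenticates with NTLM even when the SPN is registered,
--    so a local test does not show whether Kerberos works.
SELECT  c.auth_scheme,              -- KERBEROS, NTLM or SQL
        c.net_transport,            -- TCP, Named pipe, Shared memory
        s.host_name,
        s.login_name,
        COUNT(*) AS connection_count
FROM    sys.dm_exec_connections AS c
JOIN    sys.dm_exec_sessions    AS s
        ON s.session_id = c.session_id
WHERE   s.is_user_process = 1       -- skip system sessions
GROUP BY c.auth_scheme, c.net_transport, s.host_name, s.login_name
ORDER BY c.auth_scheme, connection_count DESC;

-- 2) What did the instance log about SPN registration at startup?
--    Arguments: 0 = current log, 1 = SQL Server error log, then a search string.
--    The search string matches both the "could not register" message quoted
--    in the question and the "successfully registered" message.
EXEC master.dbo.xp_readerrorlog 0, 1, N'Service Principal Name';
```

Rows with auth_scheme = NTLM from remote hosts over TCP, together with a "could not register" entry in the log, identify the servers where the SPN is missing.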
