SPN Help Needed

  • We have a .NET web application on a web server [MyWebSvr] and the database for the application is on another server [MySQLSvr].

    The application is running fine and has been for years, but the domain admin who set up the SPNs and delegation left the company years ago and did not document how the SPNs and delegation were configured.

    I'm a developer and a de-facto DBA. I do not have domain admin access, but our IT Manager does. I've been asked to provide the IT Manager with information on how to set up the SPNs and delegation. The reason is that we are preparing to build a new environment, [MyNewWebSvr] and [MyNewSQLSvr], and we will need to know how to set up the new SPNs and delegation.

    When I set up the web server in our current environment, I configured the Kerberos provider in IIS and set the identity in the app pool to a domain service account [MyDomainSvcAccount].

    I read some articles online and started playing with setspn -L to see what is there now. But I'm not sure that I'm using the command correctly or if I'm even running it on the correct server.

    Given the names [MyWebSvr], [MySQLSvr], and [MyDomainSvcAccount], can anyone tell me:

    • The commands I need to see what's in place now, and where to run those commands?
    • Where to look in AD for delegation settings, and what they should be now in the old environment that is working?
    • Anything else I should be looking at that I don't even know enough to ask about?

    Given the names [MyNewWebSvr], [MyNewSQLSvr], and [MyDomainSvcAccount], can anyone tell me:

    • The commands I need to set the new SPNs?
    • Where to go in AD to set the new delegation settings?
    • Anything else that needs to be set?

    Any help is greatly appreciated

    Dave

  • Have a read of this: https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/register-a-service-principal-name-for-kerberos-connections?view=sql-server-ver16

    With it you are likely able to determine it yourself.

    One thing you will need to determine is whether you have a double-hop situation, e.g. a user connects to server A and executes a query through a linked server to server B, or uses something like a BULK INSERT from a file on the network.

    If you do have this double hop, you will also need to read this one: https://learn.microsoft.com/en-us/previous-versions/sql/sql-server-2008/ee191523(v=sql.100)?redirectedfrom=MSDN
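The inventory and setup the two posts above ask about, as an added example that is not part of either post: it lists the SPNs and delegation settings behind the existing web-to-SQL hop, then registers the new SPNs and a constrained (least-privilege) delegation for the new environment. It assumes the placeholder names from the thread, a constructed domain suffix example.local, a hypothetical SQL Server service account MySqlSvcAccount, and an admin workstation with the RSAT ActiveDirectory module (setspn and these cmdlets read and write AD, so they run from any domain-joined machine, not necessarily on the web or SQL server).

```powershell
# Added example: inventory existing SPNs/delegation, then register the new ones.
# Placeholder names from the thread; example.local and MySqlSvcAccount are assumptions.
Import-Module ActiveDirectory

$Domain    = 'example.local'          # constructed domain suffix
$WebSvr    = 'MyWebSvr';    $NewWebSvr = 'MyNewWebSvr'
$SqlSvr    = 'MySQLSvr';    $NewSqlSvr = 'MyNewSQLSvr'
$SvcAcct   = 'MyDomainSvcAccount'     # IIS app-pool identity (from the thread)
$SqlAcct   = 'MySqlSvcAccount'        # hypothetical account SQL Server runs as

# 1. What is in place now. -L lists SPNs on a user or computer object;
#    -Q searches the whole forest for who owns a given SPN.
setspn -L $SvcAcct
setspn -L $SqlSvr                          # SPNs on the computer object, if SQL runs as SYSTEM/NetworkService
setspn -Q "MSSQLSvc/$SqlSvr.$Domain*"      # which principal holds the SQL SPN?
setspn -Q "HTTP/$WebSvr*"                  # which principal holds the web SPN?
setspn -X                                  # duplicate SPNs silently break Kerberos

# 2. Delegation settings live on the account IIS runs as (ADUC > account > Delegation tab).
#    Constrained delegation = msDS-AllowedToDelegateTo; unconstrained = TrustedForDelegation;
#    "use any authentication protocol" (protocol transition) = TrustedToAuthForDelegation.
$props = 'servicePrincipalName', 'msDS-AllowedToDelegateTo',
         'TrustedForDelegation', 'TrustedToAuthForDelegation'
Get-ADUser -Identity $SvcAcct -Properties $props |
    Select-Object Name, TrustedForDelegation, TrustedToAuthForDelegation,
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join '; ' } },
        @{ n = 'SPNs';                e = { $_.servicePrincipalName -join '; ' } }

# 3. New environment. -S refuses to add a duplicate. The HTTP SPN goes on the
#    app-pool account because that identity decrypts the browser's service ticket;
#    the MSSQLSvc SPN goes on whatever account the SQL service runs as.
setspn -S "HTTP/$NewWebSvr"                    $SvcAcct
setspn -S "HTTP/$NewWebSvr.$Domain"            $SvcAcct
setspn -S "MSSQLSvc/$NewSqlSvr.$Domain:1433"   $SqlAcct
setspn -S "MSSQLSvc/$NewSqlSvr.$Domain"        $SqlAcct

# 4. Constrained delegation from the app-pool account to the new SQL service only,
#    Kerberos-only (no protocol transition) and no unconstrained delegation.
Set-ADUser -Identity $SvcAcct -Add @{
    'msDS-AllowedToDelegateTo' = @("MSSQLSvc/$NewSqlSvr.$Domain:1433",
                                   "MSSQLSvc/$NewSqlSvr.$Domain")
}
Set-ADAccountControl -Identity $SvcAcct -TrustedForDelegation $false -TrustedToAuthForDelegation $false

# 5. Verify from the web server's side: a Kerberos (not NTLM) ticket for the new SQL SPN.
klist get "MSSQLSvc/$NewSqlSvr.$Domain:1433"
```

Step 4 is only needed if the application actually passes the browser user's identity through to SQL (the double hop the reply describes); if the app pool connects to SQL as MyDomainSvcAccount itself, the SPNs alone are enough and no delegation should be granted.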
