Article describing registration of Active Directory Service Principal Names (SPN) and troubleshooting.
Registration of SPN’s have 2 most common used variants:
- Registration of SPN to specific Computer Object (this method is used when service is not running under AD domain account like SQL Server, etc.)
- Registration of SPN to specific Domain Account (this method is used when service is running under AD domain account like SQL Server, etc.)
Registration of SPN to specific Computer Object
Error log message with wrong kerberos authentication because of missing SPN for “MSSQLSvc” service running under local account “NT Service\MSSQL$DB01” on a server “DBSRV01.contoso.corp” using Instance “DB01”:
SQL Server cannot authenticate using Kerberos because the Service Principal Name (SPN) is missing, misplaced, or duplicated. Service Account: NT Service\MSSQL$DB01 Missing SPNs: MSSQLSvc/DBSRV01.contoso.corp:DB01 Misplaced SPNs:
To FIX this problem logon to server/DC which is in same domain like server DBSRV01.contoso.corp and run following command from CMD/Powershell:
setspn -s "MSSQLSvc/DBSRV01.contoso.corp:DB01" "DBSRV01"
Description of command:
- setspn.exe -s – add arbitrary SPN after verifying no duplicates exist
- “MSSQLSvc/DBSRV01.contoso.corp:DB01” – register SPN for service with name MSSQLSvc on server DBSRV01.contoso.corp running Instance with name DB01.
- “DBSRV01” – register SPN to this AD Computer Object.
Registration of SPN to specific Domain Account
Error log message with wrong kerberos authentication because of missing SPN for “MSSQLSvc” service running under domain account “CONTOSO\SVC_SQL03” on a server “DBSRV03.contoso.corp” using Instance running on port “1433” and on computer object:
SQL Server cannot authenticate using Kerberos because the Service Principal Name (SPN) is missing, misplaced, or duplicated. Service Account: CONTOSO\SVC_SQL03 Missing SPNs: MSSQLSvc/DBSRV03.contoso.corp, MSSQLSvc/DBSRV01.contoso.corp:1433 Misplaced SPNs: Duplicate SPNs:
To FIX this problem logon to server/DC which is in same domain like server DBSRV03.contoso.corp and run following command from CMD/Powershell:
setspn -s "MSSQLSvc/DBSRV03.contoso.corp" "CONTOSO\SVC_SQL03" setspn -s "MSSQLSvc/DBSRV03.contoso.corp:1433" "CONTOSO\SVC_SQL03"
Description of command:
- setspn.exe -s – add arbitrary SPN after verifying no duplicates exist
- “MSSQLSvc/DBSRV03.contoso.corp” – register SPN for service with name MSSQLSvc on server DBSRV03.contoso.corp running Instance on Computer Object.
- “MSSQLSvc/DBSRV03.contoso.corp:1433” – register SPN for service with name MSSQLSvc on server DBSRV03.contoso.corp running Instance on port 1433.
- “CONTOSO\SVC_SQL03” – register SPN to this AD Account.
Troubleshooting
- The operation failed because SPN value provided for addition/modification is not unique forest-wide.
Same SPN value already exists in a domain during registration of SPN. We need to find duplicate and remove it. Start powershell, import AD module (Import-Module ActiveDirectory) and start search query:
Search query for AD User Account:
Get-ADUser -Filter {serviceprincipalname -like "MSSQLSvc/DBSRV03.contoso.corp:1433"}
Search query for Computer Account:
Get-ADComputer -Filter {serviceprincipalname -like "MSSQLSvc/DBSRV01.contoso.corp:DB01"}