Comments on: Active Directory and Kerberos SPNs Made Easy!

By: RhysGoodwin

RhysGoodwin — Fri, 01 Jul 2011 07:50:33 +0000

Ok.a few more things to think about:
-is there any kerberos delegation involved? What’s actually connecting to your sql server?
-use kerbtray on the client to see what tickets you’re getting
-use wirshark to look at kerberos errors, first at the client then at any other box involved. E.g. app server etc.

By: Chris

Chris — Fri, 01 Jul 2011 04:32:20 +0000

Thanks very much Rhys.
That’s what I have done but still getting SSPI errors. Oh well, try again.

By: RhysGoodwin

RhysGoodwin — Fri, 01 Jul 2011 03:15:10 +0000

Yes exactly right. And no it shouldn’t have the same spn registered against the computer account. It can happen though. Duplicate spn issues are reported in domain contoller event logs IIRC but it pays to do a search for servicePrincipalName with a tool like Adexplorer. Especially if it’s not a new install and you’re changing service accounts. I don’t think setspn warns about duplicates. Some apps try to register SPNs them self if they have enough AD permission. I can’t remember what sql server does.

By: Chris

Chris — Fri, 01 Jul 2011 02:57:45 +0000

Hi Rhys, just found your blog, really usefull.

So when you look at the account domain\SQLSVC using adsi edit you will see the servicePrincipalName property set to MSSQLSvc/sql1 and MSSQLSvc/sql1.domain.com. Is that right?
If you look at the machine account sql1 it will not have an entry for MSSQLSvc/sql1. Is that right?

By: SalesForce SSO with ADFS 2.0 – Everything you need to know

SalesForce SSO with ADFS 2.0 – Everything you need to know — Sun, 03 Apr 2011 12:57:20 +0000

[...] more info on Kerberos SPNs see my Active Directory and Kerberos SPNs Made Easy [...]

By: MOSS Split Back-to-Back in the Real World - Part 1 :: Rhys Goodwin’s Weblog

Sat, 27 Jun 2009 06:56:38 +0000

[...] Previous Post [...]