15 Responses to Active Directory and Kerberos SPNs Made Easy!

  1. John January 23, 2021 at 11:26 am #

    Best explanation of this I’ve ever read. Customers always believe it’s the client application generating the auth issue.

  2. Michael July 7, 2020 at 8:56 pm #

    Hi! I’m very new to this. Thanks for a very helpful post. How does the client know to ask for an MSSQLSvc/xxxx ticket? Is MSSQLSvc some kind of well-known predefined service class?

  3. Freda October 18, 2019 at 8:15 am #

    This is the right webpage for everyone who hopes to find out about this topic. You know a whole lot; it’s almost tough to argue with you (not that I really will need to… HaHa). You definitely put a fresh spin on a subject that has been discussed for many years. Great stuff, just excellent!

  4. Wander April 22, 2019 at 10:48 pm #

    Still the best explanation on the web!!

  5. Srini Musunuri November 22, 2018 at 2:22 pm #

    Even though this is an old post, I’m very thankful for the explanation in simple terms. There was a lot of confusion about this. Thanks for this post.

  6. Stephane Pellegrino October 25, 2018 at 10:00 pm #

    Nice and useful explanation!!


  7. パンプス 大人気 November 12, 2013 at 2:13 am #

    Hello there! This blog post could not be written any better! Looking through this article reminds me of my previous roommate! He always kept preaching about this. I am going to send this article to him. Fairly certain he’s going to have a good read. Thanks for sharing!

  8. Chris July 1, 2011 at 5:32 pm #

    Thanks very much Rhys.
    That’s what I have done, but I’m still getting SSPI errors. Oh well, try again.

    • RhysGoodwin July 1, 2011 at 8:50 pm #

      Ok, a few more things to think about:
      - Is there any Kerberos delegation involved? What’s actually connecting to your SQL server?
      - Use kerbtray on the client to see what tickets you’re getting.
      - Use Wireshark to look at Kerberos errors, first at the client, then at any other box involved, e.g. app server etc.

  9. Chris July 1, 2011 at 3:57 pm #

    Hi Rhys, just found your blog, really useful.

    So when you look at the account domain\SQLSVC using adsi edit you will see the servicePrincipalName property set to MSSQLSvc/sql1 and MSSQLSvc/sql1.domain.com. Is that right?
    If you look at the machine account sql1 it will not have an entry for MSSQLSvc/sql1. Is that right?

    • RhysGoodwin July 1, 2011 at 4:15 pm #

      Yes, exactly right. And no, it shouldn’t have the same SPN registered against the computer account. It can happen though. Duplicate SPN issues are reported in domain controller event logs IIRC, but it pays to do a search for servicePrincipalName with a tool like Adexplorer, especially if it’s not a new install and you’re changing service accounts. I don’t think setspn warns about duplicates. Some apps try to register SPNs themselves if they have enough AD permission. I can’t remember what SQL Server does.
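
The reply above recommends searching the directory for servicePrincipalName values rather than trusting a single tool to flag duplicates. The following PowerShell script is an added example, not code from the original post or from either commenter: it enumerates every object in the domain that carries an SPN, flattens the values to one row per registration, and reports any SPN that is registered on more than one account (for instance the same MSSQLSvc/sql1 value on both a service account and the computer account). It assumes the ActiveDirectory RSAT module is installed and that the caller has read access to the domain; the account name SQLSVC in the commented-out query at the end is the one used in the thread, not a value from any real environment.

```powershell
# Added example (not from the original post or commenters): find SPNs registered
# on more than one account in the current domain.
# Assumes the ActiveDirectory RSAT module and read access to the directory.
Import-Module ActiveDirectory

# Every user, computer or managed service account that has at least one SPN.
$objects = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' `
    -Properties servicePrincipalName, sAMAccountName

# Flatten to one (SPN, account) row per registered value so duplicates can be grouped.
$rows = foreach ($obj in $objects) {
    foreach ($spn in $obj.servicePrincipalName) {
        [pscustomobject]@{
            SPN     = $spn
            Account = $obj.sAMAccountName
            DN      = $obj.DistinguishedName
        }
    }
}

# The servicePrincipalName attribute is matched case-insensitively by AD,
# so group on the lower-cased value to catch MSSQLSvc/sql1 vs mssqlsvc/SQL1.
$duplicates = $rows |
    Group-Object { $_.SPN.ToLowerInvariant() } |
    Where-Object { $_.Count -gt 1 }

if (-not $duplicates) {
    Write-Host 'No duplicate SPNs found.'
} else {
    foreach ($group in $duplicates) {
        Write-Host "Duplicate SPN: $($group.Name)"
        foreach ($row in $group.Group) {
            Write-Host "    registered on $($row.Account)  ($($row.DN))"
        }
    }
}

# To compare a single service account's SPNs with the SQL host's computer account,
# as discussed in the thread (SQLSVC is the thread's example name, not a real account):
# Get-ADObject -LDAPFilter '(sAMAccountName=SQLSVC)' -Properties servicePrincipalName |
#     Select-Object -ExpandProperty servicePrincipalName
```

Run it from a domain-joined machine before and after moving a service to a new service account; a non-empty duplicate list means the KDC may hand out tickets encrypted with the wrong account's key, which is one common cause of the SSPI errors mentioned earlier in the thread.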


  1. Understanding Kerberos and NTLM authentication in SQL Server Connections | sccm road - August 12, 2013

    […] Simply explained SPN and Kerberos.. good blog! Another good article about Kerberos Constrained Delegation with SQL Server 2008 […]

  2. (2012-05-06) Setting Up SALESFORCE.COM With ADFS v2.0 « Jorge's Quest For Knowledge! - May 6, 2012

    […] more info on Kerberos SPNs see my Active Directory and Kerberos SPNs Made Easy […]

  3. SalesForce SSO with ADFS 2.0 – Everything you need to know - April 4, 2011

    […] more info on Kerberos SPNs see my Active Directory and Kerberos SPNs Made Easy […]

  4. MOSS Split Back-to-Back in the Real World - Part 1 :: Rhys Goodwin’s Weblog - June 27, 2009

    […] Previous Post […]
