14 Responses to Active Directory and Kerberos SPNs Made Easy!

  1. situs judi bola terpercaya May 26, 2019 at 2:39 pm #

    Hello there! I could have sworn I’ve visited this site before but after going through many of the articles I realized it’s new to me.
    Anyhow, I’m certainly pleased I found it and I’ll be book-marking it and checking back regularly! https://mariagarri.blogspot.com/

  2. Eric April 28, 2019 at 9:46 am #

    I go to see day-to-day some web sites and information sites to read posts, however this webpage
    offers quality based writing.

  3. Wander April 22, 2019 at 10:48 pm #

    Still the best explanation on the web!!

  4. Srini Musunuri November 22, 2018 at 2:22 pm #

    Even though this is an old post, I am very thankful for the explanation in simple terms. There was a lot of confusion about this. Thanks for this post.

  5. Stephane Pellegrino October 25, 2018 at 10:00 pm #

    nice and useful explanation !!


  6. パンプス 大人気 November 12, 2013 at 2:13 am #

    Hello there! This blog post could not be written any better!
    Looking through this article reminds me of my previous
    roommate! He always kept preaching about this. I am going
    to send this article to him. Fairly certain he’s going to have a good read.
    Thanks for sharing!

  7. Chris July 1, 2011 at 5:32 pm #

    Thanks very much Rhys.
    That’s what I have done but still getting SSPI errors. Oh well, try again.

    • RhysGoodwin July 1, 2011 at 8:50 pm #

      OK, a few more things to think about:
      - Is there any Kerberos delegation involved? What’s actually connecting to your SQL Server?
      - Use kerbtray on the client to see what tickets you’re getting.
      - Use Wireshark to look at Kerberos errors, first at the client then at any other box involved, e.g. app server etc.

  8. Chris July 1, 2011 at 3:57 pm #

    Hi Rhys, just found your blog, really useful.

    So when you look at the account domain\SQLSVC using adsi edit you will see the servicePrincipalName property set to MSSQLSvc/sql1 and MSSQLSvc/sql1.domain.com. Is that right?
    If you look at the machine account sql1 it will not have an entry for MSSQLSvc/sql1. Is that right?

    • RhysGoodwin July 1, 2011 at 4:15 pm #

      Yes, exactly right. And no, it shouldn’t have the same SPN registered against the computer account. It can happen though. Duplicate SPN issues are reported in domain controller event logs IIRC, but it pays to do a search for servicePrincipalName with a tool like Adexplorer, especially if it’s not a new install and you’re changing service accounts. I don’t think setspn warns about duplicates. Some apps try to register SPNs themselves if they have enough AD permission. I can’t remember what SQL Server does.
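
The servicePrincipalName search suggested in the reply above, as an added example that is not part of the original comments or the blog author's code: it reads an LDIF export of accounts and their servicePrincipalName values and reports any SPN held by more than one account. The sample LDIF is constructed from the names used in this thread, the function names are hypothetical, and the case-insensitive comparison is an assumption about how the directory matches SPNs.

```python
import base64
from collections import defaultdict

# Constructed sample LDIF (names follow the comment thread: SQLSVC service
# account, sql1 computer account). The stale SPN on SQL1 differs only in case.
SAMPLE_LDIF = """\
dn: CN=SQLSVC,OU=Service Accounts,DC=domain,DC=com
servicePrincipalName: MSSQLSvc/sql1:1433
servicePrincipalName: MSSQLSvc/sql1.domain.com:1433

dn: CN=SQL1,OU=Servers,DC=domain,DC=com
servicePrincipalName: HOST/sql1
servicePrincipalName: mssqlsvc/SQL1.domain.com:1433

dn: CN=WEB1,OU=Servers,DC=domain,DC=com
servicePrincipalName: HOST/web1
"""


def iter_spns(ldif_text):
    """Yield (dn, spn) pairs, handling folded lines and base64 ('::') values."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF continuation line
        else:
            lines.append(raw)
    dn = None
    for line in lines:
        if not line.strip():
            dn = None                     # blank line ends the record
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        value = value.strip()
        if attr.lower() == "dn":
            dn = value
        elif attr.lower() == "serviceprincipalname" and dn:
            yield dn, value


def find_duplicate_spns(ldif_text):
    """Map each SPN held by more than one account to the sorted DNs holding it."""
    owners = defaultdict(set)
    for dn, spn in iter_spns(ldif_text):
        owners[spn.casefold()].add(dn)    # assumption: SPNs compare case-insensitively
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}


if __name__ == "__main__":
    for spn, dns in find_duplicate_spns(SAMPLE_LDIF).items():
        print(f"DUPLICATE {spn}: " + " | ".join(dns))
```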


  1. Understanding Kerberos and NTLM authentication in SQL Server Connections | sccm road - August 12, 2013

    […] Simply explained SPN and Kerberos.. good blog! Another good article about Kerberos Constrained Delegation with SQL Server 2008 […]

  2. (2012-05-06) Setting Up SALESFORCE.COM With ADFS v2.0 « Jorge's Quest For Knowledge! - May 6, 2012

    […] more info on Kerberos SPNs see my Active Directory and Kerberos SPNs Made Easy […]

  3. SalesForce SSO with ADFS 2.0 – Everything you need to know - April 4, 2011

    […] more info on Kerberos SPNs see my Active Directory and Kerberos SPNs Made Easy […]

  4. MOSS Split Back-to-Back in the Real World - Part 1 :: Rhys Goodwin’s Weblog - June 27, 2009

    […] Previous Post […]
