Service Principal Name (SPN)

Did you know that beginning with SQL Server 2008, support for service principal names (SPNs) has been extended to enable mutual authentication across all protocols? Administrators can now define their own SPNs. SQL Server 2008 thus makes secure authentication more manageable and reliable by allowing clients to directly specify the SPN to use.

For more information, click here:

https://msdn2.microsoft.com/en-us/library/cc280459(SQL.100).aspx

----
Tres London
SQL Server Protocols
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights

Comments

  • Anonymous
    December 04, 2008
    Tres, we are getting the following error: The SQL Server Network Interface library could not register the Service Principal Name (SPN) for the SQL Server service. Error: 0x2098, state: 15. Failure to register an SPN may cause integrated authentication to fall back to NTLM instead of Kerberos. This is an informational message. Further action is only required if Kerberos authentication is required by authentication policies. OS is Windows 2008 Enterprise and SQL Server 2008. I tried to run the SQL Server with a local admin account and then with a domain account. Neither works. Any idea of such an issue on this platform? Prashant Thakwani

  • Anonymous
    December 04, 2008
    This is an expected message if the server runs under local admin or any domain account. If you run SQL as Network Service or Local System, then the service will have the ability to self-register its SPN. If you run SQL as any other account, you will see this error message. If you want to use Kerberos to connect to your SQL Server, you will need to manually register the SPN for the account that SQL Server is running under using the SetSPN tool. See this blog entry for more details: http://blogs.msdn.com/sql_protocols/archive/2005/10/12/479871.aspx

  • Anonymous
    January 22, 2009
    Matt, thanks for the reply. Even when I tried to run it through Local System, it was giving me the same error message. Actually, I got the solution and have posted it to the MSDN blog at http://social.msdn.microsoft.com/Forums/en-US/sqldatabaseengine/thread/772834e7-9b96-4e88-bdc5-aebff246bfb4/ Regards, Prashant Thakwani

  • Anonymous
    January 31, 2012
    Will a servername length greater than 15 characters prevent the SPN registration?  If so, is there a definitive statement of how servername length enters into this?
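
The manual SPN registration mentioned in the comments and the client-specified SPN described in the post, as an added example that is not part of the original post or its comments. The host name, port, service account and ODBC driver name are assumed placeholder values; the script checks which account holds the SPN, registers it if absent, then connects with an explicit `ServerSPN` and reports the negotiated authentication scheme.

```powershell
# Assumed, constructed values: replace with your own host, port and service account.
$SqlHost    = 'sqlhost01.corp.example.com'   # FQDN of the SQL Server machine
$SqlPort    = 1433                           # TCP port of the instance
$SvcAccount = 'CORP\svc-sql'                 # domain account running the SQL Server service
$Spn        = "MSSQLSvc/${SqlHost}:$SqlPort" # SPN form used for a TCP endpoint

function Get-SpnOwner {
    param([string]$Spn)
    # Return every account in the current domain that carries this SPN.
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    $searcher.FindAll() | ForEach-Object { [string]$_.Properties['samaccountname'][0] }
}

$owners = @(Get-SpnOwner -Spn $Spn)
$svcSam = $SvcAccount.Split('\')[-1]

if ($owners.Count -eq 0) {
    # -S adds the SPN only after checking the domain for duplicates.
    # Requires rights to write servicePrincipalName on the service account.
    setspn -S $Spn $SvcAccount
} elseif ($owners.Count -gt 1 -or $owners[0] -ne $svcSam) {
    # An SPN on the wrong account, or on several accounts, must be cleaned up first.
    Write-Warning "SPN $Spn is held by: $($owners -join ', ') (expected only $svcSam)"
} else {
    Write-Output "SPN $Spn is already registered on $svcSam"
}

# List everything registered on the service account for review.
setspn -L $SvcAccount

# Client side: name the SPN explicitly in the connection string.
# Assumes the SQL Server Native Client 10.0 ODBC driver is installed.
$connStr = "Driver={SQL Server Native Client 10.0};Server=tcp:$SqlHost,$SqlPort;" +
           "Trusted_Connection=yes;ServerSPN=$Spn"
$conn = New-Object System.Data.Odbc.OdbcConnection($connStr)
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    # Reading sys.dm_exec_connections needs VIEW SERVER STATE permission.
    $cmd.CommandText = 'SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID'
    $scheme = [string]$cmd.ExecuteScalar()
    if ($scheme -ne 'KERBEROS') {
        Write-Warning "Connection authenticated with $scheme, not Kerberos"
    } else {
        Write-Output 'Connection authenticated with Kerberos'
    }
} finally {
    $conn.Close()
}
```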