I've just completed registering our SQL Server 2008 R2 in AD with an SPN. I'm able to connect using SQLNCLI10.1 via OLEDB with the following keyword:
Server SPN=MSSQLSvc/server.domain.local
and once connected, the following query verifies that Kerberos is being used:
SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@spid;
result:
KERBEROS
However, I'm unable to figure out, or find information on the internet about, connecting within SSMS using the SPN. Adding the suggested keywords to "Additional Connection Parameters" just results in
Keyword not supported: 'serverspn'
Keyword not supported: 'server spn'
Is it possible to connect within SSMS using the SPN? If I do so without specifying the SPN, the test query returns:
NTLM
What commands did you use to create the SPNs?
You should have 2 SPNs for the service: one for server.domain.local and one for port 1433 (or whatever port your service is using).
Here are the examples from http://msdn.microsoft.com/en-us/library/ms191153.aspx :
setspn -A MSSQLSvc/myhost.redmond.microsoft.com:1433 accountname
setspn -A MSSQLSvc/myhost.redmond.microsoft.com accountname
Once the SPNs are created, then Windows Authentication should be all that you need to get Kerberos.
To verify what SPNs are created you can use the following:
setspn -l accountname
Additionally, if the service account has Write servicePrincipalName and Read servicePrincipalName permissions, it will automatically register the SPNs on startup.
See Clint's blog for more info: http://clintboessen.blogspot.com/2010/02/dynamically-set-spns-for-sql-service.html
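The two-SPN registration and the setspn -l listing check described in the answer above, written out as an added PowerShell example (this is not code from the original post or from the linked articles). The host name, port and service account are placeholder assumptions; setspn -S is used rather than -A so that an SPN already registered elsewhere in the forest is refused instead of silently duplicated.

```powershell
# Added example (not from the original post): register both SPNs SQL Server needs
# for Kerberos and confirm they ended up on the service account.
# Assumed placeholder values - replace with your own host, port and account.
param(
    [string]$SqlHost = 'server.domain.local',   # FQDN clients put in the connection string
    [int]$Port       = 1433,                    # TCP port of the (default) instance
    [string]$Account = 'DOMAIN\svc_sql'         # account the SQL Server service runs as
)

# SQL Server needs the SPN both with and without the port.
$spns = @(
    "MSSQLSvc/${SqlHost}:${Port}",
    "MSSQLSvc/${SqlHost}"
)

foreach ($spn in $spns) {
    # -S checks the forest for a duplicate before adding. A duplicate SPN anywhere
    # breaks Kerberos for that service and clients quietly fall back to NTLM.
    & setspn -S $spn $Account
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "setspn returned $LASTEXITCODE while adding $spn (duplicate SPN or insufficient rights?)"
    }
}

# Equivalent of "setspn -l accountname": list what is registered and make sure
# both SPNs are present (setspn indents each SPN, hence the Trim).
$registered = (& setspn -L $Account) | ForEach-Object { $_.Trim() }
$missing = foreach ($spn in $spns) {
    if ($registered -notcontains $spn) { $spn }
}

if ($missing) {
    Write-Warning "SPNs still missing on ${Account}: $($missing -join ', ')"
} else {
    Write-Host "Both SPNs are registered on $Account; Windows Authentication should now negotiate Kerberos."
}
```

Run it from an elevated prompt with an account that can write servicePrincipalName on the service account (Domain Admin, or a delegated account). If the service account has the Write servicePrincipalName permission mentioned above, the setspn -S calls are redundant on a freshly restarted instance, but the listing check is still the quickest way to prove which of the two SPNs is actually there.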
Whenever you get NTLM, it means that the SPN didn't register properly or that one of the accounts isn't on the domain. Otherwise, you should always get a KERBEROS connection. There are a couple of things you need in place to ensure you always get a KERBEROS connection.
setspn -S MSSQLSvc/<domain.com> <login>
This command will check for duplicates before adding an SPN. To verify a successful registration:
Management -> SQL Server Logs -> Current
setspn -L <login>
After you have verified that the server SPN registered successfully, you can login with a domain account and run your test command. You should always get KERBEROS after this.
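The verification steps in the two answers above (the auth_scheme test query, the SQL Server Logs check, and the "NTLM means the SPN is wrong" diagnosis) run end to end from a domain-joined client, as an added PowerShell example that is not part of the original post. It assumes a default instance reachable as server.domain.local, that the caller has VIEW SERVER STATE for the per-session listing and is allowed to run xp_readerrorlog, and that klist is available on the client (Windows 7 / Server 2008 R2 and later).

```powershell
# Added example (not from the original post): open a plain Windows Authentication
# connection, confirm it negotiated Kerberos, list which sessions are still on NTLM,
# and read the SPN registration messages from the current SQL Server error log.
# Assumed placeholder value - replace with your own host.
param([string]$SqlHost = 'server.domain.local')

Add-Type -AssemblyName System.Data

# No "Server SPN" keyword here: SqlClient derives the SPN from the host name and
# port itself, so the SPNs registered in AD are what decide Kerberos vs. NTLM.
$connectionString = "Data Source=$SqlHost;Initial Catalog=master;Integrated Security=SSPI"
$conn = New-Object System.Data.SqlClient.SqlConnection $connectionString
$conn.Open()
try {
    # 1. The test query from the question, for this session.
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = 'SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID'
    $scheme = [string]$cmd.ExecuteScalar()
    Write-Host "This session authenticated with: $scheme"
    if ($scheme -ne 'KERBEROS') {
        Write-Warning 'NTLM fallback: SPN missing or duplicated, or the client/service account is not in the domain'
    }

    # 2. Every remote Windows-auth session and the scheme it got (needs VIEW SERVER STATE).
    #    Shared-memory (local) connections are excluded; they never cross the network.
    $cmd.CommandText = @'
SELECT s.login_name, c.client_net_address, c.auth_scheme
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s ON s.session_id = c.session_id
WHERE s.is_user_process = 1 AND c.net_transport <> 'Shared memory'
ORDER BY c.auth_scheme, s.login_name
'@
    $reader = $cmd.ExecuteReader()
    while ($reader.Read()) {
        '{0,-35} {1,-18} {2}' -f $reader['login_name'], $reader['client_net_address'], $reader['auth_scheme']
    }
    $reader.Close()

    # 3. What Management -> SQL Server Logs -> Current shows about the SPN, read with
    #    xp_readerrorlog (log 0 = current log, type 1 = SQL Server log, then a search string).
    $cmd.CommandText = "EXEC master.dbo.xp_readerrorlog 0, 1, N'Service Principal Name'"
    $reader = $cmd.ExecuteReader()
    while ($reader.Read()) { $reader['Text'] }
    $reader.Close()
}
finally {
    $conn.Close()
}

# Client-side corroboration: a Kerberos connection leaves a service ticket for the
# MSSQLSvc SPN in the local ticket cache; an NTLM connection leaves nothing here.
klist | Select-String -Pattern 'MSSQLSvc/'
```

If step 1 reports NTLM while the error log in step 3 says the SPN registered successfully, look for a second copy of the SPN on another account (setspn -X lists duplicates forest-wide) before suspecting the client; if the log instead says registration failed, the service account is missing the Write servicePrincipalName right from the first answer and the SPN has to be added by hand.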