
How to use SPN to connect via SSMS

I've just completed registering our SQL Server 2008 R2 in AD with an SPN. I'm able to connect using SQLNCLI10.1 via OLEDB with the following keyword:

Server SPN=MSSQLSvc/server.domain.local

and once connected, the following query verifies that Kerberos is being used:

SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@spid;

result:

KERBEROS

However, I'm unable to figure out, or search the internet for information on, connecting within SSMS using the SPN. Adding the suggested keywords to "Additional Connection Parameters" just results in

Keyword not supported: 'serverspn'
Keyword not supported: 'server spn'

Is it possible to connect within SSMS using the SPN? If I do so without specifying the SPN, the test query returns:

NTLM

What commands did you use to create the SPNs?

You should have 2 SPNs for the service. 1 for server.domain.local and 1 for port 1433 (or whatever port your service is using).

Here are the examples from http://msdn.microsoft.com/en-us/library/ms191153.aspx :

setspn -A MSSQLSvc/myhost.redmond.microsoft.com:1433 accountname
setspn -A MSSQLSvc/myhost.redmond.microsoft.com accountname

Once the SPNs are created, then Windows Authentication should be all that you need to get Kerberos.

To verify what SPNs are created you can use the following:

setspn -l accountname

Additionally, if the service account has Write servicePrincipalName and Read servicePrincipalName permissions, it will automatically register the SPNs on startup.

See Clint's blog for more info: http://clintboessen.blogspot.com/2010/02/dynamically-set-spns-for-sql-service.html

Whenever you get NTLM it means that the SPN didn't register properly or that one of the accounts isn't on the domain. Otherwise, you should always get a KERBEROS connection. There are a couple of things you need in place to ensure you always get a KERBEROS connection.

  • Make sure the login exists on the domain which SQL Server runs on.
  • Make sure that the login has sufficient perms on AD, login used for SQL service.
  • Manually create an SPN: setspn -S MSSQLSvc/<domain.com> <login>. This command will check for duplicates before adding an SPN.
  • Above steps will ensure that the SPN is registered when you restart SQL server.

To verify a successful registration:

  • You can check in SSMS Management -> SQL Server Logs -> Current.
  • You could also run the following command in CMD: setspn -L MSSQLSvc/<domain.com> <login>

After you have verified that the server SPN registered successfully, you can login with a domain account and run your test command. You should always get KERBEROS after this.
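Putting the steps from both answers into one check, as an added example that is not from either answer or from Microsoft: the script below lists the SPNs registered for the service account with setspn -L, compares them with the two expected entries (host and host:port), looks for forest-wide duplicates with setspn -X, then opens a Windows-authenticated connection and runs the auth_scheme query from the question. The host, port, account and instance names are placeholders.

```powershell
# Added example (not from the original answers): verify the SPNs for a SQL Server
# service account, then check which auth scheme a Windows-authenticated connection
# actually negotiates. All names below are placeholders for your environment.
param(
    [string]$SqlHost        = 'server.domain.local',   # FQDN clients connect to
    [int]   $Port           = 1433,
    [string]$ServiceAccount = 'DOMAIN\sqlsvc',        # account SQL Server runs as
    [string]$Instance       = 'server.domain.local'   # name used in the connection string
)

# 1. Expected SPNs: one for the host and one for host:port, as in the MSDN example.
$expected = @("MSSQLSvc/$SqlHost", "MSSQLSvc/${SqlHost}:$Port")

# 2. Read what is registered for the account (setspn -L lists SPNs of an account).
$registered = & setspn.exe -L $ServiceAccount 2>&1 |
    ForEach-Object { "$_".Trim() } |
    Where-Object { $_ -like 'MSSQLSvc/*' }

foreach ($spn in $expected) {
    if ($registered -contains $spn) {
        Write-Host "OK       $spn"
    } else {
        Write-Warning "MISSING  $spn  (register with: setspn -S $spn $ServiceAccount)"
    }
}

# 3. A duplicate SPN anywhere in the forest silently falls back to NTLM, so check for it.
$dupes = & setspn.exe -X 2>&1 | Where-Object { "$_" -like '*MSSQLSvc/*' }
if ($dupes) { Write-Warning "Duplicate SPNs found:`n$($dupes -join "`n")" }

# 4. Open a Windows-authenticated connection and ask SQL Server which scheme it used.
$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "Server=$Instance,$Port;Integrated Security=SSPI"
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = 'SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID;'
    $scheme = [string]$cmd.ExecuteScalar()
    if ($scheme -eq 'KERBEROS') { Write-Host "Auth scheme: $scheme" }
    else { Write-Warning "Auth scheme: $scheme  (expected KERBEROS; check the SPNs above)" }
} finally {
    $conn.Dispose()
}
```

Run it from a domain-joined machine other than the SQL Server host, since a connection from the server to itself can take a different authentication path and mask an SPN problem.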
