This is a pretty handy thing to know: SPNs are used when a specific service/daemon uses Kerberos to authenticate against AD. They map a specific service, port, and object together with this convention:

    class/host:port/name

If you use a computer object to auth (such as Local Service):

    MSSQLSVC/tor-sql-01.domain.local:1433

If you use a user object to auth (such as a service account, or admin account):

    MSSQLSVC/username:1433

Why do we care about duplicate SPNs? If you have two entries trying to auth using the same Kerberos ticket (I think that's right...), they will conflict and cause errors and service failures.

To check for duplicate SPNs, run the command "setspn.exe -X":

    C:\Windows\system32>setspn -X
    Processing entry 7
    MSSQLSvc/server1.company.local:1433 is registered on these accounts:
            CN=SERVER1,OU=servers,OU=resources,DC=company,DC=local
            CN=SQL Admin,OU=service accounts,OU=resources,DC=company,DC=local
    found 1 groups of duplicate SPNs.

(truncated/s
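As an added example (not part of the original post), here is the same duplicate-SPN check written in PowerShell against the RSAT ActiveDirectory module, which also breaks each duplicate into the class/host:port/name parts described above. It assumes the ActiveDirectory module is installed and that the account running it can read servicePrincipalName (any domain user can by default).

```powershell
# Added example, not from the original post: find SPNs registered on more
# than one AD object, the same condition "setspn -X" reports.
Import-Module ActiveDirectory

# Every object that carries at least one SPN: computer accounts plus
# service/admin user accounts.
$objects = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' `
                        -Properties servicePrincipalName, objectClass

# One row per (SPN, account) pair. Kerberos matches SPNs case-insensitively,
# so normalise before grouping or "MSSQLSvc/..." and "MSSQLSVC/..." would
# look distinct here while still colliding at the KDC.
$rows = foreach ($obj in $objects) {
    foreach ($spn in $obj.servicePrincipalName) {
        [pscustomobject]@{
            SPN     = $spn.ToLowerInvariant()
            Account = $obj.DistinguishedName
            Class   = $obj.objectClass
        }
    }
}

# A duplicate is any SPN present on more than one distinct account.
$duplicates = $rows | Group-Object SPN | Where-Object {
    @($_.Group.Account | Sort-Object -Unique).Count -gt 1
}

foreach ($group in $duplicates) {
    # Split into class / host:port / name, per the convention in the post.
    $parts    = $group.Name -split '/', 3
    $hostPort = $parts[1] -split ':', 2
    $port     = if ($hostPort.Count -gt 1) { $hostPort[1] } else { '<none>' }
    $name     = if ($parts.Count -gt 2)    { $parts[2] }    else { '<none>' }

    Write-Output ("{0} is registered on these accounts:" -f $group.Name)
    Write-Output ("  class={0} host={1} port={2} name={3}" -f `
                  $parts[0], $hostPort[0], $port, $name)
    foreach ($row in ($group.Group | Sort-Object Account -Unique)) {
        Write-Output ("  [{0}] {1}" -f $row.Class, $row.Account)
    }
}

Write-Output ("found {0} groups of duplicate SPNs." -f @($duplicates).Count)
```

This only covers the domain the session is joined to; "setspn -X -F" extends the built-in check to the whole forest.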