Re: SuperSocket Error 19011

From: Bill Cheng [MSFT] (billcheng@online.microsoft.com)
Date: 02/12/03


From: billcheng@online.microsoft.com (Bill Cheng [MSFT])
Date: Wed, 12 Feb 2003 07:48:35 GMT


Hi Graham,

I understand that the account has been added to the LOCAL ADMINISTRATORS
group and now the only warning message is: SuperSocket info: (SpnRegister) :
Error 8344.

In my experience, if you use a domain administrator account as the SQL
Server service account, it can usually register the SPN successfully. It
should use the DsWriteAccountSpn API call to register the SPN with Active
Directory. According to the documentation, the DsWriteAccountSpn function
registers the SPNs for one or more instances of a service. SPNs are used by
clients, in conjunction with a trusted authentication service, to
authenticate the service. To protect against security attacks where an
application or service fraudulently registers an SPN that identifies some
other service, the default DACL on user and computer accounts allows only
domain administrators to register SPNs in most cases.

One exception to this rule is that a service running under the LocalSystem
account can call DsWriteAccountSpn to register a simple SPN of the form
"ServiceClass/Host:Port" if the host specified in the SPN is the DNS or
NetBIOS name of the computer on which the service is running.

Since the domain account is a standard account, it may not have enough
privileges to register the SPN with AD. You may try to manually create the
SPN. You may check with an AD-specific newsgroup to see if this property can
be granted to the user (it should be a property), e.g.
microsoft.public.active.directory.interfaces.

For more information on DsWriteAccountSpn, visit the following Microsoft
website:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/ad/dswriteaccountspn.asp

This posting is provided "AS IS" with no warranties, and confers no rights.

Regards,
  
Bill Cheng
Microsoft Support Engineer
--------------------
| From: "Graham Stott" <graham.stott@7im.co.uk>
| References: <uMsSwPS0CHA.2592@TK2MSFTNGP10>
<9nFbRmZ0CHA.2136@cpmsftngxa08>
| Subject: Re: SuperSocket Error 19011
| Date: Tue, 11 Feb 2003 09:17:43 -0000
| Lines: 64
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2800.1106
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
| Message-ID: <OTG6i5a0CHA.1628@TK2MSFTNGP10>
| Newsgroups: microsoft.public.sqlserver.security
| NNTP-Posting-Host: 195.224.166.110
| Path: cpmsftngxa08!cpmsftngxa06!TK2MSFTNGP08!TK2MSFTNGP10
| Xref: cpmsftngxa08 microsoft.public.sqlserver.security:11508
| X-Tomcat-NG: microsoft.public.sqlserver.security
|
| Bill,
| Thanks for the reply. The SQL server runs under a standard domain user
| account with no extra privileges. When I add it to the local administrators
| group the error disappears but the warning message remains. I've added the
| log file to this message. What privileges should the account have in order
| to register with the AD? I've checked the server properties and they're set
| so that the server shouldn't be registering with the AD but I suppose that
| doesn't necessarily mean much.
|
| I'll look forward to your thoughts.
| Cheers,
| Graham
|
| ---- 8< ------------------------------------------
| 2003-02-11 08:52:47.76 server Microsoft SQL Server 2000 - 8.00.760
| (Intel X86)
| Dec 17 2002 14:22:05
| Copyright (c) 1988-2003 Microsoft Corporation
| Enterprise Edition on Windows NT 5.0 (Build 2195: Service Pack 3)
|
| 2003-02-11 08:52:47.80 server Copyright (C) 1988-2002 Microsoft
| Corporation.
| 2003-02-11 08:52:47.80 server All rights reserved.
| 2003-02-11 08:52:47.80 server Server Process ID is 836.
| 2003-02-11 08:52:47.80 server Logging SQL Server messages in file
| 'C:\Program Files\Microsoft SQL Server\MSSQL\log\ERRORLOG'.
| 2003-02-11 08:52:47.96 server SQL Server is starting at priority class
| 'normal'(1 CPU detected).
| 2003-02-11 08:52:49.05 server Performance monitor shared memory setup
| failed: -1
| 2003-02-11 08:52:49.51 server SQL Server configured for thread mode
| processing.
| 2003-02-11 08:52:49.55 server Using dynamic lock allocation. [2500] Lock
| Blocks, [5000] Lock Owner Blocks.
| 2003-02-11 08:52:49.65 server Attempting to initialize Distributed
| Transaction Coordinator.
| 2003-02-11 08:52:52.68 spid3 Starting up database 'master'.
| 2003-02-11 08:52:57.14 server Using 'SSNETLIB.DLL' version '8.0.760'.
| 2003-02-11 08:52:57.14 spid5 Starting up database 'model'.
| 2003-02-11 08:52:57.30 spid3 Server name is 'SQLSERVER'.
| 2003-02-11 08:52:57.34 spid3 Skipping startup of clean database id 6
| 2003-02-11 08:52:57.41 spid3 Skipping startup of clean database id 7
| 2003-02-11 08:52:57.41 spid3 Skipping startup of clean database id 8
| 2003-02-11 08:52:57.51 spid8 Starting up database 'msdb'.
| 2003-02-11 08:52:57.52 spid9 Starting up database 'TestDB'.
| 2003-02-11 08:52:58.35 server SQL server listening on 172.16.15.143:
| 1433.
| 2003-02-11 08:52:58.35 server SQL server listening on 127.0.0.1: 1433.
| 2003-02-11 08:52:59.26 server SQL server listening on TCP, Shared Memory,
| Named Pipes.
| 2003-02-11 08:52:59.33 server SQL Server is ready for client connections
| 2003-02-11 08:52:59.79 spid5 Clearing tempdb database.
| 2003-02-11 08:53:08.09 spid5 Starting up database 'tempdb'.
| 2003-02-11 08:53:10.30 spid3 Recovery complete.
| 2003-02-11 08:53:13.85 logon Login succeeded for user
| 'DOMAIN\SQLServerAcct'. Connection: Trusted.
| 2003-02-11 08:53:18.29 spid51 Using 'xpsqlbot.dll' version '2000.80.194'
| to execute extended stored procedure 'xp_qv'.
| 2003-02-11 08:53:19.74 logon Login succeeded for user
| 'DOMAIN\SQLServerAcct'. Connection: Trusted.
| 2003-02-11 08:53:39.77 logon Login succeeded for user
| 'DOMAIN\SQLServerAcct'. Connection: Trusted.
|
|
|
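The two rules Bill quotes from the DsWriteAccountSpn documentation (an SPN has the form ServiceClass/Host:Port, and a LocalSystem service may self-register such an SPN only for its own DNS or NetBIOS name), together with the ERRORLOG lines Graham posted, worked through as an added example. This code is not part of the original thread. It assumes MSSQLSvc as the service class (SQL Server's well-known SPN class, which the thread does not name), and the log lines it parses are constructed to match the ones posted above; the SpnRegister warning line is built from the text of Bill's reply.

```python
"""Check SPN shape and the SPNs a SQL Server instance should have registered.

Added example, not from the newsgroup thread. Encodes the documented rules
quoted in the reply and parses ERRORLOG lines like the ones posted.
Assumption: service class MSSQLSvc (SQL Server's well-known SPN class).
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# ServiceClass/Host[:Port][/ServiceName]; Host is a DNS or NetBIOS name.
_SPN_RE = re.compile(
    r"^(?P<cls>[^/:\s]+)/(?P<host>[^/:\s]+)(?::(?P<port>\d{1,5}))?(?:/(?P<name>\S+))?$"
)
_SERVER_NAME_RE = re.compile(r"Server name is '([^']+)'")
_LISTEN_RE = re.compile(r"SQL server listening on (\S+?):\s*(\d+)\.")
_SPN_WARN_RE = re.compile(r"SuperSocket info: \(SpnRegister\)\s*:\s*Error (\d+)")

# Constructed sample modelled on the posted ERRORLOG; the last line is built
# from the warning text quoted in the reply, not copied from the log.
SAMPLE_ERRORLOG = [
    "2003-02-11 08:52:57.30 spid3 Server name is 'SQLSERVER'.",
    "2003-02-11 08:52:58.35 server SQL server listening on 172.16.15.143: 1433.",
    "2003-02-11 08:52:58.35 server SQL server listening on 127.0.0.1: 1433.",
    "2003-02-11 08:52:59.26 server SQL server listening on TCP, Shared Memory, Named Pipes.",
    "2003-02-11 08:52:59.30 server SuperSocket info: (SpnRegister) : Error 8344.",
]


@dataclass(frozen=True)
class Spn:
    service_class: str
    host: str
    port: Optional[int]
    service_name: Optional[str]


def parse_spn(text: str) -> Spn:
    """Split an SPN into its parts; raise ValueError if it is malformed."""
    m = _SPN_RE.match(text)
    if not m:
        raise ValueError(f"not a well-formed SPN: {text!r}")
    port = int(m.group("port")) if m.group("port") else None
    if port is not None and not 1 <= port <= 65535:
        raise ValueError(f"port out of range in SPN: {text!r}")
    return Spn(m.group("cls"), m.group("host"), port, m.group("name"))


def localsystem_may_register(spn: Spn, dns_name: str, netbios_name: str) -> bool:
    """The documented exception: LocalSystem may register only a *simple*
    ServiceClass/Host:Port SPN, and only when Host is its own machine name.
    Anything else needs write access to servicePrincipalName (by default,
    domain administrators)."""
    if spn.port is None or spn.service_name is not None:
        return False
    return spn.host.lower() in {dns_name.lower(), netbios_name.lower()}


def expected_sql_spns(errorlog_lines: Iterable[str], service_class: str = "MSSQLSvc") -> Set[str]:
    """SPNs the instance would need: one per distinct TCP port it logs as
    listening on, using the server name it logs at startup."""
    host: Optional[str] = None
    ports: Set[int] = set()
    for line in errorlog_lines:
        m = _SERVER_NAME_RE.search(line)
        if m:
            host = m.group(1)
        m = _LISTEN_RE.search(line)
        if m:
            ports.add(int(m.group(2)))
    if host is None:
        return set()
    return {f"{service_class}/{host}:{p}" for p in sorted(ports)}


def spn_register_errors(errorlog_lines: Iterable[str]) -> List[int]:
    """Error codes from SuperSocket SpnRegister warnings, so a failed
    self-registration is noticed rather than silently left unregistered."""
    codes = []
    for line in errorlog_lines:
        m = _SPN_WARN_RE.search(line)
        if m:
            codes.append(int(m.group(1)))
    return codes


if __name__ == "__main__":
    for spn in sorted(expected_sql_spns(SAMPLE_ERRORLOG)):
        parsed = parse_spn(spn)
        ok = localsystem_may_register(parsed, "sqlserver.example.com", "SQLSERVER")
        print(f"{spn}: LocalSystem self-registration allowed = {ok}")
    print("SpnRegister errors:", spn_register_errors(SAMPLE_ERRORLOG))
```

Run against the posted log, the check yields a single expected SPN (both listeners are on port 1433) and surfaces the 8344 warning, which is the cue that the service account, a standard domain user here, lacked write access to its own servicePrincipalName attribute and the SPN has to be created by someone who has it.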