Re: Linked Servers - setspn - domain account

From: Mike Mortensen (mmortensen_at_#N#O#S#P#A#Mresolutionhealth.com)
Date: 05/27/03


Date: Tue, 27 May 2003 19:30:40 -0000


Thank you for your reply! I think my problem is somewhere in Kerberos.
I'll have to turn on the logging. FQDNs are returned with the ping, so
that part is ok.

OH! Now I understand how the setspn stuff is supposed to work! The SPN
is added to the USER, not the SERVER! I use the same user account for
the sql service on both machines, perhaps that is causing some sort of
conflict? Perhaps that kerberos logging will answer my question.

Thanks again!

"Jasper Smith" <jasper_smith9@hotmail.com> wrote in
news:eAVy81rIDHA.2232@TK2MSFTNGP11.phx.gbl:

> It can be a serious PITA and yes the various docs are confusing :-)
> First of all I wouldn't use setspn, I tend to use ADSI Edit
> It's in the 2k support tools on any 2k server CD. However if you
> want to use setspn then the syntax is :
>
> setspn -A MSSQLSvc/SQLNLB02.DOMSQL.COM:1433 NLBSQL02Svc
>
> This is for a server called SQLNLB02 in the domain DOMSQL.COM
> with a SQL Service account of DOMSQL\NLBSQL02Svc
>
> You must also be able from the client to resolve the FQDN of the
> servers involved using ping -a servername i.e. it must return
>
> Pinging SQLNLB02.DOMSQL.COM [xxx.xxx.xxx.xxx]
>
> and not
>
> Pinging SQLNLB02 [xxx.xxx.xxx.xxx]
>
>
> Regardless of what anything else says, you just need to set up SPN's
> for the service accounts of the two SQL Servers involved. e.g.
>
> I have 2 servers and 2 service accounts as below
>
> Server1 : SQLNLB01
> ServiceAccount : NLBSQL01Svc
>
> Server2 : SQLNLB02
> ServiceAccount : NLBSQL02Svc
>
> Using ADSI Edit right click on the NLBSQL01Svc in the Users
> container and choose Properties. In the select a property to view
> listbox choose servicePrincipalName and then add a SPN like so
>
> MSSQLSvc/SQLNLB01.DOMSQL.COM:1433
>
> (where the FQDN of the server is the server that uses the account
> I'm editing as it's SQL Service account). Do the same for the second
> server and you should be up and running.
>
> What I find really useful is enabling Kerberos logging on all the
> computers involved. This will write to the event log and you'll be
> able to see exactly why it's failing.
>
> To enable Kerberos logging look at
> http://support.microsoft.com/default.aspx?scid=kb;en-us;262177
>
> If you've got AD set up then it's generally a malformed SPN or
> poor name resolution (make sure you can ping -a the server IP
> addresses and get back a FQDN and not just a server name)
>
> This article also has some good stuff about Kerberos and SSPI
> http://support.microsoft.com/default.aspx?scid=kb;en-us;811889
>
> and this one lists some of the kerberos errors you might see
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;230476
>

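The checks Jasper describes above (an SPN of the form MSSQLSvc/FQDN:port on each SQL service account, and ping -a returning an FQDN) can be scripted against the output of setspn -L. The following is an added example, not code from the thread; the server names, accounts and registrations in demo() are constructed from the ones Jasper uses, and the duplicate-SPN check is an extra case beyond what the thread lists.

```python
import re
from collections import defaultdict

# Shape of a SQL Server SPN as used in the thread: MSSQLSvc/<FQDN>:<port>.
SPN_RE = re.compile(r"^MSSQLSvc/(?P<host>[^:/]+):(?P<port>\d{1,5})$", re.IGNORECASE)

def expected_spn(fqdn, port=1433):
    """SPN that must exist on the service account of the server at `fqdn`."""
    return f"MSSQLSvc/{fqdn}:{port}"

def spn_problems(spn):
    """Reasons an SPN string is malformed (empty list if it is well formed)."""
    m = SPN_RE.match(spn)
    if not m:
        return ["not of the form MSSQLSvc/<FQDN>:<port>"]
    return [] if "." in m.group("host") else ["host is a short name, not an FQDN"]

def audit(servers, registered):
    """servers: {fqdn: (service_account, port)}.
    registered: {service_account: [spn, ...]} as listed by `setspn -L <account>`.
    Reports SPNs that are missing, malformed, or registered on more than one account."""
    findings = {"missing": [], "malformed": [], "duplicate": []}
    for fqdn, (account, port) in servers.items():
        want = expected_spn(fqdn, port)
        have = {s.lower() for s in registered.get(account, [])}
        if want.lower() not in have:
            findings["missing"].append((account, want))
    owners = defaultdict(set)
    for account, spns in registered.items():
        for spn in spns:
            for why in spn_problems(spn):
                findings["malformed"].append((account, spn, why))
            owners[spn.lower()].add(account)
    for spn, accounts in sorted(owners.items()):
        if len(accounts) > 1:  # same SPN on two accounts: the KDC cannot pick one
            findings["duplicate"].append((spn, sorted(accounts)))
    return findings

def ping_returns_fqdn(ping_output):
    """True if the `ping -a` banner names a dotted FQDN rather than a short name."""
    m = re.search(r"Pinging\s+(\S+)\s+\[", ping_output)
    return bool(m) and "." in m.group(1)

def demo():
    # Constructed sample: server 2 has a short-name SPN and also carries server 1's SPN.
    servers = {"SQLNLB01.DOMSQL.COM": ("NLBSQL01Svc", 1433),
               "SQLNLB02.DOMSQL.COM": ("NLBSQL02Svc", 1433)}
    registered = {"NLBSQL01Svc": ["MSSQLSvc/SQLNLB01.DOMSQL.COM:1433"],
                  "NLBSQL02Svc": ["MSSQLSvc/SQLNLB02:1433", "MSSQLSvc/SQLNLB01.DOMSQL.COM:1433"]}
    return audit(servers, registered)
```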