Re: SetSPN problem
lakusha_at_excite.com
Date: 06/06/03
- Next message: Jasper Smith: "Re: SetSPN problem"
- Previous message: Carlos Eduardo Rojas: "Re: Does PUBLIC override user-defined roles?"
- In reply to: Jasper Smith: "Re: SetSPN problem"
- Next in thread: Jasper Smith: "Re: SetSPN problem"
- Reply: Jasper Smith: "Re: SetSPN problem"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 6 Jun 2003 15:31:50 -0400
Yes, I know. The problem is I CAN'T set it up with SETSPN and if I simply
set it up with ADSIEDIT, it doesn't work. With kerberos logging enabled I
have a truck load of errors in the log.
I renamed the server, I tried using a domain admin account (it worked and
the SPN entry in AD is an exact match to what we used with the normal domain
account). I tried on another server (same errors).
Next steps:
1. promote the account to domain admin and let it register itself and then
demote it and see what happens (yeah, I'm desperate).
2. Call M$
regards,
Eric
"Jasper Smith" <jasper_smith9@hotmail.com> wrote in message
news:uZiSiaELDHA.1552@TK2MSFTNGP10.phx.gbl...
> The SPN is on the service account object not the server
> You will still get the SpnRegister error because the service
> account will not have the permissions required to set it. This
> is why you have to manually set it up. The only exceptions
> are when SQL is run under Local System or the service
> account is a member of domain administrators (neither of
> which are a good idea from a security point of view)
>
> --
> HTH
>
> Jasper Smith (SQL Server MVP)
>
> I support PASS - the definitive, global
> community for SQL Server professionals -
> http://www.sqlpass.org
>
> "lakusha@excite.com" <Lakusha@excite.com> wrote in message
> news:Ozng0H6KDHA.2312@TK2MSFTNGP09.phx.gbl...
> > My last post seems to have lost itself.
> >
> > Adding the SPN with ADSIEDIT works (users can login with trusted
> > connections, but I'm not sure why;). But I still have
> >
> > SuperSocket info: (SpnRegister) : Error 8344.
> >
> > In the event log each time I start SQL server. And SETSPN -L Myserver
> > returned "object not found"
> >
> > regards,
> >
> > Eric
> >
> > "Jasper Smith" <jasper_smith9@hotmail.com> wrote in message
> > news:Oq#8lw3KDHA.456@TK2MSFTNGP12.phx.gbl...
> > > Below is my stock answer to this but the bits that are
> > > probably most useful to you are checking the name
> > > resolution and enabling kerberos logging on the server(s)
> > > and client (you don't need to do it on the DC). The KDC
> > > error will help in troubleshooting the problem
> > >
> > >
> > > It can be a serious PITA and yes the various docs are confusing :-)
> > > First of all I wouldn't use setspn, I tend to use ADSI Edit.
> > > It's in the 2k support tools on any 2k server CD. However if you
> > > want to use setspn then the syntax is :
> > >
> > > setspn -A MSSQLSvc/SQLNLB02.DOMSQL.COM:1433 NLBSQL02Svc
> > >
> > > This is for a server called SQLNLB02 in the domain DOMSQL.COM
> > > with a SQL Service account of DOMSQL\NLBSQL02Svc
> > >
> > > You must also be able from the client to resolve the FQDN of the servers
> > > involved using ping -a servername i.e. it must return
> > >
> > > Pinging SQLNLB02.DOMSQL.COM [xxx.xxx.xxx.xxx]
> > >
> > > and not
> > >
> > > Pinging SQLNLB02 [xxx.xxx.xxx.xxx]
> > >
> > >
> > > Regardless of what anything else says, you just need to set up SPNs
> > > for the service accounts of the two SQL Servers involved. e.g.
> > >
> > > I have 2 servers and 2 service accounts as below
> > >
> > > Server1 : SQLNLB01
> > > ServiceAccount : NLBSQL01Svc
> > >
> > > Server2 : SQLNLB02
> > > ServiceAccount : NLBSQL02Svc
> > >
> > > Using ADSI Edit right click on the NLBSQL01Svc in the Users
> > > container and choose Properties. In the select a property to view
> > > listbox choose servicePrincipalName and then add a SPN like so
> > >
> > > MSSQLSvc/SQLNLB01.DOMSQL.COM:1433
> > >
> > > (where the FQDN of the server is the server that uses the account
> > > I'm editing as it's SQL Service account). Do the same for the second
> > > server and you should be up and running.
> > >
> > > What I find really useful is enabling Kerberos logging on all the
> > > computers involved. This will write to the event log and you'll be
> > > able to see exactly why it's failing.
> > >
> > > To enable Kerberos logging look at
> > > http://support.microsoft.com/default.aspx?scid=kb;en-us;262177
> > >
> > > If you've got AD set up then it's generally a malformed SPN or
> > > poor name resolution (make sure you can ping -a the server IP
> > > addresses and get back a FQDN and not just a server name)
> > >
> > > This article also has some good stuff about Kerberos and SSPI
> > > http://support.microsoft.com/default.aspx?scid=kb;en-us;811889
> > >
> > > and this one lists some of the kerberos errors you might see
> > > http://support.microsoft.com/default.aspx?scid=kb;EN-US;230476
> > >
> > > --
> > > HTH
> > >
> > > Jasper Smith (SQL Server MVP)
> > >
> > > I support PASS - the definitive, global
> > > community for SQL Server professionals -
> > > http://www.sqlpass.org
> > >
> > > "lakusha@excite.com" <Lakusha@excite.com> wrote in message
> > > news:OhxhCB3KDHA.2216@TK2MSFTNGP12.phx.gbl...
> > > >
> > > > More info:
> > > >
> > > > We managed to set the SPN with adsiedit, but it still doesn't work.
> > > >
> > > >
> > > > "Lakusha" <Lakusha@excite.com> wrote in message
> > > > news:e5lwwdqKDHA.2052@TK2MSFTNGP11.phx.gbl...
> > > > >
> > > > > I can't create a SPN for SQL. The setspn.exe utility simply doesn't return
> > > > > anything. No error, no message. I've tried most tips found in this news
> > > > > group and in the KB.
> > > > >
> > > > > Context:
> > > > >
> > > > > Server is using TCP/IP in a win2k domain with AD
> > > > > SQL service is running with a domain account
> > > > > Both the account & the computer are trusted for delegation in AD
> > > > > The account has "Password Never Expires"
> > > > >
> > > > > I tried:
> > > > >
> > > > > a) SETSPN -A MSSQLSvc/MyServer.MyCompany.com:1433 domainAccount
> > > > >
> > > > > b) SETSPN -A MSSQLSvc/MyServer.MyCompany.com:1433 MyCompany\domainAccount
> > > > >
> > > > > ...and many other variations.
> > > > > I used the Kerberos tray to purge/refresh tickets. I tried registering sql
> > > > > in AD. I tried too many things to list here. Many (most?) people seem to
> > > > > solve the problem by using a domain admin account but this is not a good
> > > > > option here.
> > > > >
> > > > > SETSPN simply doesn't return anything. Anybody have an idea what can be
> > > > > wrong or how to debug it?
> > > > >
> > > > > I also tried adsiedit, but I'm not familiar with it and could not find the
> > > > > user container. I found a user "folder" but it was empty.
> > > > >
> > > > > ps: the only thing not tried yet is to enable logging of kerberos events
> > > > > since this also needs to be done on the DC and can affect its performance.
> > > > >
> > > > > any help will be appreciated.
> > > > >
> > > > > Eric
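An added check for the two causes Jasper's stock answer names (an SPN on the service account that is missing or not in the MSSQLSvc/FQDN:port form, and ping -a returning a bare host name instead of the FQDN). This is example code written for this page, not from the thread; it runs offline on constructed samples of `setspn -L` and `ping -a` output rather than querying AD, and the account, host and domain names are the ones used in the thread.

```python
"""Offline sanity check of a SQL Server service account's SPNs.
Added example for this thread; parses constructed `setspn -L` and
`ping -a` output (no AD access) and reports what a client would hit."""
import re

# MSSQLSvc/<host>[:<port>]; Windows matches SPNs case-insensitively.
SPN_RE = re.compile(r"^MSSQLSvc/(?P<host>[^:/]+)(?::(?P<port>\d+))?$", re.I)

# Constructed sample of `setspn -L NLBSQL02Svc` output (names from the thread).
SAMPLE_SETSPN = """Registered ServicePrincipalNames for CN=NLBSQL02Svc,CN=Users,DC=DOMSQL,DC=COM:
        MSSQLSvc/SQLNLB02:1433
        MSSQLSvc/SQLNLB02.DOMSQL.COM:1433
"""
# Constructed first lines of `ping -a SQLNLB02` in the good and bad case.
SAMPLE_PING_OK = "Pinging SQLNLB02.DOMSQL.COM [xxx.xxx.xxx.xxx] with 32 bytes of data:"
SAMPLE_PING_BAD = "Pinging SQLNLB02 [xxx.xxx.xxx.xxx] with 32 bytes of data:"


def parse_setspn_list(output):
    """Return the SPN strings from `setspn -L` output, skipping the header."""
    spns = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.lower().startswith("registered serviceprincipalnames"):
            continue
        spns.append(line)
    return spns


def ping_resolves_fqdn(ping_output):
    """True when `ping -a` echoed a fully qualified name, not a bare host."""
    m = re.search(r"Pinging\s+(\S+)\s+\[", ping_output)
    return bool(m) and "." in m.group(1)


def check_sql_spns(spns, fqdn, port=1433):
    """Compare registered SPNs with the MSSQLSvc/FQDN:port entry that a client
    connecting by FQDN asks the KDC for. Returns (found, list of findings)."""
    expected = f"MSSQLSvc/{fqdn}:{port}".lower()
    found, findings = False, []
    for spn in spns:
        m = SPN_RE.match(spn)
        if not m:  # other SPN types on the account are not our concern here
            continue
        if "." not in m.group("host"):
            findings.append(f"short-name form (matches only NetBIOS-name connections): {spn}")
        if m.group("port") is None:
            findings.append(f"no port, will not match a port-qualified request: {spn}")
        if spn.lower() == expected:
            found = True
    if not found:
        findings.append(f"missing expected SPN MSSQLSvc/{fqdn}:{port}")
    return found, findings
```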