Re: SetSPN problem

lakusha_at_excite.com
Date: 06/09/03


Date: Mon, 9 Jun 2003 13:25:36 -0400


Both PINGs resolve to Myserver.Mydomain.com

Yes, I think I'll have to open a case with MS. Thank you.

Have a nice day.

Eric

"Jasper Smith" <jasper_smith9@hotmail.com> wrote in message
news:#aBSifqLDHA.2228@tk2msftngp13.phx.gbl...
> You're right on the first KDC error, it's due to name resolution
>
> MSSQLSvc/MyServer:1433@MyDomain.COM
>
> it should be trying to find
>
> MSSQLSvc/MyServer.MyDomain.COM:1433
>
> what do you get for ping -a MyServer and ping -a ServerIPaddress ?
>
> It should resolve to MyServer.MyDomain.COM rather than anything
> else. The format it's in at the moment looks like the alternative logon
> type format where you can logon as joe@domain.com rather than
> domain\joe but I can't say that I've either used that format or know
> much about it. As to the second error, I've not seen that before and
> would guess that Win2k3 is the cause. Delegation is more finely
> controllable than on Windows 2000 so it definitely has changed but
> I've not used delegation in a Win2k3 environment yet so I'm afraid
> I can't offer much help on that. If you're convinced the domain, name
> resolution,accounts etc are all setup then I'd suggest contacting MS
> support to get some definitive help. Sorry that's not much use.
>
> --
> HTH
>
> Jasper Smith (SQL Server MVP)
>
> I support PASS - the definitive, global
> community for SQL Server professionals -
> http://www.sqlpass.org
>
> "lakusha@excite.com" <Lakusha@excite.com> wrote in message
> news:%230F8d9pLDHA.3664@tk2msftngp13.phx.gbl...
> Thanks Jasper, I really appreciate your help. English is not my primary
> language, so don't hesitate to ask for clarifications.
>
> The first problem is simply when starting the SQL service:
>
> 1. SuperSocket info: ConnectionListen(Shared-Memory (LPC)) : Error 5.
>
> followed by
>
> 2. SuperSocket info: (SpnRegister) : Error 8344.
>
>
> I know that error 8344 is a warning because the sql server service account
> didn't have enough permission to create its SPN in AD. If I use a domain
> admin account it disappears. The account that fails is trusted for
> delegation and has a valid SPN (MSSQLSvc/server.domain.com:1433).
>
> I also have some errors I can't explain in the logs. I tried with 2
> different servers but the errors aren't the same. They both have the error
> 8344 when starting the service.
>
> A) Server A (win2k adv Server)
>
> I get this error on the server & the client:
>
>
> The function InitializeSecurityContext received a Kerberos Error Message:
> on logon session
> Client Time:
> Server Time: 15:28:50.0000 6/9/2003 (null)
> Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
> Client Realm:
> Client Name:
> Server Realm: MyDomain.COM
> Server Name: krbtgt/MyDomain.COM
> Target Name: MSSQLSvc/MyServer:1433@MyDomain.COM
> Error Text:
> File:
> Line:
> Error Data is in record data.
>
> I think I understand this one: it doesn't find the SPN (but it should!).
> I haven't tried this syntax: MSSQLSvc/MyServer:1433@MyDomain.COM as this is
> the only place I've seen it.
>
> B) Server B (win2k3 server)
> A Kerberos Error Message was received:
> on logon session
> Client Time:
> Server Time: 14:26:11.0000 6/9/2003 Z
> Error Code: 0xe KDC_ERR_ETYPE_NOTSUPP
> Extended Error:
> Client Realm:
> Client Name:
> Server Realm: MyDomain.COM
> Server Name: krbtgt/MyDomain.COM
> Target Name: host/MyServer.MyDomain.com@MyDomain.COM
> Error Text:
> File: 9
> Line: ab8
> Error Data is in record data.
>
> Is there a new encryption scheme with Win2k3 that is not supported by
> Win2k?? I found nothing to support this and the documentation on this error
> is scarce.
>
>
>
> regards,
>
>
>
> Eric
>
>
>
>
> "Jasper Smith" <jasper_smith9@hotmail.com> wrote in message
> news:e4QZ1WILDHA.2236@TK2MSFTNGP09.phx.gbl...
> > If you can post the KDC error(s) from the client/server
> > I can have a look. I've spent a long time hitting my head
> > against a brick wall trying to get this to work on various
> > servers but I am fairly happy that it works as intended it
> > just seems to be a complete PITA to set up sometimes.
> >
> > --
> > HTH
> >
> > Jasper Smith (SQL Server MVP)
> >
> > I support PASS - the definitive, global
> > community for SQL Server professionals -
> > http://www.sqlpass.org
> >
> > "lakusha@excite.com" <Lakusha@excite.com> wrote in message
> > news:uj73HJGLDHA.1908@TK2MSFTNGP11.phx.gbl...
> > >
> > > Yes, I know. The problem is I CAN'T set it up with SETSPN and if I simply
> > > set it up with ADSIEDIT, it doesn't work. With kerberos logging enabled I
> > > have a truck load of errors in the log.
> > >
> > > I renamed the server, I tried using a domain admin account (it worked and
> > > the SPN entry in AD is an exact match to what we used with the normal domain
> > > account). I tried on another server (same errors).
> > >
> > > Next steps:
> > >
> > > 1. promote the account to domain admin and let it register itself and then
> > > demote it and see what happens (yeah, I'm desperate).
> > >
> > > 2. Call M$
> > >
> > > regards,
> > >
> > > Eric
> > >
> > > "Jasper Smith" <jasper_smith9@hotmail.com> wrote in message
> > > news:uZiSiaELDHA.1552@TK2MSFTNGP10.phx.gbl...
> > > > The SPN is on the service account object not the server
> > > > You will still get the SpnRegister error because the service
> > > > account will not have the permissions required to set it. This
> > > > is why you have to manually set it up. The only exceptions
> > > > are when SQL is run under Local System or the service
> > > > account is a member of domain administrators (neither of
> > > > which are a good idea from a security point of view)
> > > >
> > > > --
> > > > HTH
> > > >
> > > > Jasper Smith (SQL Server MVP)
> > > >
> > > > I support PASS - the definitive, global
> > > > community for SQL Server professionals -
> > > > http://www.sqlpass.org
> > > >
> > > > "lakusha@excite.com" <Lakusha@excite.com> wrote in message
> > > > news:Ozng0H6KDHA.2312@TK2MSFTNGP09.phx.gbl...
> > > > > My last post seems to have lost itself.
> > > > >
> > > > > Adding the SPN with ADSIEDIT works (users can login with trusted
> > > > > connections, but I'm not sure why;). But I still have
> > > > >
> > > > > SuperSocket info: (SpnRegister) : Error 8344.
> > > > >
> > > > >
> > > > >
> > > > > In the event log each time I start SQL server. And SETSPN -L Myserver
> > > > > returned "object not found"
> > > > >
> > > > >
> > > > >
> > > > > regards,
> > > > >
> > > > >
> > > > >
> > > > > Eric
> > > > >
> > > > >
> > > > >
> > > > > "Jasper Smith" <jasper_smith9@hotmail.com> wrote in message
> > > > > news:Oq#8lw3KDHA.456@TK2MSFTNGP12.phx.gbl...
> > > > > > Below is my stock answer to this but the bits that are
> > > > > > probably most useful to you are checking the name
> > > > > > resolution and enabling kerberos logging on the server(s)
> > > > > > and client (you don't need to do it on the DC). The KDC
> > > > > > error will help in troubleshooting the problem
> > > > > >
> > > > > >
> > > > > > It can be a serious PITA and yes the various docs are confusing :-)
> > > > > > First of all I wouldn't use setspn, I tend to use ADSI Edit
> > > > > > It's in the 2k support tools on any 2k server CD. However if you
> > > > > > want to use setspn then the syntax is :
> > > > > >
> > > > > > setspn -A MSSQLSvc/SQLNLB02.DOMSQL.COM:1433 NLBSQL02Svc
> > > > > >
> > > > > > This is for a server called SQLNLB02 in the domain DOMSQL.COM
> > > > > > with a SQL Service account of DOMSQL\NLBSQL02Svc
> > > > > >
> > > > > > You must also be able from the client to resolve the FQDN of the servers
> > > > > > involved using ping -a servername i.e. it must return
> > > > > >
> > > > > > Pinging SQLNLB02.DOMSQL.COM [xxx.xxx.xxx.xxx]
> > > > > >
> > > > > > and not
> > > > > >
> > > > > > Pinging SQLNLB02 [xxx.xxx.xxx.xxx]
> > > > > >
> > > > > >
> > > > > > Regardless of what anything else says, you just need to set up SPNs
> > > > > > for the service accounts of the two SQL Servers involved. e.g.
> > > > > >
> > > > > > I have 2 servers and 2 service accounts as below
> > > > > >
> > > > > > Server1 : SQLNLB01
> > > > > > ServiceAccount : NLBSQL01Svc
> > > > > >
> > > > > > Server2 : SQLNLB02
> > > > > > ServiceAccount : NLBSQL02Svc
> > > > > >
> > > > > > Using ADSI Edit right click on the NLBSQL01Svc in the Users
> > > > > > container and choose Properties. In the select a property to view
> > > > > > listbox choose servicePrincipalName and then add a SPN like so
> > > > > >
> > > > > > MSSQLSvc/SQLNLB01.DOMSQL.COM:1433
> > > > > >
> > > > > > (where the FQDN of the server is the server that uses the account
> > > > > > I'm editing as its SQL Service account). Do the same for the second
> > > > > > server and you should be up and running.
> > > > > >
> > > > > > What I find really useful is enabling Kerberos logging on all the
> > > > > > computers involved. This will write to the event log and you'll be
> > > > > > able to see exactly why it's failing.
> > > > > >
> > > > > > To enable Kerberos logging look at
> > > > > > http://support.microsoft.com/default.aspx?scid=kb;en-us;262177
> > > > > >
> > > > > > If you've got AD set up then it's generally a malformed SPN or
> > > > > > poor name resolution (make sure you can ping -a the server IP
> > > > > > addresses and get back a FQDN and not just a server name)
> > > > > >
> > > > > > This article also has some good stuff about Kerberos and SSPI
> > > > > > http://support.microsoft.com/default.aspx?scid=kb;en-us;811889
> > > > > >
> > > > > > and this one lists some of the kerberos errors you might see
> > > > > > http://support.microsoft.com/default.aspx?scid=kb;EN-US;230476
> > > > > >
> > > > > > --
> > > > > > HTH
> > > > > >
> > > > > > Jasper Smith (SQL Server MVP)
> > > > > >
> > > > > > I support PASS - the definitive, global
> > > > > > community for SQL Server professionals -
> > > > > > http://www.sqlpass.org
> > > > > >
> > > > > > "lakusha@excite.com" <Lakusha@excite.com> wrote in message
> > > > > > news:OhxhCB3KDHA.2216@TK2MSFTNGP12.phx.gbl...
> > > > > > >
> > > > > > > More info:
> > > > > > >
> > > > > > > We managed to set the SPN with adsiedit, but it still doesn't work.
> > > > > > >
> > > > > > >
> > > > > > > "Lakusha" <Lakusha@excite.com> wrote in message
> > > > > > > news:e5lwwdqKDHA.2052@TK2MSFTNGP11.phx.gbl...
> > > > > > > >
> > > > > > > > I can't create a SPN for SQL. The setspn.exe utility simply doesn't
> > > > > > > > return anything. No error, no message. I've tried most tips found in
> > > > > > > > this news group and in the KB.
> > > > > > > >
> > > > > > > > Context:
> > > > > > > >
> > > > > > > > Server is using TCP/IP in a win2k domain with AD
> > > > > > > > SQL service is running with a domain account
> > > > > > > > Both the account & the computer are trusted for delegation in AD
> > > > > > > > The account has "Password Never Expires"
> > > > > > > >
> > > > > > > > I tried:
> > > > > > > >
> > > > > > > > a) SETSPN -A MSSQLSvc/MyServer.MyCompany.com:1433 domainAccount
> > > > > > > >
> > > > > > > > b) SETSPN -A MSSQLSvc/MyServer.MyCompany.com:1433 MyCompany\domainAccount
> > > > > > > >
> > > > > > > > ...and many other variations.
> > > > > > > > I used the Kerberos tray to purge/refresh tickets. I tried registering sql
> > > > > > > > in AD. I tried too many things to list here. Many (most?) people seem to
> > > > > > > > solve the problem by using a domain admin account but this is not a good
> > > > > > > > option here.
> > > > > > > >
> > > > > > > > SETSPN simply doesn't return anything. Anybody have an idea what can
> > > > > > > > be wrong or how to debug it?
> > > > > > > >
> > > > > > > > I also tried adsiedit, but I'm not familiar with it and could not find the
> > > > > > > > user container. I found a user "folder" but it was empty.
> > > > > > > >
> > > > > > > > ps: the only thing not tried yet is to enable logging of kerberos events
> > > > > > > > since this also needs to be done on the DC and can affect its performance.
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > any help will be appreciated.
> > > > > > > >
> > > > > > > > Eric
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
>
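The checks Jasper's stock answer walks through (ping -a must return the FQDN, the MSSQLSvc/FQDN:port SPN must sit on the service account, and the account itself normally lacks the right to register it, hence error 8344) gathered into one script. This is an added example and not code from the thread; it uses PowerShell on a modern domain-joined host rather than the Windows 2000/2003 tooling the posters had. The server name MyServer, port 1433 and account name sqlsvc are hypothetical placeholders, and the duplicate-SPN search in step 3 goes beyond what the thread discusses (two objects holding the same SPN is a common reason Kerberos fails while NTLM keeps working, which can look like the "SPN is there but it still doesn't work" situation described above).

```powershell
# Added example, not code from the thread. Pre-flight check for a SQL Server
# MSSQLSvc SPN: name resolution, the SPNs actually set on the service account,
# and whether any other object already holds the same SPN.
# Hypothetical values: server MyServer, port 1433, account sqlsvc.
# Needs a domain-joined Windows host; uses in-box .NET/ADSI only (no RSAT).
function Test-SqlSpn {
    param(
        [string]$Server  = 'MyServer',
        [int]   $Port    = 1433,
        [string]$Account = 'sqlsvc'
    )
    $result = [ordered]@{}

    # 1. Forward and reverse lookup must both produce the FQDN. The client
    #    builds its target name from what the host name resolves to, so a
    #    short name here is what shows up as MSSQLSvc/MyServer:1433 in the
    #    KDC_ERR_S_PRINCIPAL_UNKNOWN event.
    $entry   = [System.Net.Dns]::GetHostEntry($Server)
    $fqdn    = $entry.HostName
    $ip      = ($entry.AddressList |
                Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
                Select-Object -First 1).IPAddressToString
    $reverse = [System.Net.Dns]::GetHostEntry($ip).HostName
    $result.Fqdn        = $fqdn
    $result.ForwardOk   = ($fqdn -match '\.')      # has a domain suffix
    $result.ReverseOk   = ($reverse -ieq $fqdn)    # same check ping -a does
    $expectedSpn        = "MSSQLSvc/${fqdn}:$Port"
    $result.ExpectedSpn = $expectedSpn

    # 2. Read the service account's servicePrincipalName and delegation bit.
    $root     = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$($root.defaultNamingContext)"
    $searcher.Filter     = "(&(objectCategory=person)(sAMAccountName=$Account))"
    [void]$searcher.PropertiesToLoad.AddRange(
        @('distinguishedName', 'servicePrincipalName', 'userAccountControl'))
    $acct = $searcher.FindOne()
    if (-not $acct) { throw "Service account '$Account' not found in AD" }
    $spns = @($acct.Properties['serviceprincipalname'])
    $uac  = [int]$acct.Properties['useraccountcontrol'][0]
    $result.AccountDn            = $acct.Properties['distinguishedname'][0]
    $result.AccountSpns          = $spns
    $result.HasExpectedSpn       = ($spns -icontains $expectedSpn)
    $result.TrustedForDelegation = (($uac -band 0x80000) -ne 0)  # TRUSTED_FOR_DELEGATION

    # 3. Any other object holding the same SPN (not covered by the thread):
    #    the KDC cannot pick a single key, Kerberos fails, NTLM still works.
    $searcher.Filter = "(servicePrincipalName=$expectedSpn)"
    $holders = @($searcher.FindAll() |
                 ForEach-Object { $_.Properties['distinguishedname'][0] })
    $result.OtherHolders = @($holders | Where-Object { $_ -ne $result.AccountDn })

    # 4. The fix in the form the thread settled on. It only succeeds for a
    #    caller with write access to servicePrincipalName on the account
    #    object, which the service account itself normally lacks (error 8344).
    if (-not $result.HasExpectedSpn -and $result.OtherHolders.Count -eq 0) {
        $result.Suggested = "setspn -A $expectedSpn $Account"
    }
    [pscustomobject]$result
}

Test-SqlSpn -Server 'MyServer' -Port 1433 -Account 'sqlsvc' | Format-List
```

Run it from a client machine as well as on the SQL host, since name resolution can differ between the two; the ReverseOk/ForwardOk fields correspond to the two ping -a checks in the thread, and a non-empty OtherHolders means the SPN should be removed from the stray object before (or instead of) adding it to the service account.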


