Re: SSPI Context
From: Jasper Smith (jasper_smith9_at_hotmail.com)
Date: 08/23/05
Date: Tue, 23 Aug 2005 22:04:37 +0100
We tend to find they cause more trouble than they're worth and I'd actually
advise you delete any SPNs for the server/service account unless you
specifically need to be able to delegate. SSPI errors are generally SPN or
DNS related. A workaround is to connect using Named Pipes as only TCP/IP is
affected by these errors.
--
HTH

Jasper Smith (SQL Server MVP)
http://www.sqldbatips.com
I support PASS - the definitive, global
community for SQL Server professionals -
http://www.sqlpass.org

"DylanM" <DylanM@discussions.microsoft.com> wrote in message
news:A2FBA6C8-3F82-40AB-A19F-00D3633502D8@microsoft.com...
> Thanks for reply Jasper.
>
> I've just tried to set it to the domain account using EM, the SPN that was
> previously listed is no longer there but I get SSPI Context errors again.
>
> Is this something I should just leave to the AD administrators to fix? From
> what I read of the 'troubleshooting SSPI' and related articles, it seemed to
> suggest one was necessary..
>
> 'If you run the SQL Server service under the LocalSystem account, the SPN is
> automatically registered and Kerberos interacts successfully with the
> computer that is running SQL Server. However, if you run the SQL Server
> service under a domain account or under a local account, the attempt to
> create the SPN will fail in most cases because the domain account and local
> account do not have the right to set their own SPNs. When the SPN creation is
> not successful, this means that no SPN is set up for the computer that is
> running SQL Server.'
>
> Would reference to this article (section adding an SPN to a SQL Server) be
> the correct approach?
>
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adminsql/ad_security_2gmm.asp
>
> Thanks again
>
> "Jasper Smith" wrote:
>
>> Because it's the only one running under local system. A normal domain user
>> account generally doesn't have the rights to create an SPN. They are not
>> required for NT Authentication, the only time they are really required is if
>> you want to implement Kerberos delegation for linked server calls. And you
>> should always use EM to change the service account because it also needs to
>> set file and registry permissions for SQL that doing it through services
>> won't
>>
>> --
>> HTH
>>
>> Jasper Smith (SQL Server MVP)
>> http://www.sqldbatips.com
>> I support PASS - the definitive, global
>> community for SQL Server professionals -
>> http://www.sqlpass.org
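
A read-only check for the two causes named in the reply above (SPN and DNS), added here as an example and not part of the original posts. The host name and account name are placeholders, and it assumes a domain-joined Windows machine with PowerShell 3 or later.

```powershell
# Added example: both parameter defaults are placeholders, not values from the thread.
param(
    [string]$SqlHost        = 'sqlhost.example.com',  # FQDN clients use to reach SQL Server
    [string]$ServiceAccount = 'svc_sql'               # sAMAccountName the SQL Server service runs as
)

# 1. DNS: forward lookup, then reverse lookup of every address returned.
#    A name that does not round-trip makes the client build a different SPN
#    from the one registered in Active Directory.
$forward = [System.Net.Dns]::GetHostEntry($SqlHost)
foreach ($ip in $forward.AddressList) {
    try   { $reverse = [System.Net.Dns]::GetHostEntry($ip).HostName }
    catch { $reverse = '<no reverse record>' }
    $dnsState = if ($reverse -ieq $SqlHost) { 'OK' } else { 'MISMATCH' }
    '{0,-9} {1} -> {2} -> {3}' -f $dnsState, $SqlHost, $ip, $reverse
}

# 2. SPN: find every account in the directory holding an MSSQLSvc SPN for this host.
$searcher = [adsisearcher]"(servicePrincipalName=MSSQLSvc/$SqlHost*)"
[void]$searcher.PropertiesToLoad.Add('samaccountname')
[void]$searcher.PropertiesToLoad.Add('serviceprincipalname')

$holders = foreach ($entry in $searcher.FindAll()) {
    foreach ($spn in $entry.Properties['serviceprincipalname']) {
        if ($spn -like "MSSQLSvc/$SqlHost*") {
            [pscustomobject]@{
                Spn     = [string]$spn
                Account = [string]$entry.Properties['samaccountname'][0]
            }
        }
    }
}

if (-not $holders) { "No MSSQLSvc SPN is registered for $SqlHost" }

# An SPN held by two accounts, or by an account other than the one the
# service runs as, is reported; an SPN on HOSTNAME$ is the computer account
# (what LocalSystem registers).
foreach ($group in ($holders | Group-Object Spn)) {
    $accounts = @($group.Group.Account | Sort-Object -Unique)
    $spnState = if ($accounts.Count -gt 1)               { 'DUPLICATE' }
                elseif ($accounts[0] -ne $ServiceAccount) { 'OTHER ACCOUNT' }
                else                                      { 'OK' }
    '{0,-13} {1} held by {2}' -f $spnState, $group.Name, ($accounts -join ', ')
}
```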