Re: SPN Requirement



Kerberos needs an SPN so if you want to use Kerberos, you'd
need to have an SPN. Kerberos is more secure than NTLM.
Additionally, some OS features such as delegation require
Kerberos. In the SQL world, delegation is needed when using
linked servers with Windows Authentication. You can pass
Kerberos tickets to the other server for authentication.
Without this you would authenticate with NTLM where the
credentials can't be passed from server to server and you
run into the "double hop" issue.
You register an SPN using the setspn utility. You can find
information on the utility at:
http://technet2.microsoft.com/WindowsServer/en/Library/b3a029a1-7ff0-4f6f-87d2-f2e70294a5761033.mspx?mfr=true

You can find a good overview of SQL Server and Kerberos at:
http://blogs.msdn.com/sql_protocols/archive/2005/10/12/479871.aspx

-Sue

On Thu, 28 Sep 2006 12:11:01 -0700, Brett S.
<BrettS@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

I need to know how and why to create an SPN for a default instance of
SQL2005. Does it have anything to do with Active Directory? I want to use
Kerberos or NTLM authentication.

Thanks
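
The registration described in the reply above, shown as an added example (not part of the original thread) for a default instance listening on TCP 1433. The host name, domain and service account are hypothetical placeholders. The `-Q` and `-S` switches need the setspn shipped with Windows Server 2008 or later; older copies only offer `-A`, which does not check for duplicates.

```powershell
# Hypothetical names: replace with your own host and service account.
$SqlHost    = 'sqlprod01.corp.example.com'   # FQDN of the SQL Server machine
$SqlPort    = 1433                           # default instance on the default TCP port
$SvcAccount = 'CORP\svc-sql'                 # domain account the SQL Server service runs as

# SPN for a TCP connection to the instance: MSSQLSvc/<FQDN>:<port>
$Spn = "MSSQLSvc/${SqlHost}:$SqlPort"

# 1. List the SPNs already present on the service account.
setspn -L $SvcAccount

# 2. Search the domain for the SPN. If it is registered on a different account
#    (for example the computer account after a service account change),
#    Kerberos fails for this service and clients fall back to NTLM.
setspn -Q $Spn

# 3. Register the SPN. -S refuses to add it when a duplicate exists.
#    Requires rights to write servicePrincipalName on the account.
setspn -S $Spn $SvcAccount

# 4. Confirm the registration.
setspn -L $SvcAccount

# 5. From a *different* machine, connect with Windows Authentication and
#    check which protocol the session actually negotiated.
$query  = 'SET NOCOUNT ON; SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID'
$scheme = (sqlcmd -E -S "tcp:$SqlHost,$SqlPort" -h -1 -W -Q $query | Select-Object -First 1)

if ($scheme -eq 'KERBEROS') {
    Write-Output "Session authenticated with Kerberos."
} else {
    # NTLM here means the SPN is missing, duplicated, or on the wrong account.
    Write-Warning "Session authenticated with '$scheme'; re-check the SPN with setspn -Q."
}
```

Run step 5 from a remote client, since a connection made on the SQL Server machine itself commonly reports NTLM even when the SPN is correct.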
