Re: SPN Requirement
- From: Erik Bo Sørensen <ErikBoSrensen@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 10 Oct 2006 21:35:02 -0700
Dear Sue et al
Thank you Sue for translating the Error code (I'd better find out how to
translate these myself – that could have saved me – and this newsgroup – a
lot of time).
Making SQLSrvRunas member of Domain Admin and restarting SQL Server -
"solved the problem".
As Sue points out, making the SQL Service account a member of the domain
administrators group is of course not an acceptable solution - and would be in
conflict with the Microsoft hardening recommendations for secure database
servers:
“Run the SQL Server service using a least privileged account to minimize the
damage that can be done by an attacker who manages to execute operating
system commands from SQL Server. The SQL Server service account should not be
granted elevated privileges such as membership to the Administrators group.”
I’ll look into the blog Sue mentioned and will get back to conclude this
thread WHEN I’m wiser!
Thanks again Sue for your time and effort spent and wise advice!
--
Best regards
Bo
"Sue Hoegemeier" wrote:
That does tell you more about the Event ID though. Error
0x2098 is "insufficient access rights to perform operation".
The service account for SQL Server needs to be a domain
admin or local system to register in AD at startup. As long
as you have it correctly registered and are using a
static IP port, I would think you should be okay. I wouldn't
recommend changing the permissions for the service account -
too many security risks with doing that. The other thing I
remember is someone changing the permissions on the service
account to allow Write Public Information rights but I'd
suspect that's too many rights as well.
This blog has more information on what you are seeing:
http://blogs.msdn.com/sql_protocols/archive/2005/10/12/479871.aspx
-Sue
On Tue, 10 Oct 2006 11:56:02 -0700, Erik Bo Sørensen
<ErikBoSrensen@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Dear Sue et al
I haven't (yet) done any research for KDC error codes - I thought that to be
less relevant as the Application Log Event 26037:
Event Type: Information
Event Source: MSSQL$WEBPROD
Event Category: (2)
Event ID: 26037
Date: 10-10-2006
Time: 20:44:52
User: N/A
Computer: SQL01
Description:
The SQL Network Interface library could not register the Service Principal
Name (SPN) for the SQL Server service. Error: 0x2098. Failure to register an
SPN may cause integrated authentication to fall back to NTLM instead of
Kerberos. This is an informational message. Further action is only required
if Kerberos authentication is required by authentication policies.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: b5 65 00 00 0a 00 00 00 µe......
0008: 0e 00 00 00 53 00 51 00 ....S.Q.
0010: 4c 00 30 00 31 00 5c 00 L.0.1.\.
0018: 57 00 45 00 42 00 50 00 W.E.B.P.
0020: 52 00 4f 00 44 00 00 00 R.O.D...
0028: 00 00 00 00 ....
Indicates that NTLM will be used instead of Kerberos.
“I’ll be back”
(I tried to register MSSQLSvc/<ServerName>\<InstanceName> - but that didn’t
help at all …)
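Added example (not part of the thread): a Python triage helper that decodes the Event 26037 data dump quoted above into the event id and the UTF-16LE "Server\Instance" name, translates the 0x2098 code the way Sue did, and names the port-form SPN the instance would need. The sample event text and dump are the ones from this thread; the FQDN, the port and the label "unused" on the second DWORD are assumptions.

```python
import re
import struct
# Constructed sample input: the Event 26037 description and "Data:" dump as quoted in the thread.
EVENT_TEXT = "The SQL Network Interface library could not register the Service Principal Name (SPN) for the SQL Server service. Error: 0x2098."
EVENT_DATA_DUMP = r"""
0000: b5 65 00 00 0a 00 00 00 µe......
0008: 0e 00 00 00 53 00 51 00 ....S.Q.
0010: 4c 00 30 00 31 00 5c 00 L.0.1.\.
0018: 57 00 45 00 42 00 50 00 W.E.B.P.
0020: 52 00 4f 00 44 00 00 00 R.O.D...
0028: 00 00 00 00 ....
"""

# Win32 system error codes seen in this thread; on Windows, ctypes.FormatError(code) returns the same text.
KNOWN_ERRORS = {0x2098: "ERROR_DS_INSUFF_ACCESS_RIGHTS: insufficient access rights to perform operation"}
# One Event Viewer dump line: 4-digit offset, 1..8 hex byte columns, then an ASCII gutter we ignore.
HEX_LINE = re.compile(r"^[0-9a-fA-F]{4}:((?:\s[0-9a-fA-F]{2}(?=\s|$)){1,8})")

def dump_to_bytes(dump):
    """Rebuild the raw bytes from the hex columns of a 'Data:' dump."""
    raw = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line.strip())
        if m:
            raw.extend(int(h, 16) for h in m.group(1).split())
    return bytes(raw)

def parse_event_26037_data(dump):
    """Decode the payload: event id, a DWORD we do not interpret, then the instance name as UTF-16LE."""
    data = dump_to_bytes(dump)
    event_id, _unused, nchars = struct.unpack_from("<III", data, 0)
    # nchars counts wide characters including the terminating NUL (14 for 'SQL01\WEBPROD').
    name = data[12:12 + 2 * nchars].decode("utf-16-le").rstrip("\x00")
    return {"event_id": event_id, "instance": name, "wide_chars": nchars}

def error_code_from_text(text):
    m = re.search(r"Error:\s*0x([0-9a-fA-F]+)", text)
    return int(m.group(1), 16) if m else None

def describe_error(code):
    return KNOWN_ERRORS.get(code, f"unknown Win32 error 0x{code:04x}")

def triage(text, dump, fqdn, port):
    """Summarise why integrated auth falls back to NTLM for the instance named in the event."""
    info = parse_event_26037_data(dump)
    info["error"] = describe_error(error_code_from_text(text))
    info["kerberos_fallback"] = info["event_id"] == 26037
    info["spn_needed"] = f"MSSQLSvc/{fqdn}:{port}"  # port-form SPN for a static TCP port (fqdn/port assumed)
    return info
```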