When connecting to sql server aoag using new dnn listener, authentication is by ntlmm. Is there a way to register spn for dnn like when using vnn so authentication method is kerberos.

Question

When connecting to sql server aoag using new dnn listener, authentication is by ntlmm. Is there a way to register spn for dnn like when using vnn so authentication method is kerberos.

Karl Layland 0

Sql 2019 aoag using dnn listener. Cannot get kerberos authentication

Seeya Xi-MSFT 16,586 Reputation points

2023-02-27T05:57:31.7133333+00:00

Hi @Karl Layland ,

We haven't heard from you yet. Can I ask if there is any update on this issue now? If you find the answer helpful, you can mark it.

1 answer

Your answer

Seeya Xi-MSFT 16,586 Reputation points

2023-02-27T05:57:31.7133333+00:00

Hi @Karl Layland ,

We haven't heard from you yet. Can I ask if there is any update on this issue now? If you find the answer helpful, you can mark it.

Answer 1

Seeya Xi-MSFT 16,586

Hi @Karl Layland ,

There are a few things you can check:

Verify that the SQL Server instances in the AOAG are running under a domain account, not a local account. Kerberos authentication requires domain accounts.

Ensure that the service principal names (SPNs) are correctly registered for the SQL Server instances and the DNN listener in Active Directory. You can use the "setspn" command-line tool to register SPNs.

Please refer to this MS blog:

https://techcommunity.microsoft.com/t5/sql-server-support-blog/searching-for-duplicate-spn-s-got-a-little-easier/ba-p/315651

Also, there is a useful tool for you: Microsoft® Kerberos Configuration Manager for SQL Server®

Best regards,

Seeya

If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Karl Layland 0 Reputation points

2023-02-23T07:49:13.19+00:00

Just to provide more detail, I am using gmsa for sql service accounts, I have spns registered in gmsa. kerberos auth works OK when connecting directly to sql servers but not when using dnn listener. I had no problem registering a vnn spn for listener, and kerberos auth works. But same doesn't work with a dnn listener. Hope that explains my scenario.
Seeya Xi-MSFT 16,586 Reputation points

2023-02-24T09:19:14.4966667+00:00

Hi,

With no errors in SPN, the local connection will use NTLM and the remote connection will use Kerberos. I tested this in my environment.

Are you connecting a listener on a node?
Karl Layland 0 Reputation points

2023-02-27T15:33:50.96+00:00

Hi Seeya, thanks for looking into this.

Yes am connecting using a DNN listener from remote server. (not local). I have added a second listener, this time a VNN and I am able to get kerberos authentication by adding SPN like this:

setspn -A MSSQLSvc/vnnlsnr.AZ.COM:1433 "WINSQL2019Z"

setspn -A MSSQLSvc/vnnlsnr.AZ.COM "WINSQL2019Z"

However for DNN I have tried same for registration:

setspn -A MSSQLSvc/dnnlsnr.AZ.COM:6789 "WINSQL2019Z"

setspn -A MSSQLSvc/dnnlsnr.AZ.COM "WINSQL2019Z"

But still getting NTLM Auth when connecting using "dnnlsnr,6789" ?

tutorial I followed:

https://learn.microsoft.com/en-us/azure/azure-sql/virtual-machines/windows/availability-group-distributed-network-name-dnn-listener-configure?view=azuresql

Thanks

Share via

When connecting to sql server aoag using new dnn listener, authentication is by ntlmm. Is there a way to register spn for dnn like when using vnn so authentication method is kerberos.

1 answer

Your answer