How to register an SPN for a non-service account which is used for cross-forest/domain lookups in SharePoint to enable Kerberos authentication?

Lingli Zhang (Beyondsoft) 0 Reputation points Microsoft Vendor
2023-07-12T05:38:04.9966667+00:00

Hi Everyone,

We are working on registering an SPN for a non-service account which is used for cross-forest/domain lookups in SharePoint to enable Kerberos authentication. However, as far as we know, only service accounts can register an SPN, right?

If so, is there any other way to enable Kerberos authentication for such a non-service account which is used for cross-forest/domain lookups in SharePoint?

Thanks


1 answer

  1. Emily Du-MSFT 44,311 Reputation points Microsoft Vendor
    2023-07-13T10:21:21.7366667+00:00

    A Service Principal Name (SPN) must be registered for the SQL Server service account in order for Kerberos authentication to work. When the Database Engine service starts, it attempts to register the Service Principal Name (SPN).

    And there is no other way to enable Kerberos authentication for a non-service account.

