SQL SPNs for 2 Node AON Cluster with 2x Instances and custom Ports

SChalakov 10,571 Reputation points MVP
2024-05-30T08:00:27.4866667+00:00

Hi everybody,

I read so many different suggestions in different forums and blog artciles that it made me question my understanding about the proper SPN registration for SQL. I have a pretty standard setup:

2 Node Cluster consisting of:

  • Node1.domain.com
  • Node2.domain.com

2 SQL Instances on each node, which are configured in an AlwaysOn Availability Group:

  • Node1\Instance1 (SQL Account: Domain\Account1)
  • Node1\Instance2 (SQL Account: Domain\Account2)
  • Node 2\Instance1 (SQL Account: Domain\Account1)
  • Node2\Insatnce 2 (SQL Account: Domain\Account2)

2 Always On Availability groups:

  • Listener 1, Port 56611 (Instance 1)
  • Listener2, Port 56622 (Instance 2)

Can you please tell what the proper SPNs should look like for this particular case?

Many thanks in advance for your reply!

Regards,

Stoyan

SQL Server
SQL Server
A family of Microsoft relational database management and analysis systems for e-commerce, line-of-business, and data warehousing solutions.
14,339 questions
{count} votes

Accepted answer
  1. LucyChen-MSFT 5,060 Reputation points Microsoft Vendor
    2024-05-31T09:21:03.6366667+00:00

    Hi @SChalakov ,

    Thanks for your feedback!

    To be honest most of them even don't register an SPN for the listener, but do that for the nodes.

    You can check out this article, I believe in the official document.

    As the article I provided in my last answer, they all have the same view:

    We use SQL Listener to connect with the primary replica in SQL Server Always On. We should create SPN for each availability group SQL Listener. It enables the Kerberos authentication for the client connection. We should use the same SQL Service account for all Availability group replicas.

    Based on the current situation, your instance on the same node has different service accounts. (Feel sorry I didn't see it clearly for the first time)

    So, my suggestion is you can register SPN for the nodes.

    If you want to register an SPN on the Listener, you can try the method I provided in the last answer, and we can use –L parameter with the setspn command to list all available SPN associated with a service account. (If you want to try whether it works on the listener.)

    setspn -L <Domain\Service Account>
    

    In addition, hope this article can give you more ideas.

    NOTE: What version of SQL Server are you using? This tool may help you if your version is SQL Server 2008 R2 to 2019.

    Feel free to share your issues here if you have any confused.

    Best regards,

    Lucy Chen


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our Documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    https://docs.microsoft.com/en-us/answers/support/email-notifications

    0 comments No comments

2 additional answers

Sort by: Most helpful
  1. SChalakov 10,571 Reputation points MVP
    2024-05-31T09:03:58.2966667+00:00

    Hi Lucy,

    what about the SPNs of the individual nodes? I've seen so many examples where they state that the SPNs of the nodes need to be registered too?

    To be honest most of them even don't register an SPN for the listener, but do that for the nodes.

    i am really confused, seems there no two same opinions here...

    Regards,

    Stoyan

    1 person found this answer helpful.
    0 comments No comments

  2. LucyChen-MSFT 5,060 Reputation points Microsoft Vendor
    2024-05-31T03:44:25.49+00:00

    Hi @SChalakov ,

    Thanks for your information.

    Please ensure you are a domain admin if you want to register SPN.

    We need to use FQDN of SQL Listener along with listener port to configure SPN for SQL Server Always On.

    You have the availability group Listener 1, and all configured to run under the domain account Domain\Account. The listener is configured to run with port 56611.

    setspn -A MSSQLSvc/Listener 1.Domain.com:56611 Domain\Account
    

    You can check out this article to know more.

    Please feel free to share your issue here if you have any confused.

    Best regards,

    Lucy Chen


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our Documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    https://docs.microsoft.com/en-us/answers/support/email-notifications

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.