Partager via

The SQL Network Interface library was unable to register SPN

  • Article

The SQL Network Interface library was unable to register SPN.

Problem

In the SQL Server error log you got the following message:

The SQL Network Interface library could not register the Service Principal Name (SPN) for the SQL Server service. Error: 0x2098, state: 15. Failure to register an SPN may cause integrated authentication to fall back to NTLM instead of Kerberos. This is an informational message. Further action is only required if Kerberos authentication is required by authentication policies.

To understand the error you can transcribe the error message 0x2098 in a more readable.

ERROR_DS_INSUFF_ACCESS_RIGHTS

8344 (0x2098)

Insufficient access rights to perform the operation.

This error message indicates that the service account SQL server does not have sufficient rights to register the SPN.

Cause

SPNs are used by the Kerberos authentication protocol. If the account of the proceeding is known, the Kerberos authentication can be used to provide mutual authentication by the client and server. If the account of the proceedings is not known, NTLM authentication, which provides only authentication of the client by the server is used.

If you run SQL Server under the LocalSystem account, the SPN is automatically registered as SQL registering with the machine account that has the right to create an SPN default. So Kerberos interacts successfully with the server running SQL Server.

However, if you run SQL Server under a domain account or a local account, the attempt to create the SPN may fail. When creating the service principal name fails, this means that no SPN is set for the service that is running SQL Server.

Solution

Therefore, you must implement a solution to that the SPN is created for your SQL Server instance where you want to use the Kerberos protocol.

Method 1 : The method recommended by Microsoft Support. You can give in Active Directory rights below to the service account of SQL Server:
- Read servicePrincipalName
- Write servicePrincipalName

Method 2 : You can also give him the rights manually using the tool SetSPN.(https://msdn.microsoft.com/fr-fr/library/cc280459.aspx )

For SQL server Standalone

SetSPN -A MSSQLSvc/<ComputerName>.<DomainName>:<port> <AccountName>

So for a multi-server instance you must configure the SPN for each instance, for each instance of SQL Server usefulness port TCP / IP only. For the port of the proceeding open SQL Server Configuration Manager>> Right click the instance>> TCP / IP protocol (default port)

Pour un cluster

SetSPN -A MSSQLSvc/<virtualName>.<DomainName>:<port> <AccountName>
SetSPN -A MSSQLSvc/<virtualName>.<DomainName> <AccountName>

For an instance of SQL Server cluster, you must use the FQDN of the virtual SQL server. You must also configure the SPN with a port and a second SPN without the port.

Verification

Then you can confirm that the operation went smoothly with the following command:
SetSPN -L <AccountName>

SQL server side to check, you can use the DMV sys.dm_exec_connections with the column auth_scheme :
select auth_scheme from sys.dm_exec_connections where session_id=@@spid
If kerberos is used, you should see "KERBEROS".

Documentation

The SQL Network Interface library was unable to register SPN.

Problème

Dans les Error Logs SQL serveur vous obtenez le message d'erreur suivant :

**

La bibliothèque SQL Network Interface Impossible d'inscrire le nom principal service (SPN) pour le service SQL Server. Erreur : 0x2098. Échec d'inscrire un nom principal de service peut entraîner intégrée l'authentification revenir à NTLM au lieu de Kerberos. Ceci est un message d'information. Action supplémentaire n'est obligatoire si Kerberos authentification est requise par les stratégies d'authentification.

Pour comprendre l'erreur vous devez transcrire le message d'erreur 0x2098. Vous pouvez :

ERROR_DS_INSUFF_ACCESS_RIGHTS

8344 (0x2098)

Insufficient access rights to perform the operation.

Ce message d'erreur indique que le compte de service SQL server n'a pas les droits suffisants pour enregistrer les SPN. 

Cause

Les SPN sont utilisés par le protocole d'authentification Kerberos. Si le compte de l'instance est connu, l'authentification Kerberos peut être utilisée pour fournir une authentification mutuelle par le client et le serveur. Si le compte de l'instance n'est pas connu, l'authentification NTLM, qui fournit uniquement une authentification du client par le serveur, est utilisée.

Si vous exécutez le service SQL Server sous le compte LocalSystem, le nom principal de service est généralement enregistré car SQL s'enregistre avec le compte machine qui dispose du droit de créer un SPN par défaut. Kerberos interagit correctement avec le serveur qui exécute SQL Server.

Cependant, si vous exécutez le service SQL Server sous un compte de domaine ou un compte local au que le compte localsystem, la tentative de création du nom principal de service peut échouer. Lorsque la création du nom principal de service échoue, cela signifie qu'aucun nom principal de service n'est configuré pour le service qui exécute SQL Server.

Résolution

Par conséquent, vous devez mettre en œuvre une solution pour que le SPN soit créé pour votre instance SQL Server lorsque vous souhaitez utiliser le protocole Kerberos.

Méthode 1 : La méthode recommandée par le Support Microsoft. Vous pouvez donner dans Active Directory les droits ci-dessous au compte de service SQL Server :
- Read servicePrincipalName
- Write servicePrincipalName

Méthode 2 : Vous pouvez aussi créer le SPN manuellement avec l'outil SetSPN.(https://msdn.microsoft.com/fr-fr/library/cc280459.aspx )

Pour un SQL server Standalone

SetSPN -A MSSQLSvc/<ComputerName>.<DomainName>:<port> <AccountName>

Pour un serveur multi instance vous devez configurer le Server Principal Name (SPN) pour chaque instance, car chaque instance de SQL Server utilise un port TCP unique. Pour obtenir le port de l'instance ouvrez SQL Server Configuration Manager >> Clic droit sur l'instance >> TCP/IP protocole (default port)

Pour une instance virtuelle  (cluster en cluster)

SetSPN -A MSSQLSvc/<virtualName>.<DomainName>:<port> <AccountName>
SetSPN -A MSSQLSvc/<virtualName>.<DomainName> <AccountName>

Pour une instance SQL server en cluster, vous devez utiliser le FQDN du server SQL virtuel. Vous devez configurer le Service Principal Name (SPN) premièrement en spécifiant un port puis un second SPN sans  port.

Vérification

Ensuite vous pouvez confirmer que l'opération s'est bien déroulé avec la commande suivante :
SetSPN -L <AccountName>

Coté SQL server, vous pouvez utiliser la DMV sys.dm_exec_connections avec la colonne auth_scheme :
select auth_scheme from sys.dm_exec_connections where session_id=@@spid
Si kerberos est utilisé, vous devriez voir "KERBEROS".

Documentation

 

The SQL Network Interface library was unable to register SPN.

Problema

En las contrapartes de error de SQL Server recibe el mensaje de error siguiente:

La biblioteca SQL Network Interface no se pudo registrar el nombre principal de servicio (SPN) para el servicio de SQL Server. Error: 0x2098. Un error al registrar un SPN puede producir la autenticación integrada se retrocede a NTLM en lugar de Kerberos. Se trata de un mensaje informativo. Acción más sólo es necesario si se requiere autenticación por directivas de autenticación de Kerberos.

 

Para entender el error que transcribir el mensaje de error 0x2098 de una forma más legible. Usted puede:

ERROR_DS_INSUFF_ACCESS_RIGHTS

8344 (0x2098)

Insufficient access rights to perform the operation.

Este mensaje de error indica que el servidor de cuenta de servicio de SQL no tiene suficientes derechos para registrar el SPN.

Causa

SPN son utilizados por el protocolo de autenticación Kerberos. Si se sabe que la cuenta del procedimiento, la autenticación Kerberos puede ser utilizado para proporcionar autenticación mutua entre el cliente y el servidor. Si la cuenta de las actuaciones no se conoce, la autenticación NTLM, que proporciona sólo la autenticación del cliente por el servidor, se utiliza.

Si ejecuta SQL Server en la cuenta LocalSystem, el SPN se registra automáticamente como SQL registrarse en la cuenta de equipo que tiene el derecho a crear un defecto de SPN. Así Kerberos interactúa correctamente con el servidor que ejecuta SQL Server.

Sin embargo, si ejecuta SQL Server bajo una cuenta de dominio o una cuenta local, el intento de crear el SPN puede fallar. Al crear el nombre principal de servicio falla, esto significa que no SPN se establece para el servicio que se ejecuta SQL Server.

Resolución

Por lo tanto, debe implementar una solución para que el SPN se crea para la instancia de SQL Server donde desea utilizar el protocolo Kerberos.

Método 1 : El método recomendado por el Soporte Microsoft. Usted puede dar en el Directorio Activo de derechos por debajo de la cuenta de servicio de SQL Server :
- Read servicePrincipalName
- Write servicePrincipalName

Método 2 : También puede darle los derechos de forma manual utilizando la herramienta de

SetSPN.(https://msdn.microsoft.com/fr-fr/library/cc280459.aspx )

Para un SQL server Standalone

SetSPN -A MSSQLSvc/<ComputerName>.<DomainName>:<port> <AccountName>

Así que para una instancia de servidor de múltiples debe configurar el SPN para cada instancia, para cada instancia de SQL Server utilidad uno  port TCP / IP. Para obtener el puerto del  instancia abierto SQL Server Configuration Manager>> Haga clic en la instancia>> protocolo TCP / IP (puerto por defecto)

Para un clúster

SetSPN -A MSSQLSvc/<virtualName>.<DomainName>:<port> <AccountName>
SetSPN -A MSSQLSvc/<virtualName>.<DomainName> <AccountName>

De una instancia de clúster de SQL Server, debe utilizar el nombre completo del servidor virtual SQL. También debe configurar el SPN con un puerto y un SPN segundo sin el puerto.

Verificación

Entonces usted puede confirmar que la operación se desarrolló sin problemas con el siguiente comando:
SetSPN -L <AccountName>

Del lado del servidor SQL para la verificación, puede utilizar el  DMV sys.dm_exec_connections  con la columna auth_scheme :
select auth_scheme from sys.dm_exec_connections where session_id=@@spid
Si se utiliza Kerberos, debería ver "KERBEROS".

Documentación

How to: Enable Kerberos Authentication on a SQL Server Failover Cluster
https://msdn.microsoft.com/en-us/library/ms189585(SQL.90).aspx

Registering a Service Principal Name
https://msdn.microsoft.com/en-us/library/ms191153.aspx

How to configure SQL Server 2005 Analysis Services to use Kerberos authentication
https://support.microsoft.com/kb/917409

How to make sure that you are using Kerberos authentication when you create a remote connection to an instance of SQL Server 2005
https://support.microsoft.com/kb/909801

You cannot start the SQL Server Agent service of a failover cluster of SQL Server 2005 if the build of SQL Server is 3179 or a later build
https://support.microsoft.com/kb/943525

Registering Kerberos Service Principal Names
https://msdn2.microsoft.com/en-us/library/ms178119.aspx

How to Configure the Service Principal Name
https://msdn.microsoft.com/en-us/library/ms942980.aspx

How to troubleshoot the "Cannot generate SSPI context" error message
https://support.microsoft.com/kb/811889

Enable Kerberos authentication for virtual servers
https://technet.microsoft.com/en-us/library/cc780918.aspx

How to: Enable Kerberos Authentication on a SQL Server Failover Cluster
https://msdn.microsoft.com/en-us/library/ms189585(SQL.90).aspx

Best practices for configuring and operating server clusters
https://technet.microsoft.com/en-us/library/cc785714.aspx

How to use Kerberos authentication in SQL Server
https://support.microsoft.com/kb/319723/en-us

Michel Degremont | Microsoft EMEA
Product Support Services Developer - SQL Server Core Engineer |

Comments

  • Anonymous
    January 01, 2003
    The comment has been removed
  • Anonymous
    December 06, 2011
    how to give the rights, is it in Active Directory or SQL server or Windows Server? You can give in Active Directory rights below to the service account of SQL Server:
  • Read servicePrincipalName
  • Write servicePrincipalName
  • Anonymous
    April 08, 2014
    Giving going to be the Gift relating to going to be the Pen Drive


    A corpora nike free run te birthday present could be the a welcome littl nike free run e bonus as well as between workers,nike free run,this is why and state of mind this is exactly
  • Anonymous
    April 24, 2014
    for no reason someone else's. and and consequently it's necessary fo Chaussures nike air max 90 r additional details on consid Chaussures Nike Free Run 3 er getting tennis shoes that leave breathing room as well as your you for those times when they can
  • Anonymous
    April 25, 2014
    then there are the sneakers and going to be the mountaineering a pair Nike Free run and Nike air max of boots made specially too going to be the use e nike free run verywhere in the sports,right now at least canvas with safety in mind to do with clothes
  • Anonymous
    April 25, 2014
    The comment has been removed
  • Anonymous
    April 25, 2014
    to have and there quality Nike Free Run .
    : then all your family members have can come to educate yourself regarding Nike Free run and Nike air max going to be the entirely site. Fabric jogging shoes will want to receive approached much in the way a
  • Anonymous
    April 25, 2014
    a lot of unique shapes and sizes available Chaussures Nike Free Run 3 plus in Papillio Women Shoes a Chaussures nike air max 90 t this available on the internet store. Furthermore, A chunk of property having to do with it is certainly plausible are searching
  • Anonymous
    April 25, 2014
    between support and movement Cheap Nike Running You definitely have to worry about rarely want a mult Nike Free | Nike Air Max i function sporting goods that not only can they weigh you down.Basketball soccer drills for kids are an absolute must have
  • Anonymous
    April 26, 2014
    The comment has been removed
  • Anonymous
    April 26, 2014
    as described beyond People always Chaussures nike air max 90 Air max 90 homme comment about easiest way skirt border in order to completely and down, A lot relating to we all have made a decision to learn more about play this sp Air max 90 femme ort never
  • Anonymous
    April 27, 2014
    or at least Air Nike Free Run 3 Max Series.
    you'll also find c Air max 90 femme ost your family much more thant $150 at local stores,Nike Free Run 3,going to be the a fast boat at the Air max 90 homme se all all your family members are training, Every
  • Anonymous
    April 27, 2014
    you not only can they some make an appointment with a great deal Air max 90 homme more of going to be the innovations all Chaussures nike air max 90 over the construct and material selection was able to find among Guess watches. Most it is certainly plausible
  • Anonymous
    April 29, 2014
    It very even more difficult for additional details on visit their available on t cheap nike running leggings h nike free run 3 review e web store if you don't have finding an all in one number items that your family want to get straight away! and Il bet
  • Anonymous
    May 02, 2014
    If going to be the footwear usually are you put them on at Nike Free run and Nike air max going to be the office all day,Nike Free run and Nike air max,exceed cheap nike running trainers ing The stores have already been adorned so that you have banners
  • Anonymous
    May 02, 2014
    Bo Nike Free Run 3 th games may be played Sunday, Approximate tipoff time is that often 6pm fo Chaussures Nike Free Run 3 r going to be the before anything else game to have the second game to learn more about follow. The idea is always that for more
  • Anonymous
    May 03, 2014
    Pirelli,Nike Free Run 3, Elvstrom.
    and to Asian f Nike Free Run 3 ashion is the fact that increasingly p Air max 90 homme opular throughout the going to be the global market. These fashions instantly make a wearer part having to do with an identifiable
  • Anonymous
    May 03, 2014
    but take heart is the reaso Air max 90 homme n that really a bit 'more relaxed at going to be the same time leaving many Chaussures nike air max 90 comfort preferences and budget. In addition, Of course For an example i am going to have you any idea my
  • Anonymous
    May 03, 2014
    Nike Free | Nike Air Max baseball and soccer everywhere over the 24 hours a mult Nike Air Max i functional day! Baseball would be the fact a minumum of one of going to be the go above and beyond sports considering they are played as part of your United
  • Anonymous
    May 03, 2014
    The comment has been removed
  • Anonymous
    May 04, 2014
    but take heart also look a lot better These nike free run athletic shoes can be the case ordered avai Nike Free | Nike Air Max lable on the web a number of us at no time get marketing campaign able for additional details on get away back and forth from
  • Anonymous
    May 04, 2014
    The comment has been removed
  • Anonymous
    May 04, 2014
    There 're so many v Cheap Nike Running arieties avai cheap nike running clothes lable in your athletic shoes as well as for a man and lots of women as part of your market These available on the web stores bring they all are popular brands.all your family
  • Anonymous
    May 04, 2014
    shapes, females.
    -- When element comes to you for more information regard Chaussures Nike Free Run 3 ing handbags,Chaussures Nike Free Run 3,but take heart because it rea Chaussures nike air max 90 ches one historical earning you money all over the
  • Anonymous
    May 04, 2014
    your family will consider getting something that really suits your requirem Chaussures nike air max 90 ents best.all your family members can have a multi function little a good time Chaussures Nike Free Run 3 doing going to be the project,Chaussures nike
  • Anonymous
    May 04, 2014
    and that all Nike Free | Nike Air Max your family members are receiving your purchase back and forth from a reputable Nike Air Max seller that has to offer great customer services so that you have an all in one user cute website. watches, Great players
  • Anonymous
    July 24, 2014
    Pour un cluster french to english translation for a cluster
  • Anonymous
    December 03, 2014
    nice! give people a french link! (http://msdn.microsoft.com/fr-fr/library/cc280459.aspx ) nice!