The SQL Network Interface library was unable to register SPN
The SQL Network Interface library was unable to register SPN.
Problem
In the SQL Server error log you got the following message:
The SQL Network Interface library could not register the Service Principal Name (SPN) for the SQL Server service. Error: 0x2098, state: 15. Failure to register an SPN may cause integrated authentication to fall back to NTLM instead of Kerberos. This is an informational message. Further action is only required if Kerberos authentication is required by authentication policies.
To understand the error you can transcribe the error message 0x2098 in a more readable.
- - You can use the tools: Error Code lookup
https://www.microsoft.com/downloads/details.aspx?familyid=be596899-7bb8-4208-b7fc-09e02a13696c&displaylang=en
Puis exécuter la commande err.exe 2098 :
# for hex 0x2098 / decimal 8344 :
ERROR_DS_INSUFF_ACCESS_RIGHTS winerror.h
# Insufficient access rights to perform the operation.
# 1 matches found for "2098" - - Or go directly to the error codes at:
https://msdn.microsoft.com/en-us/library/ms681390(VS.85).aspx
ERROR_DS_INSUFF_ACCESS_RIGHTS 8344 (0x2098) |
Insufficient access rights to perform the operation. |
This error message indicates that the service account SQL server does not have sufficient rights to register the SPN.
Cause
SPNs are used by the Kerberos authentication protocol. If the account of the proceeding is known, the Kerberos authentication can be used to provide mutual authentication by the client and server. If the account of the proceedings is not known, NTLM authentication, which provides only authentication of the client by the server is used.
If you run SQL Server under the LocalSystem account, the SPN is automatically registered as SQL registering with the machine account that has the right to create an SPN default. So Kerberos interacts successfully with the server running SQL Server.
However, if you run SQL Server under a domain account or a local account, the attempt to create the SPN may fail. When creating the service principal name fails, this means that no SPN is set for the service that is running SQL Server.
Solution
Therefore, you must implement a solution to that the SPN is created for your SQL Server instance where you want to use the Kerberos protocol.
Method 1 : The method recommended by Microsoft Support. You can give in Active Directory rights below to the service account of SQL Server:
- Read servicePrincipalName
- Write servicePrincipalName
Method 2 : You can also give him the rights manually using the tool SetSPN.(https://msdn.microsoft.com/fr-fr/library/cc280459.aspx )
For SQL server Standalone
SetSPN -A MSSQLSvc/<ComputerName>.<DomainName>:<port> <AccountName>
So for a multi-server instance you must configure the SPN for each instance, for each instance of SQL Server usefulness port TCP / IP only. For the port of the proceeding open SQL Server Configuration Manager>> Right click the instance>> TCP / IP protocol (default port)
Pour un cluster
SetSPN -A MSSQLSvc/<virtualName>.<DomainName>:<port> <AccountName>
SetSPN -A MSSQLSvc/<virtualName>.<DomainName> <AccountName>
For an instance of SQL Server cluster, you must use the FQDN of the virtual SQL server. You must also configure the SPN with a port and a second SPN without the port.
Verification
Then you can confirm that the operation went smoothly with the following command:
SetSPN -L <AccountName>
SQL server side to check, you can use the DMV sys.dm_exec_connections with the column auth_scheme :
select auth_scheme from sys.dm_exec_connections where session_id=@@spid
If kerberos is used, you should see "KERBEROS".
Documentation
The SQL Network Interface library was unable to register SPN.
Problème
Dans les Error Logs SQL serveur vous obtenez le message d'erreur suivant :
**
La bibliothèque SQL Network Interface Impossible d'inscrire le nom principal service (SPN) pour le service SQL Server. Erreur : 0x2098. Échec d'inscrire un nom principal de service peut entraîner intégrée l'authentification revenir à NTLM au lieu de Kerberos. Ceci est un message d'information. Action supplémentaire n'est obligatoire si Kerberos authentification est requise par les stratégies d'authentification.
Pour comprendre l'erreur vous devez transcrire le message d'erreur 0x2098. Vous pouvez :
- - Soit utiliser l'outil ci-dessous: Error Code lookup
https://www.microsoft.com/downloads/details.aspx?familyid=be596899-7bb8-4208-b7fc-09e02a13696c&displaylang=en
Puis exécuter la commande err.exe 2098 :
# for hex 0x2098 / decimal 8344 :
ERROR_DS_INSUFF_ACCESS_RIGHTS winerror.h
# Insufficient access rights to perform the operation.
# 1 matches found for "2098" - - Soit consulter directement les codes d'erreurs à l'adresse suivante:
https://msdn.microsoft.com/en-us/library/ms681390(VS.85).aspx
ERROR_DS_INSUFF_ACCESS_RIGHTS 8344 (0x2098) |
Insufficient access rights to perform the operation. |
Ce message d'erreur indique que le compte de service SQL server n'a pas les droits suffisants pour enregistrer les SPN.
Cause
Les SPN sont utilisés par le protocole d'authentification Kerberos. Si le compte de l'instance est connu, l'authentification Kerberos peut être utilisée pour fournir une authentification mutuelle par le client et le serveur. Si le compte de l'instance n'est pas connu, l'authentification NTLM, qui fournit uniquement une authentification du client par le serveur, est utilisée.
Si vous exécutez le service SQL Server sous le compte LocalSystem, le nom principal de service est généralement enregistré car SQL s'enregistre avec le compte machine qui dispose du droit de créer un SPN par défaut. Kerberos interagit correctement avec le serveur qui exécute SQL Server.
Cependant, si vous exécutez le service SQL Server sous un compte de domaine ou un compte local au que le compte localsystem, la tentative de création du nom principal de service peut échouer. Lorsque la création du nom principal de service échoue, cela signifie qu'aucun nom principal de service n'est configuré pour le service qui exécute SQL Server.
Résolution
Par conséquent, vous devez mettre en œuvre une solution pour que le SPN soit créé pour votre instance SQL Server lorsque vous souhaitez utiliser le protocole Kerberos.
Méthode 1 : La méthode recommandée par le Support Microsoft. Vous pouvez donner dans Active Directory les droits ci-dessous au compte de service SQL Server :
- Read servicePrincipalName
- Write servicePrincipalName
Méthode 2 : Vous pouvez aussi créer le SPN manuellement avec l'outil SetSPN.(https://msdn.microsoft.com/fr-fr/library/cc280459.aspx )
Pour un SQL server Standalone
SetSPN -A MSSQLSvc/<ComputerName>.<DomainName>:<port> <AccountName>
Pour un serveur multi instance vous devez configurer le Server Principal Name (SPN) pour chaque instance, car chaque instance de SQL Server utilise un port TCP unique. Pour obtenir le port de l'instance ouvrez SQL Server Configuration Manager >> Clic droit sur l'instance >> TCP/IP protocole (default port)
Pour une instance virtuelle (cluster en cluster)
SetSPN -A MSSQLSvc/<virtualName>.<DomainName>:<port> <AccountName>
SetSPN -A MSSQLSvc/<virtualName>.<DomainName> <AccountName>
Pour une instance SQL server en cluster, vous devez utiliser le FQDN du server SQL virtuel. Vous devez configurer le Service Principal Name (SPN) premièrement en spécifiant un port puis un second SPN sans port.
Vérification
Ensuite vous pouvez confirmer que l'opération s'est bien déroulé avec la commande suivante :
SetSPN -L <AccountName>
Coté SQL server, vous pouvez utiliser la DMV sys.dm_exec_connections avec la colonne auth_scheme :
select auth_scheme from sys.dm_exec_connections where session_id=@@spid
Si kerberos est utilisé, vous devriez voir "KERBEROS".
Documentation
The SQL Network Interface library was unable to register SPN.
Problema
En las contrapartes de error de SQL Server recibe el mensaje de error siguiente:
La biblioteca SQL Network Interface no se pudo registrar el nombre principal de servicio (SPN) para el servicio de SQL Server. Error: 0x2098. Un error al registrar un SPN puede producir la autenticación integrada se retrocede a NTLM en lugar de Kerberos. Se trata de un mensaje informativo. Acción más sólo es necesario si se requiere autenticación por directivas de autenticación de Kerberos.
Para entender el error que transcribir el mensaje de error 0x2098 de una forma más legible. Usted puede:
- - O bien utilizar las herramientas a continuación: Error Code lookup
https://www.microsoft.com/downloads/details.aspx?familyid=be596899-7bb8-4208-b7fc-09e02a13696c&displaylang=en
Puis exécuter la commande err.exe 2098 :
# for hex 0x2098 / decimal 8344 :
ERROR_DS_INSUFF_ACCESS_RIGHTS winerror.h
# Insufficient access rights to perform the operation.
# 1 matches found for "2098" - - O marcando directamente los códigos de error en la dirección siguiente:
https://msdn.microsoft.com/es-es/library/ms681390(en-us,VS.85).aspx
ERROR_DS_INSUFF_ACCESS_RIGHTS 8344 (0x2098) |
Insufficient access rights to perform the operation. |
Este mensaje de error indica que el servidor de cuenta de servicio de SQL no tiene suficientes derechos para registrar el SPN.
Causa
SPN son utilizados por el protocolo de autenticación Kerberos. Si se sabe que la cuenta del procedimiento, la autenticación Kerberos puede ser utilizado para proporcionar autenticación mutua entre el cliente y el servidor. Si la cuenta de las actuaciones no se conoce, la autenticación NTLM, que proporciona sólo la autenticación del cliente por el servidor, se utiliza.
Si ejecuta SQL Server en la cuenta LocalSystem, el SPN se registra automáticamente como SQL registrarse en la cuenta de equipo que tiene el derecho a crear un defecto de SPN. Así Kerberos interactúa correctamente con el servidor que ejecuta SQL Server.
Sin embargo, si ejecuta SQL Server bajo una cuenta de dominio o una cuenta local, el intento de crear el SPN puede fallar. Al crear el nombre principal de servicio falla, esto significa que no SPN se establece para el servicio que se ejecuta SQL Server.
Resolución
Por lo tanto, debe implementar una solución para que el SPN se crea para la instancia de SQL Server donde desea utilizar el protocolo Kerberos.
Método 1 : El método recomendado por el Soporte Microsoft. Usted puede dar en el Directorio Activo de derechos por debajo de la cuenta de servicio de SQL Server :
- Read servicePrincipalName
- Write servicePrincipalName
Método 2 : También puede darle los derechos de forma manual utilizando la herramienta de
SetSPN.(https://msdn.microsoft.com/fr-fr/library/cc280459.aspx )
Para un SQL server Standalone
SetSPN -A MSSQLSvc/<ComputerName>.<DomainName>:<port> <AccountName>
Así que para una instancia de servidor de múltiples debe configurar el SPN para cada instancia, para cada instancia de SQL Server utilidad uno port TCP / IP. Para obtener el puerto del instancia abierto SQL Server Configuration Manager>> Haga clic en la instancia>> protocolo TCP / IP (puerto por defecto)
Para un clúster
SetSPN -A MSSQLSvc/<virtualName>.<DomainName>:<port> <AccountName>
SetSPN -A MSSQLSvc/<virtualName>.<DomainName> <AccountName>
De una instancia de clúster de SQL Server, debe utilizar el nombre completo del servidor virtual SQL. También debe configurar el SPN con un puerto y un SPN segundo sin el puerto.
Verificación
Entonces usted puede confirmar que la operación se desarrolló sin problemas con el siguiente comando:
SetSPN -L <AccountName>
Del lado del servidor SQL para la verificación, puede utilizar el DMV sys.dm_exec_connections con la columna auth_scheme :
select auth_scheme from sys.dm_exec_connections where session_id=@@spid
Si se utiliza Kerberos, debería ver "KERBEROS".
Documentación
How to: Enable Kerberos Authentication on a SQL Server Failover Cluster
https://msdn.microsoft.com/en-us/library/ms189585(SQL.90).aspx
Registering a Service Principal Name
https://msdn.microsoft.com/en-us/library/ms191153.aspx
How to configure SQL Server 2005 Analysis Services to use Kerberos authentication
https://support.microsoft.com/kb/917409
How to make sure that you are using Kerberos authentication when you create a remote connection to an instance of SQL Server 2005
https://support.microsoft.com/kb/909801
You cannot start the SQL Server Agent service of a failover cluster of SQL Server 2005 if the build of SQL Server is 3179 or a later build
https://support.microsoft.com/kb/943525
Registering Kerberos Service Principal Names
https://msdn2.microsoft.com/en-us/library/ms178119.aspx
How to Configure the Service Principal Name
https://msdn.microsoft.com/en-us/library/ms942980.aspx
How to troubleshoot the "Cannot generate SSPI context" error message
https://support.microsoft.com/kb/811889
Enable Kerberos authentication for virtual servers
https://technet.microsoft.com/en-us/library/cc780918.aspx
How to: Enable Kerberos Authentication on a SQL Server Failover Cluster
https://msdn.microsoft.com/en-us/library/ms189585(SQL.90).aspx
Best practices for configuring and operating server clusters
https://technet.microsoft.com/en-us/library/cc785714.aspx
How to use Kerberos authentication in SQL Server
https://support.microsoft.com/kb/319723/en-us
Michel Degremont | Microsoft EMEA
Product Support Services Developer - SQL Server Core Engineer |
Comments
- Anonymous
January 01, 2003
The comment has been removed - Anonymous
December 06, 2011
how to give the rights, is it in Active Directory or SQL server or Windows Server? You can give in Active Directory rights below to the service account of SQL Server:
- Read servicePrincipalName
- Write servicePrincipalName
- Anonymous
April 08, 2014
Giving going to be the Gift relating to going to be the Pen Drive
A corpora nike free run te birthday present could be the a welcome littl nike free run e bonus as well as between workers,nike free run,this is why and state of mind this is exactly - Anonymous
April 24, 2014
for no reason someone else's. and and consequently it's necessary fo Chaussures nike air max 90 r additional details on consid Chaussures Nike Free Run 3 er getting tennis shoes that leave breathing room as well as your you for those times when they can - Anonymous
April 25, 2014
then there are the sneakers and going to be the mountaineering a pair Nike Free run and Nike air max of boots made specially too going to be the use e nike free run verywhere in the sports,right now at least canvas with safety in mind to do with clothes - Anonymous
April 25, 2014
The comment has been removed - Anonymous
April 25, 2014
to have and there quality Nike Free Run .
: then all your family members have can come to educate yourself regarding Nike Free run and Nike air max going to be the entirely site. Fabric jogging shoes will want to receive approached much in the way a - Anonymous
April 25, 2014
a lot of unique shapes and sizes available Chaussures Nike Free Run 3 plus in Papillio Women Shoes a Chaussures nike air max 90 t this available on the internet store. Furthermore, A chunk of property having to do with it is certainly plausible are searching - Anonymous
April 25, 2014
between support and movement Cheap Nike Running You definitely have to worry about rarely want a mult Nike Free | Nike Air Max i function sporting goods that not only can they weigh you down.Basketball soccer drills for kids are an absolute must have - Anonymous
April 26, 2014
The comment has been removed - Anonymous
April 26, 2014
as described beyond People always Chaussures nike air max 90 Air max 90 homme comment about easiest way skirt border in order to completely and down, A lot relating to we all have made a decision to learn more about play this sp Air max 90 femme ort never - Anonymous
April 27, 2014
or at least Air Nike Free Run 3 Max Series.
you'll also find c Air max 90 femme ost your family much more thant $150 at local stores,Nike Free Run 3,going to be the a fast boat at the Air max 90 homme se all all your family members are training, Every - Anonymous
April 27, 2014
you not only can they some make an appointment with a great deal Air max 90 homme more of going to be the innovations all Chaussures nike air max 90 over the construct and material selection was able to find among Guess watches. Most it is certainly plausible - Anonymous
April 29, 2014
It very even more difficult for additional details on visit their available on t cheap nike running leggings h nike free run 3 review e web store if you don't have finding an all in one number items that your family want to get straight away! and Il bet - Anonymous
May 02, 2014
If going to be the footwear usually are you put them on at Nike Free run and Nike air max going to be the office all day,Nike Free run and Nike air max,exceed cheap nike running trainers ing The stores have already been adorned so that you have banners - Anonymous
May 02, 2014
Bo Nike Free Run 3 th games may be played Sunday, Approximate tipoff time is that often 6pm fo Chaussures Nike Free Run 3 r going to be the before anything else game to have the second game to learn more about follow. The idea is always that for more - Anonymous
May 03, 2014
Pirelli,Nike Free Run 3, Elvstrom.
and to Asian f Nike Free Run 3 ashion is the fact that increasingly p Air max 90 homme opular throughout the going to be the global market. These fashions instantly make a wearer part having to do with an identifiable - Anonymous
May 03, 2014
but take heart is the reaso Air max 90 homme n that really a bit 'more relaxed at going to be the same time leaving many Chaussures nike air max 90 comfort preferences and budget. In addition, Of course For an example i am going to have you any idea my - Anonymous
May 03, 2014
Nike Free | Nike Air Max baseball and soccer everywhere over the 24 hours a mult Nike Air Max i functional day! Baseball would be the fact a minumum of one of going to be the go above and beyond sports considering they are played as part of your United - Anonymous
May 03, 2014
The comment has been removed - Anonymous
May 04, 2014
but take heart also look a lot better These nike free run athletic shoes can be the case ordered avai Nike Free | Nike Air Max lable on the web a number of us at no time get marketing campaign able for additional details on get away back and forth from - Anonymous
May 04, 2014
The comment has been removed - Anonymous
May 04, 2014
There 're so many v Cheap Nike Running arieties avai cheap nike running clothes lable in your athletic shoes as well as for a man and lots of women as part of your market These available on the web stores bring they all are popular brands.all your family - Anonymous
May 04, 2014
shapes, females.
-- When element comes to you for more information regard Chaussures Nike Free Run 3 ing handbags,Chaussures Nike Free Run 3,but take heart because it rea Chaussures nike air max 90 ches one historical earning you money all over the - Anonymous
May 04, 2014
your family will consider getting something that really suits your requirem Chaussures nike air max 90 ents best.all your family members can have a multi function little a good time Chaussures Nike Free Run 3 doing going to be the project,Chaussures nike - Anonymous
May 04, 2014
and that all Nike Free | Nike Air Max your family members are receiving your purchase back and forth from a reputable Nike Air Max seller that has to offer great customer services so that you have an all in one user cute website. watches, Great players - Anonymous
July 24, 2014
Pour un cluster french to english translation for a cluster - Anonymous
December 03, 2014
nice! give people a french link! (http://msdn.microsoft.com/fr-fr/library/cc280459.aspx ) nice!