Поделиться через

Released: Microsoft Kerberos Configuration Manager for SQL Server v3.1

  • Статья

We are pleased to announce the latest generally-available (GA) of Microsoft Kerberos Configuration Manager for SQL Server.

Get it here: Download Microsoft Kerberos Configuration Manager for SQL Server

Kerberos authentication provides a highly secure method to authenticate client and server entities (security principals) on a network. To use Kerberos authentication with SQL Server, a Service Principal Name (SPN) must be registered with Active Directory, which plays the role of the Key Distribution Center in a Windows domain. In addition, many customers also enable delegation for multi-tier applications using SQL Server. In such a setup, it may be difficult to troubleshoot the connectivity problems with SQL Server when Kerberos authentication fails.

The Kerberos Configuration Manager for SQL Server is a diagnostic tool that helps troubleshoot Kerberos related connectivity issues with SQL Server, SQL Server Reporting Services, and SQL Server Analysis Services. It can perform the following functions:

  • Gather information on OS and Microsoft SQL Server instances installed on a server.
  • Report on all SPN and delegation configurations on the server.
  • Identify potential problems in SPNs and delegations.
  • Fix potential SPN problems.

This release (v 3.1) adds support for SQL Server 2016.

Also, for reference, the Kerberos Configuration Manager for SQL Server creates a log file in %AppData%\Microsoft\KerberosConfigMgr.

Note: Microsoft Kerberos Configuration Manager for SQL Server requires a user with permission to connect to the WMI service on any machine its connecting to. For more information, refer to Securing a Remote WMI Connection.

Comments

  • Anonymous
    February 01, 2017
    Just installed it in a local machine with SQL Server 2014 and got "Unable to access User Principal information from the System" error.What that means and how to solve this?Thank you.
    • Anonymous
      February 01, 2017
      Hello Vitor, are you running the tool in the machine itself, in a different machine in the same domain, or cross-domains?Can you also check the local Administrators group on that server (where you are running the tool), and check if there are orphaned entries (GUID instead of a resolved name). Users report that deleting those entries and restarting the Kerberos Configuration Manager tool solves the problem in this scenario.
      • Anonymous
        February 02, 2017
        The comment has been removed
        • Anonymous
          February 02, 2017
          We will be investigating this. Are you running the tool to connect remotely to those instances? And if so, are both your client and the target servers in the same domain?And can you please provide the log file in %appdata%\Microsoft\KerberosConfigMgr? Thank you!
          • Anonymous
            February 03, 2017
            There's always a log :)I'm running the tool locally in each of my 3 servers so I'm leaving the fields empty when trying to connect.Here's the log content:2/3/2017 4:36:22 AM Info: Connect to WMI, \root\cimv22/3/2017 4:36:34 AM Error: Access of system information failed System.Runtime.InteropServices.COMException (0x80070035): The network path was not found. at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) at System.DirectoryServices.DirectoryEntry.Bind() at System.DirectoryServices.DirectoryEntry.get_AdsObject() at System.DirectoryServices.PropertyValueCollection.PopulateList() at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName) at System.DirectoryServices.PropertyCollection.get_Item(String propertyName) at System.DirectoryServices.AccountManagement.SAMStoreCtx.ResolveCrossStoreRefToPrincipal(Object o) at System.DirectoryServices.AccountManagement.SAMMembersSet.MoveNextForeign() at System.DirectoryServices.AccountManagement.SAMMembersSet.MoveNext() at System.DirectoryServices.AccountManagement.FindResultEnumerator1.MoveNext() at System.Linq.Enumerable.Contains[TSource](IEnumerable1 source, TSource value, IEqualityComparer`1 comparer) at KerberosCM.WMIHelper.TryIsUserLocalAdmin(SystemInfo si, UserPrincipal user, Boolean& isLocalAdmin)
            • Anonymous
              February 03, 2017
              Thank you Vitor, we will look at this ASAP.
  • Anonymous
    February 01, 2017
    This tool do not show SPN for Reporting Services (SQL Server 2016 Ent SP1) Status field - "Unable to access the Reporting Services information. Verify the integrity of Reporting Services.". My SSRS works fine.
    • Anonymous
      February 02, 2017
      Hello, can you please make the log available for investigation? You can find the log in %appdata%\Microsoft\KerberosConfigMgr. Thank you
      • Anonymous
        May 03, 2017
        Hi,I have a similar issues as MaxRem. I'm also seeing “Unable to access the Reporting Services information. Verify the integrity of Reporting Services.” on a SQL 2014 (12.0.5000.0) SSRS Standard instance. Where can I send my log too?
        • Anonymous
          June 05, 2017
          Hello John, we are looking at how to address SSRS issues in a future release.
  • Anonymous
    February 01, 2017
    The comment has been removed
    • Anonymous
      February 01, 2017
      Hello Nicolas, presently it does not account for listeners in AG configurations. Thanks for the feedback and stay tuned.
      • Anonymous
        February 08, 2017
        The comment has been removed
  • Anonymous
    February 01, 2017
    When I try to connect to a remote machine in the same domain with the tool I get the "Unable to access User Principal information from the System" error message. Any ideas?
    • Anonymous
      February 01, 2017
      Hello Khoi, are you running the tool in the machine itself, in a different machine in the same domain, or cross-domains?Can you also check the local Administrators group on that server (where you are running the tool), make sure that you are in it (or run the tool in an elevated credentials, and look if there are orphaned entries (GUID instead of a resolved name). Users report that deleting those entries and restarting the Kerberos Configuration Manager tool solves the problem in this scenario.
  • Anonymous
    February 03, 2017
    Is there a way to configure the SPNs? The tool generates two SPNs in the form of:MSSQLSvc\fqnMSSQLSvc\fqn:portWhere all of our SPNs have been generated in the form of:MSSQLSvc\servername:portMSSQLSvc\fqn:portThe latter is the way we have always created our SPNs, and they are proven to work. Updating the configuration of the tool would allow us to use it without erroneous "Missing" reports, and generating cmd scripts that are unusable.
    • Anonymous
      February 03, 2017
      Hello Karl, there is no config or bypass for non-FQDN based SPNs. The tool generates (and checks) for SPNs as documented in https://msdn.microsoft.com/en-us/library/ms191153.aspx. This is also the SPN that is registered if you allow the service to self manage SPNs.Thank you for your feedback. We will evaluate for a future release.
  • Anonymous
    February 08, 2017
    Hello,Is there a way to import a list of servers from XML or text file? Checking each of our servers one at a time can be quite laborious. I was hoping the export/import XML would allow this option, but exporting also captures the results and server configuration details.
    • Anonymous
      February 08, 2017
      Hello, there is not. Thanks for the suggestion!
      • Anonymous
        February 09, 2017
        Alright, thanks for the confirmation. It would be great if this makes its way into a future release.