According to some of the documentation I've read, the service account for SQL Server will create an SPN when the database engine starts up, allowing for Kerberos authentication. I haven't been able to find any documentation that states what permission an account would need to create an SPN. So, what permissions would an account need to have (barring Domain Admin, if that's possible) in order to create an SPN?
2 Answers
Based on this MSDN article, and clarification by @Handyman5, the section "Delegating Authority to Modify SPNs" states:
If you need to allow delegated administrators to configure service principal names (SPNs), you must ensure that their user accounts have the Validated write to service principle name permission.
The permission to delegate Validated write to service principle name requires membership in Domain Admins, or equivalent.
Not necessarily; the link you gave mentions that all you need is to have the "Validated write to service principle name" permission delegated to your account or group. OP could create a group for "Keytab Admins" and delegate this permission only to it without needing to make everybody Domain Admins. – Handyman5 Nov 18 '11 at 07:01
Ah, so the line "Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure" means Domain Admin power is required to delegate that power, but the only required privilege is the ability to write to the SPN you've indicated? – billinkc Nov 18 '11 at 12:55
Yes, that's correct. – Handyman5 Nov 18 '11 at 19:00
Here's a nice blog post which describes how to create an AD group which has the permissions: https://danieladeniji.wordpress.com/2010/08/20/granting-microsoft-active-directory-users-groups-ability-to-set-service-principal-names-spn/ – Mark Iannucci Aug 12 '15 at 13:59
So I recently figured out how to do this. Follow the steps in the MSDN article about delegating the permission to Write SPNs.
However, you need to add one more permission for the account, other than the Validated Write to Service Principal Names permission that is mentioned in the MSDN article, and that is Write servicePrincipalName.
You need to add this permission in exactly the same fashion as the article instructs you for Validated Write to Service Principal Names (applies to computer objects, etc.).
Adding this permission allows you to write to the SPN attribute without needing Full Control, Domain Admin, or Write All Properties.
As a side note, if you only add the Validated Write to Service Principal Names permission, you will get the following error while trying to create an SPN, rather than Access Denied:
Failed to assign SPN on account LDAPName error 0x200b/8203 -> The attribute syntax specified to the directory service is invalid.
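As an added example (not code from either answer or from the MSDN article), this PowerShell script delegates both permissions the second answer describes, Validated write to service principal name and Write servicePrincipalName, to a group on an OU. The OU name "OU=ServiceAccounts,DC=corp,DC=example" and the group name "SPN-Admins" are assumptions, and the ACEs are applied to descendant user as well as computer objects on the assumption that the SQL Server service account is a user object.

```powershell
# Added example: delegate SPN write permissions to a group using the
# ActiveDirectory module's AD: drive. OU and group names below are assumed.
Import-Module ActiveDirectory

$ouDn  = "OU=ServiceAccounts,DC=corp,DC=example"
$group = Get-ADGroup -Identity "SPN-Admins"
$sid   = $group.SID

# schemaIDGUID of the servicePrincipalName attribute; the
# "Validated write to service principal name" right uses the same GUID.
$spnGuid       = [Guid]"f3a64788-5306-11d1-a9c5-0000f80367c1"
# Object classes the ACEs are inherited by (user accounts and computers).
$userClass     = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"
$computerClass = [Guid]"bf967a86-0de6-11d0-a285-00aa003049e2"

$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$acl = Get-Acl -Path "AD:\$ouDn"
foreach ($class in @($userClass, $computerClass)) {
    # 1) Validated write to service principal name (the right the MSDN article delegates)
    $validated = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::Self, $allow, $spnGuid, $inherit, $class
    # 2) Write servicePrincipalName (the extra ACE the second answer needed;
    #    without it setspn fails with error 0x200b/8203 instead of Access Denied)
    $writeSpn = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty, $allow, $spnGuid, $inherit, $class
    $acl.AddAccessRule($validated)
    $acl.AddAccessRule($writeSpn)
}
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify: list only the ACEs granted to the group that are scoped to the SPN attribute.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference.Value -like "*\SPN-Admins" -and $_.ObjectType -eq $spnGuid } |
    Format-Table IdentityReference, ActiveDirectoryRights, InheritedObjectType, InheritanceType -AutoSize
```

Run it as an account that can modify the OU's DACL (the Domain Admin step the first answer's comments describe); afterwards members of the group can run setspn against accounts in that OU without further rights.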