0

I am trying to configure Kerberos for my SQL Server (the database engine domain account). I have executed the following command:

SETSPN -A MSSQLSvc/MyDBServer:1433 MyDomain\SQLServerService

Replacing MyDBServer with the FQDN of the server and replacing MyDomain\SQLServerService with the name of my account.

I then ran the query:

SELECT s.session_id , c.connect_time , s.login_time , s.login_name , c.protocol_type , c.auth_scheme , s.HOST_NAME , s.program_name FROM sys.dm_exec_sessions s JOIN sys.dm_exec_connections c ON s.session_id = c.session_id

This returns NTLM. So it's not Kerberos. What am I mising? The delegation tab is available for the account, so the spn bit worked perfectly fine. Is it not required to set some settings in the delegation tab? I've seen this in the case of setting kerberos for Sharepoint 2010 (which I intend to setup).

Thanks

GurdeepS
  • 1,626
  • 5
  • 26
  • 33

2 Answers2

2

I have found I need to register SPNs for different syntax for describing sql server. For some reason sql uses different syntaxes along the way to authenticating. Register each of these formats.

MSSQLSvc/SqlServerName.perrigo.com:instancename
MSSQLSvc/SqlServerName:instancename
MSSQLSvc/SqlServerName.domainname.com:1433
MSSQLSvc/SqlServerName:1433
MSSQLSvc/SqlServerName.domainname.com
MSSQLSvc/SqlServerName
Hill5Air
  • 121
  • 3
1

Did you test with a connection on localhost?

There seems to be a fallback (probably for performance reasons as you do not need Kerberos on the local machine) to NTLM in some localhost cases, even if you have an SPN.

Have a look at: http://blogs.msdn.com/b/sql_protocols/archive/2006/12/02/understanding-kerberos-and-ntlm-authentication-in-sql-server-connections.aspx

schlenk
  • 183
  • 5
  • I tested by logging into the server and going to sql server, so I guess that is "a connection on localhost"? I saw a demo and the lecturer went on the local server anyway. Something surely is a miss? – GurdeepS Nov 18 '11 at 15:15