
Background

We are performing a server move. In the process, new servers and service accounts have been created. I'm getting two issues which I think are related to SPNs:

  1. I've created some SQL Linked servers (using 'current security context', i.e. windows authentication) and I'm getting error Login Failed for user NT AUTHORITY\ANONYMOUS LOGIN, but only when I use it from a client (not when I use it when connected from the server). Double hop anyone?

  2. We have a web app set up and as far as I can tell it doesn't function under Kerberos (just prompts for login then fails), but does function under NTLM.

Actual Questions

So I'd like to try and work out exactly what SPNs have been lodged in AD but I have two issues/confusions:

Issue 1:

When I type SetSPN -L MyDomain\MyServiceAccount1 I get

Ldap Error(0x22 -- Invalid DN Syntax): ldap_search_s

How do I get around this? Is there an AD browsing tool I can use to enumerate this? I guess it's because there is an invalid character it can't handle (there's a $ in it but surely that's common?)

Issue 2:

When I check the old server I typed these two things:

SetSPN -L ServerNameZ

I get a list of default SPNs, but no SQL Server ones,

i.e.

HOST/ServerNameZ

HOST/ServerNameZ.domain.local

When I type SetSPN -L MyDomain\MyOldServiceAccount

I get the SQL Server SPN:

MSSQLSvc/ServerNameZ.domain.local:63267

MSSQLSvc/ServerNameZ.domain.local:COL1

MSSQLSvc/ServerNameZ.domain.local:59082

MSSQLSvc/ServerNameZ.domain.local:COL2

Why doesn't the SQL Server SPN appear in the first server-centric list? Isn't that meant to list all SPNs against the server?

Nick.McDermaid
  • Give this tool a run and see what it says. I've had good luck using it to troubleshoot SPN issues on SQL. https://www.microsoft.com/en-us/download/details.aspx?id=39046 Here is a MS blog about the tool. http://blogs.msdn.com/b/analysisservices/archive/2013/05/23/released-kerberos-configuration-manager-for-sql-server.aspx I ran it from the local SQL server with no issues – Mass Nerder Jan 20 '16 at 16:19
  • Thanks for your comment. I'd like to avoid installing things on the server but I'll give it a try if I can't find anything else in a few days. – Nick.McDermaid Jan 20 '16 at 22:44
  • It's not an install. You can extract the file and copy it over to the server. It's a standalone exe. Or you can connect to the server remotely with the tool somewhere else – Mass Nerder Jan 20 '16 at 22:48
  • Thanks - I was a bit nervous about the .MSI but I installed it. I managed to connect to our old servers but our new servers gave me 'Unable to access User Principal Information from the system'. It did highlight something interesting though - some of the SPNs in the old system have been registered with a port that is dynamic. Thanks for your suggestion. – Nick.McDermaid Jan 20 '16 at 23:04
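An added example (not from the question or its comments): enumerating SPNs straight from AD with System.DirectoryServices, so a DOMAIN\account name never reaches setspn's DN parsing, and listing every account that holds an SPN naming a given host, which shows why a computer-object listing can miss MSSQLSvc SPNs that live on a service account. The account and host names are placeholders, and it assumes a domain-joined machine that can reach a domain controller.

```powershell
# Added example, not the poster's code. Reads servicePrincipalName directly from AD.
# Assumes a domain-joined host with line of sight to a DC; names below are placeholders.

function Get-AccountSpn {
    param([Parameter(Mandatory)][string]$Account)
    # Strip a leading "DOMAIN\" so the filter matches on sAMAccountName alone.
    $sam = $Account -replace '^[^\\]+\\', ''
    # Escape LDAP filter metacharacters (RFC 4515); a trailing '$' needs no escaping.
    $escaped = $sam -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(|(objectClass=user)(objectClass=computer))(sAMAccountName=$escaped))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'servicePrincipalName'))
    $result = $searcher.FindOne()
    if (-not $result) { throw "No user or computer account named '$sam' was found" }
    # Returns the SPNs registered on that one account object (what setspn -L reports).
    @($result.Properties['serviceprincipalname'])
}

function Find-SpnByHost {
    # Lists every account (computer or service account) holding an SPN that names the host.
    param([Parameter(Mandatory)][string]$HostName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(servicePrincipalName=*/$HostName*)"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'servicePrincipalName'))
    # Host must be followed by a port/instance separator or end of string, not a longer name.
    $pattern = '/' + [regex]::Escape($HostName) + '(:|$)'
    foreach ($r in $searcher.FindAll()) {
        foreach ($spn in $r.Properties['serviceprincipalname']) {
            if ($spn -match $pattern) {
                [pscustomobject]@{ Account = $r.Properties['samaccountname'][0]; SPN = $spn }
            }
        }
    }
}

# Placeholder names. The second call shows SPNs on the service account that a
# listing of the computer object alone would not show.
Get-AccountSpn -Account 'ServerNameZ$'
Get-AccountSpn -Account 'MyDomain\MyOldServiceAccount'

# An SPN registered on more than one account breaks Kerberos for that service
# (the KDC cannot pick a single key), so flag duplicates while you are here.
Find-SpnByHost -HostName 'ServerNameZ.domain.local' |
    Group-Object -Property SPN | Where-Object Count -gt 1 |
    ForEach-Object { Write-Warning ("Duplicate SPN {0} on: {1}" -f $_.Name, ($_.Group.Account -join ', ')) }
```

Run it from a domain-joined workstation as a domain user; reading servicePrincipalName needs no elevated rights, so nothing has to be installed on the server.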

0 Answers