OK, so I'm at my wits' end.

We have a system which works perfectly in our UAT environment (not HA) but will not work in live.

So the config is:

  • DNS A record to IIS box
  • binding in IIS on :80 to dnsname
  • HTTP/dnsname SPN

HA SQL 2014 cluster

  • dynamic ports off
  • standard port 1433 specified in TCP/IP config
  • named pipes enabled

All the service accounts running SQL across the cluster are now the same (MSAs). I thought that might have been the problem. Alas, no!

I now have (probably too many) SPNs registered against the thing:

setspn -l chdom\msaBOXSQL01SVC$
Registered ServicePrincipalNames for CN=msaBOXSQL01SVC,CN=Managed Service Accounts,DC=chdom,DC=mydomain,DC=local:
        MSSQLSvc/BOXSQL-APPDB01
        MSSQLSvc/BOXSQL-APPDB01:1433
        MSSQLSvc/BOXSQL01:1433
        MSSQLSvc/BOXSQL02:1433
        MSSQLSvc/BOXSQL03:1433
        MSSQLSvc/BOXSQL03
        MSSQLSvc/BOXSQL02
        MSSQLSvc/BOXSQL01
        MSSQLSvc/BOXSQL-APPDB01.chdom.mydomain.local:1433
        MSSQLSvc/BOXSQL03.chdom.mydomain.local:1433
        MSSQLSvc/BOXSQL02.chdom.mydomain.local:1433
        MSSQLSvc/BOXSQL01.chdom.mydomain.local:1433
        MSSQLSvc/BOXSQL-APPDB01.chdom.mydomain.local

Can anyone see what I've done wrong here? I think I have Google blindness at this stage.

Dan
  • Also, the HTTP/dnsname SPN is registered against the IIS box rather than a user, and the IIS box is enabled for Kerberos delegation in Active Directory – Dan Jun 10 '16 at 19:05
  • Also ran setspn -X to check for duplicate SPNs - came back negative – Dan Jun 10 '16 at 19:24

0 Answers