Kerberos, SPN for SQL Server: Which service account?
Hi,
We have SSRS running as domain account "mydomain\ssrs_svc" and SQL2008 running as domain account "mydomain\sql_svc". SQL2008 is running as the default instance on "sqlbox"
To set up SPNs for Kerberos, what should be the command for the SPN for SQL2008?
Is it
setspn -a MSSQLSvc/sqlbox:1433 mydomain\ssrs_svc
or
setspn -a MSSQLSvc/sqlbox:1433 mydomain\sql_svc
The link below says that the first option above is correct. It says "it does not matter which account SQL Server is running under"
http://callumhibbert.blogspot.com/2009/02/kerberos-delegation-and-sql-reporting.html
On the other hand, MS documentation is sort of vague about this and implies that second option above is correct.
http://download.microsoft.com/download/B/E/1/BE1AABB3-6ED8-4C3C-AF91-448AB733B1AF/SSRSKerberos.docx
None of the options work for me at the moment
setspn -a MSSQLSvc/sqlbox:1433 mydomain\ssrs_svc
produces
"The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server
sql_svc.....This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered
on, the account used by the server. "
setspn -a MSSQLSvc/sqlbox:1433 mydomain\sql_svc
produces
"KDC_ERR_BADOPTION"
November 22nd, 2010 2:43am
Hi James,
In order to configure Kerberos authentication for SQL Server Reporting Services (SSRS), we need to register SPNs for both SQL Server Reporting Services (SSRS) and SQL Server. We need to register at least the following two SPNs in this case:
setspn -a HTTP/<SSRSbox>:<port for the SSRS> mydomain\ssrs_svc
setspn -a MSSQLSvc/sqlbox:1433 mydomain\sql_svc
Additionally, please add the following two SPNs with the FQDN too:
setspn -a HTTP/<SSRSbox>.<domain>.<com>:<port for the SSRS> mydomain\ssrs_svc
setspn -a MSSQLSvc/sqlbox.<domain>.<com>:1433 mydomain\sql_svc
So, there are two steps to do:
Register SPN for SSRS:
http://msdn.microsoft.com/en-us/library/cc281382.aspx
Register SPN for SQL Server:
http://msdn.microsoft.com/en-us/library/ms191153.aspx
If you have any more questions, please feel free to ask.
Thanks,
Jin Chen
Jin Chen - MSFT
November 23rd, 2010 3:28am
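An added example, not part of the original thread or of any Microsoft tooling: a Python check over saved `setspn -L` output that flags SPNs that are missing, duplicated, or registered on an account other than the one running the service, which is the condition the KRB_AP_ERR_MODIFIED text quoted in the question describes. The host name `ssrsbox`, the `mydomain.com` suffix, and the sample output are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: concatenated `setspn -L` output after running BOTH
# commands from the question (host and domain names are placeholders).
SAMPLE = (
    "Registered ServicePrincipalNames for CN=ssrs_svc,CN=Users,DC=mydomain,DC=com:\n"
    "\tHTTP/ssrsbox\n"
    "\tMSSQLSvc/sqlbox:1433\n"
    "Registered ServicePrincipalNames for CN=sql_svc,CN=Users,DC=mydomain,DC=com:\n"
    "\tMSSQLSvc/sqlbox:1433\n"
)

# Assumption: each SPN belongs on the account its service runs as.
EXPECTED = {
    "HTTP/ssrsbox": "ssrs_svc",
    "MSSQLSvc/sqlbox:1433": "sql_svc",
    "MSSQLSvc/sqlbox.mydomain.com:1433": "sql_svc",
}

HEADER = re.compile(r"^Registered ServicePrincipalNames for CN=([^,]+),", re.I)

def parse_setspn(text):
    """Map each SPN (lower-cased) to the set of accounts that list it."""
    owners, account = defaultdict(set), None
    for line in text.splitlines():
        entry = line.strip()
        match = HEADER.match(entry)
        if match:
            account = match.group(1).lower()
        elif entry and account:
            owners[entry.lower()].add(account)
    return owners

def audit(text, expected):
    """Return sorted (spn, problem) pairs; an empty list means consistent."""
    owners, findings = parse_setspn(text), []
    for spn, want in expected.items():
        have = owners.get(spn.lower(), set())
        if not have:
            findings.append((spn, "missing"))
        elif len(have) > 1:
            findings.append((spn, "duplicate: " + ", ".join(sorted(have))))
        elif want.lower() not in have:
            findings.append((spn, "wrong account: " + next(iter(have))))
    return sorted(findings)

if __name__ == "__main__":
    for spn, problem in audit(SAMPLE, EXPECTED):
        print(f"{spn}: {problem}")
```

On the constructed sample it reports the short-name MSSQLSvc SPN as a duplicate held by both accounts and the FQDN SPN as missing.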
November 23rd, 2010 11:27am
I have done as you mentioned for both the SQL Server service account and the SSRS service (SPN and delegation in AD). It keeps asking me for the user name and password. I dug through the server logs:
KDC_ERR_PREAUTH_REQUIRED. Can you please help with where we need to look?
Anekm
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 13:27:1.0000 5/16/2011 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm:
Server Name:
SqlServerbox.win.org
Target Name:
Error Text:
File: 9
Line: d86
Error Data is in record data.
May 16th, 2011 9:14am