Friday, January 27, 2012

SCCM server with SQL db installed was unable to register service principal name (SPN)

In my case an SCCM server with the SQL Server 2005 service running under Local System (not recommended by SQL Server best practice) was unable to register its SPN in AD. The failure is also recorded in the Application log as event ID 26037 from source MSSQLSERVER:

The SQL Network Interface library could not register the Service Principal Name (SPN) for the SQL Server service. Error: 0x2098, state: 15. Failure to register an SPN may cause integrated authentication to fall back to NTLM instead of Kerberos. This is an informational message. Further action is only required if Kerberos authentication is required by authentication policies.

The reason for this behaviour is that someone (or something) had removed, from the computer account on which SCCM and SQL were installed, the permission that allows the account to register its own SPN:



In the properties of the computer account you can see that the permission Validated write to service principal name is missing. After allowing that permission, the SPN for the SQL server was successfully registered in AD.
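The following PowerShell script is an added example, not part of the original post, showing how to verify the two things described above from a management host: whether the expected MSSQLSvc SPN is present on the computer account, and whether the account (NT AUTHORITY\SELF) still holds the "Validated write to service principal name" right. It assumes the RSAT ActiveDirectory module, a SQL service running as Local System (so the SPN belongs to the computer account, as on this page), a default instance on port 1433, and the placeholder computer name SCCM01. The GUID f3a64788-5306-11d1-a9c5-0000f80367c1 is the well-known GUID of the Validated-SPN validated-write right; the optional -Repair switch re-adds that ACE, which is the fix the post describes.

```powershell
# Added example (not from the original post): audit whether a SQL Server computer
# account can register its own SPN, and whether the MSSQLSvc SPN is present.
# Assumptions: RSAT ActiveDirectory module available; SQL runs as Local System, so
# the SPN lives on the computer account; computer name and port are placeholders.
param(
    [string]$ComputerName = 'SCCM01',   # placeholder computer account name
    [int]$Port = 1433,                  # default instance port
    [switch]$Repair                     # add the missing validated-write ACE if set
)

Import-Module ActiveDirectory

# GUID of the "Validated write to service principal name" (Validated-SPN) right.
$ValidatedSpnGuid = [Guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'
# Well-known SID for NT AUTHORITY\SELF, the principal the computer uses on itself.
$SelfSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-10')

$computer = Get-ADComputer -Identity $ComputerName -Properties ServicePrincipalNames, DNSHostName
$expectedSpn = "MSSQLSvc/$($computer.DNSHostName):$Port"

# 1. Is the SQL SPN actually registered on the computer account?
if ($computer.ServicePrincipalNames -contains $expectedSpn) {
    Write-Host "SPN present: $expectedSpn"
} else {
    Write-Warning "SPN missing: $expectedSpn (integrated auth falls back to NTLM)"
}

# 2. Does SELF hold an Allow ACE for the Validated-SPN right on the account?
$aclPath = "AD:\$($computer.DistinguishedName)"
$acl = Get-Acl -Path $aclPath
$validatedWrite = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.ObjectType -eq $ValidatedSpnGuid -and
    (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::Self) -ne 0) -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $SelfSid
}

if ($validatedWrite) {
    Write-Host "Computer account holds 'Validated write to service principal name'"
} else {
    Write-Warning "Computer account LACKS 'Validated write to service principal name'"
    if ($Repair) {
        # Re-create the validated-write ACE for SELF, the permission the post restores.
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $SelfSid,
            [System.DirectoryServices.ActiveDirectoryRights]::Self,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $ValidatedSpnGuid)
        $acl.AddAccessRule($rule)
        Set-Acl -Path $aclPath -AclObject $acl
        Write-Host "Permission restored on $($computer.DistinguishedName)"
    }
}

# 3. When run on the SQL host itself: show recent 26037 events from the post.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MSSQLSERVER'; Id = 26037 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue
if ($events) {
    $events | Select-Object TimeCreated, Id, Message | Format-List
} else {
    Write-Host "No recent event 26037 found in the local Application log"
}
```

Run it with the default parameters to report only; add -Repair to restore the ACE. SQL Server attempts SPN registration when the service starts, so after restoring the permission restart the SQL Server service (or wait for the next restart) and re-run the script to confirm the SPN now appears and event 26037 stops being logged.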
