creating SPN's

  • creating SPN's

    Hi,

    I have a user who has created 2 service accounts. They have asked that an SPN be created.

    Am I correct in thinking that in some way you link the service account to the SPN?
    They want to use the accounts for Kerberos authentication; the accounts are to be used in App Pools in IIS6. From what I understand, the application communicates using HTTP using port 1000 to SQL.

    Can these be created on any server that has setspn available? What would be the correct syntax? I can find loads of information regarding how to create host SPNs but not service account SPNs.

    Any help much appreciated.

    Thanks
    Last edited by phill; 3rd February 2009, 16:35.

  • #2
    Re: creating SPN's

    setspn -A http/servername:1000 domain\accountsamid
    setspn -A http/servername.domain.com:1000 domain\accountsamid

    You can do this from any client that has spn installed and domain admin credentials.

    No difference between computer or user accounts.


    • #3
      Re: creating SPN's

      Hi, thanks for that.

      After I created the SPN and listed the SPNs, a third SPN appears regarding SQL!
      With setspn -L serviceaccountname I receive the following:
      HTTP/servername.fqdn
      HTTP/servername.hostname
      MSSQLSvc/servername.fqdn:1433 (where does this come from?)

      If I do a setspn -L on the test SQL server I get
      MSSQLSvc/servername.fqdn:1932

      The website still fails when connecting to SQL. I assume that I need to change the port number for the SPN associated with the account name? Is the best way to delete and recreate, or can you amend the SPN? Should I even amend this, as I have no idea where it came from?

      Thanks

      phill


      • #4
        Re: creating SPN's

        If you have SQL installed and running under the Local System or Network Service built-in account, it will register that SPN on the computer account. If it's running under a custom service account, then it will register the SPN on that account.

        Does the service account the website is running on have permissions on the SQL server?


        • #5
          Re: creating SPN's

          Hi,

          Thanks, forgot to mention the SQL. It is running as Local System, and if I do the setspn -L for the server I get

          MSSQLSvc/servername.fqdn:1932
          HOST/servername.fqdn
          HOST/servername.hostname
          So this is registered by SQL as it is running under local system?

          The SPN query for the service account is
          HTTP/servername.fqdn
          HTTP/servername.hostname
          MSSQLSvc/servername.fqdn:1433

          We have now removed the SQL SPN associated with the service account as it did not resolve the issue. The SQL server still has the SPN registered. When we try to access the website we get the error:
          domain\username

          Thanks
          login failed for user NT AUTHORITY\ANONYMOUS LOGON



          Thanks very much for your help.

          phill
          Last edited by phill; 5th February 2009, 14:38.
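
An added example, not part of any post in the thread: it parses `setspn -L` listings and flags any service class and host registered under more than one account, as with the MSSQLSvc entries in posts #3 and #5 (port 1433 on the service account, 1932 on the server). The account names, host names and listings are constructed placeholders, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: `setspn -L` output for a service account and a computer
# account, modelled on the listings in the thread (all names are placeholders).
SAMPLE = """\
Registered ServicePrincipalNames for CN=svc_web,OU=Service,DC=example,DC=com:
    HTTP/web01.example.com
    HTTP/web01
    MSSQLSvc/sql01.example.com:1433
Registered ServicePrincipalNames for CN=SQL01,CN=Computers,DC=example,DC=com:
    MSSQLSvc/sql01.example.com:1932
    HOST/sql01.example.com
    HOST/SQL01
"""

HEADER = re.compile(r"^Registered ServicePrincipalNames for (.+):\s*$")
SPN = re.compile(r"^(?P<cls>[^/\s]+)/(?P<host>[^:/\s]+)(?::(?P<port>[^/\s]+))?$")


def parse_listing(text):
    """Return [(account_dn, service_class, host, port_or_None), ...]."""
    rows, account = [], None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            account = m.group(1)
            continue
        s = SPN.match(line.strip())
        if s and account:
            # SPN comparison is case-insensitive, so normalise class and host.
            rows.append((account, s["cls"].upper(), s["host"].lower(), s["port"]))
    return rows


def find_conflicts(rows):
    """Flag (class, host) pairs whose SPNs sit on more than one account."""
    owners = defaultdict(set)
    for account, cls, host, port in rows:
        owners[(cls, host)].add((account, port))
    return {key: sorted(val, key=str) for key, val in owners.items()
            if len({acct for acct, _ in val}) > 1}


if __name__ == "__main__":
    for (cls, host), regs in find_conflicts(parse_listing(SAMPLE)).items():
        print(f"{cls}/{host} is registered on more than one account:")
        for account, port in regs:
            print(f"  {account}  port/instance={port}")
```

To use it on real data, save the output of `setspn -L` for each account involved into one text file and pass its contents to `parse_listing`.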
