SQL running under 'Local System', but SPN not registering

  • Last Post 23 January 2019
Mahdi posted this 23 January 2019

Hello friends

This one is quite strange. Have you ever experienced this problem of 'not self registration' of SPNs when the service is running under 'Local System'? As we all know, we will need to do a manual registration of SPNs in certain cases but not when the service is running under 'Local System'.

The error is so 'General' and no more information is logged:

"The SQL Server Network Interface library could not register the Service Principal Name (SPN) [ MSSQLSvc/SQL1.Contoso.net:14330 ] for the SQL Server service. Windows return code: 0x200b, state: 15. Failure to register a SPN might cause integrated authentication to use NTLM instead of Kerberos. This is an informational message. Further action is only required if Kerberos authentication is required by authentication policies and if the SPN has not been manually registered."

I verified that the PC has enough permission to write to the SPN attribute, but I have no other idea what the problem could be.

Any tips? 

dloder posted this 23 January 2019

0x200b is ERROR_DS_INVALID_ATTRIBUTE_SYNTAX
So network trace it and see exactly what SPN is trying to be registered. Maybe a problem somehow with leading or trailing characters that are invalid.
-- dloder.blogspot.com --




barkills posted this 23 January 2019

I’ve seen SQL SPN registrations fail for a variety of reasons that include:

- dnsHostname value doesn’t match FQDN attempting to be registered for SQL
- SPN attempting to be registered is already registered on another AD object
- There are other MSSQLSvc SPNs already registered for that object, presumably manually added
- Netbiosname of computer has changed but the necessary reboot hasn’t happened
- DNS suffix of computer has changed but the necessary reboot hasn’t happened
- Windows 7 bug when joining AD related to “disjoint namespace”
- Disjoint namespace + SQL cluster rolling upgrade (poorly written Microsoft code which assumes that the AD domain for the cluster is the disjoint namespace)

 

I’m probably missing a few I’ve seen over the years.

In my experience the SQL automatic SPN registration is not as well-written as the OS SPN registration. And I’ve seen the SQL registration manage to break the OS SPN registration quite a few times. It’s been a while since I’ve seen that, so maybe the SQL product team got that issue fixed.

 

Brian
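
Several of the causes named in the two replies above (invalid leading or trailing characters, a dnsHostname mismatch, the SPN already held by another object, other MSSQLSvc SPNs on the same object) can be checked offline against an export of `dNSHostName` and `servicePrincipalName` values. The following is an added example, not code from any poster in this thread; the function name `triage_spn`, the SPN pattern and the sample inventory are assumptions constructed for illustration.

```python
import re

# Assumed shape for this check: MSSQLSvc/<fqdn>[:<port or instance name>]
SPN_RE = re.compile(r"^MSSQLSvc/([A-Za-z0-9.-]+)(?::([A-Za-z0-9_$#]+))?$", re.I)

def printable(c):
    # Visible ASCII only; spaces and control characters are treated as invalid
    return 0x21 <= ord(c) <= 0x7E

def triage_spn(target, computer, directory):
    """List reasons why registering `target` on `computer` may be rejected."""
    findings = []
    # Leading/trailing or otherwise invalid characters in the SPN value
    bad = [i for i, c in enumerate(target) if not printable(c)]
    if bad:
        findings.append(f"invalid-characters-at:{bad}")
    cleaned = "".join(c for c in target if printable(c))
    m = SPN_RE.match(cleaned)
    if not m:
        return findings + ["bad-syntax"]
    host = m.group(1).lower()
    own = directory[computer]
    # dNSHostName of the computer object differs from the FQDN in the SPN
    if (own.get("dNSHostName") or "").lower() != host:
        findings.append("dnshostname-mismatch")
    for name, obj in directory.items():
        for spn in obj.get("servicePrincipalName", []):
            same = spn.lower() == cleaned.lower()
            if name != computer and same:
                # SPN is already registered on another AD object
                findings.append(f"duplicate-on:{name}")
            elif name == computer and not same \
                    and spn.lower().startswith("mssqlsvc/"):
                # Other MSSQLSvc SPNs already present on this object
                findings.append(f"existing-mssqlsvc:{spn}")
    return findings

# Constructed sample inventory (not from the thread), as an LDAP export might give
DIRECTORY = {
    "SQL1$": {"dNSHostName": "sql1.contoso.net",
              "servicePrincipalName": ["HOST/SQL1", "HOST/sql1.contoso.net",
                                       "MSSQLSvc/sql1.contoso.net:1433"]},
    "svc-sql": {"dNSHostName": None,
                "servicePrincipalName": ["MSSQLSvc/SQL1.Contoso.net:14330"]},
}

if __name__ == "__main__":
    for f in triage_spn("MSSQLSvc/SQL1.Contoso.net:14330", "SQL1$", DIRECTORY):
        print(f)
```

An empty result means none of these particular causes applies; the reboot-pending and disjoint-namespace cases from the list are not visible in such an export.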

 
