Using Kerberos Configuration Manager to configure SPNs for SQL Server

Microsoft SQL Server requires Service Principal Name (SPN) records to be set up for authentication because of the way it interacts with Windows Authentication using the Kerberos protocol. When a user attempts to connect to the SQL Server instance, the client’s operating system requests a Kerberos ticket from the server, which is then verified by checking whether an SPN record has been registered for the service instance. If the SPN record is missing or incorrect, the Kerberos protocol fails and authentication fails, resulting in an error. This mechanism ensures that the server can verify the client’s identity and authenticate the connection securely, making SPN records a crucial component of Windows Authentication in SQL Server.

Configuring the SPN records

  1. Log in to the server’s console with your RT account.
  2. Download the tool: Microsoft Kerberos Configuration Manager for SQL Server
  3. Install the tool using the default options.
  4. Open File Explorer and navigate to C:\Program Files\Microsoft\Kerberos Configuration Manager for SQL Server. Right-click KerberosConfigMgr and select Run as administrator.
  5. Click on Connect. 
  6. Type localhost in the Server name field and click on Connect.
  7. Review the SPN records to determine whether they are correct. If none exist, click the Generate All button. If some exist, click the Fix All button. For most new server builds, clicking Fix All is the correct option.
  8. After clicking Fix All, you will be presented with the list of changes. Click Yes and allow the process to finish.
  9. The process may take 15+ minutes to synchronize across the domain.
  10. Reboot the SQL server.
  11. Test the connectivity.
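
To check the result of steps 7 and 11 from a script, the following PowerShell (an added example, not part of the original post or of Microsoft's tool) looks up the expected SPNs in Active Directory and then reports which authentication scheme a test connection negotiated. The host name `sql01.example.com` and port 1433 are assumed values; it assumes Windows PowerShell on a domain-joined client, run as a domain user.

```powershell
# Added example; $SqlHost and $Port are assumed values, not taken from the article.
param(
    [string]$SqlHost = 'sql01.example.com',  # hypothetical FQDN of the SQL Server
    [int]$Port = 1433                        # assumed TCP port of a default instance
)

# SPN forms a default instance uses: with the port (TCP) and without it (other protocols).
$expectedSpns = "MSSQLSvc/${SqlHost}:$Port", "MSSQLSvc/$SqlHost"

foreach ($spn in $expectedSpns) {
    # Search the current domain for every account that holds this SPN.
    $searcher = [adsisearcher]"(servicePrincipalName=$spn)"
    $owners = @($searcher.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] })
    switch ($owners.Count) {
        0       { Write-Warning "$spn is not registered" }
        1       { Write-Output  "$spn -> $($owners[0])" }
        default { Write-Warning "$spn is duplicated on: $($owners -join ', ')" }
    }
}

# Connect over TCP with Windows Authentication and ask SQL Server which scheme was used.
# Reading sys.dm_exec_connections requires the VIEW SERVER STATE permission.
$connString = "Server=tcp:$SqlHost,$Port;Database=master;Integrated Security=SSPI"
$conn = New-Object System.Data.SqlClient.SqlConnection $connString
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = 'SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID'
    $scheme = [string]$cmd.ExecuteScalar()
}
finally {
    $conn.Dispose()
}

if ($scheme -eq 'KERBEROS') {
    Write-Output "Connection to $SqlHost authenticated with Kerberos"
} else {
    # Any other value (for example NTLM) means Kerberos was not used for this session.
    Write-Warning "Connection to $SqlHost used $scheme instead of Kerberos"
}
```

A warning about a duplicated SPN means more than one account holds the same record, which is worth resolving before retesting.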