Apr 2025 Discount: Comprehensive Database Performance Health Check | Testimonials

Home

SCOM – Alert: SQL Server Cannot Authenticate Using Kerberos Because the Service Principal Name (SPN) is Missing, Misplaced, or Duplicated

Pinal Dave
SQL
2 Comments

This blog explains what needs to be done when there are tools which can monitor and report issue about SPNs. Once a client informed that SCOM (System Center Operations Manager) is connected to the databases on SQL Server and raising below warning regarding the SQL Server (Service Principal Name) SPNs:

SQL Server cannot authenticate using Kerberos because the Service Principal Name (SPN) is missing, misplaced, or duplicated.

Service Account: SQLAUTHORITY\ProdSQLSrv

Missing SPNs: MSSQLSvc/SAPSQLSERVER.SQLAUTHORITY.NET:SAP, MSSQLSvc/ SAPSQLSERVER.SQLAUTHORITY.NET:1433

Here is the screenshot for the alert.

SCOM - Alert: SQL Server Cannot Authenticate Using Kerberos Because the Service Principal Name (SPN) is Missing, Misplaced, or Duplicated scom-spn-01

Whenever I see errors/warning related to SPN, I always try to use Kerberos Configuration Manager tool.

WORKAROUND/SOLUTION

It is important to note that this is an alert not a failure because SPN issue will not cause every connection to fail. It means that any application, which is trying to use Kerberos authentication is going to fail with errors:

  1. Login failed for user ‘NT AUTHORITY\ANONYMOUS LOGON’
  2. Cannot generate SSPI context

I downloaded the tool and installed in on the server. As soon we are launching the tool, we can just hit connect. The best piece about this tool is that it can help in finding missing SPN and provide script to run or fix it directly if you have permission. Basically, it can

  • Gather information on OS and Microsoft SQL Server instances installed on a server.
  • Report on all SPN and delegation configurations on the server.
  • Identify potential problems in SPNs and delegations.
  • Fix potential SPN problems.

If you are not a fan of a installing tool on the server then you can use SETSPN.exe to set the correct SPNs. Based on above error, here is the command.

setspn -A MSSQLSvc/ SAPSQLSERVER.SQLAUTHORITY.NET:1433 SQLAUTHORITY\ProdSQLSrv

Note that we need to run above line from an elevated command prompt with an account with domain admin permissions. We ran the command and after a minute we got the message all was fine. And as expected, the alerts don’t come back anymore.

Reference: Pinal Dave (https://blog.sqlauthority.com)

SQL Error Messages, SQL Server, SQL Server Security
Previous Post
SQL SERVER – Cluster Patching: The RPC Server is Too Busy to Complete This Operation
Next Post
SQL Server Management Studio (SSMS) – Unable to Connect to SSIS – The Specified Service Does Not Exist as an Installed Service

Related Posts

2 Comments. Leave new

  • Stefka
    June 20, 2018 5:52 pm

    Thank you. I solved my problem using Kerberos Configuration Manager.

    Reply
  • Pete Miller
    January 13, 2023 4:39 am

    Hello Dave, Can you expand on what misplaced means? When I use the Kerberos Configuration Manager it creates them and they are still marked as misplaced. They are using gMSA’s for the service

    Reply

Leave a Reply

Pinal Dave is an SQL Server Performance Tuning Expert and independent consultant with over 22 years of hands-on experience. He holds a Masters of Science degree and numerous database certifications.

Pinal has authored 14 SQL Server database books and 88 Pluralsight courses. To freely share his knowledge and help others build their expertise, Pinal has also written more than 5,800 database tech articles on his blog at https://blog.sqlauthority.com.

Pinal is an experienced and dedicated professional with a deep commitment to flawless customer service. If you need help with any SQL Server Performance Tuning Issues, please feel free to reach out at pinal@sqlauthority.com.

Pinal is also a CrossFit Level 1 Trainer (CF-L1) and CrossFit Level 2 Trainer (CF-L2).

Nupur Dave is a social media enthusiast and an independent consultant. She primarily focuses on the database domain, helping clients build short and long-term multi-channel campaigns to drive leads for their sales pipeline.

Comprehensive Database Performance Health Check

Is your SQL Server running slow and you want to speed it up without sharing server credentials? In my Comprehensive Database Performance Health Check, we can work together remotely and resolve your biggest performance troublemakers in less than 4 hours.

Once you learn my business secrets, you will fix the majority of problems in the future.

SQL Server Performance Tuning Practical Workshop

Have you ever opened any PowerPoint deck when you face SQL Server Performance Tuning emergencies? SQL Server Performance Tuning Practical Workshop is my MOST popular training with no PowerPoint presentations and 100% practical demonstrations.

Essentially I share my business secrets to optimize SQL Server performance.