SCOM – Alert: SQL Server Cannot Authenticate Using Kerberos Because the Service Principal Name (SPN) is Missing, Misplaced, or Duplicated

SQL
1 Comment

This blog explains what needs to be done when there are tools which can monitor and report issue about SPNs. Once a client informed that SCOM (System Center Operations Manager) is connected to the databases on SQL Server and raising below warning regarding the SQL Server (Service Principal Name) SPNs:

SQL Server cannot authenticate using Kerberos because the Service Principal Name (SPN) is missing, misplaced, or duplicated.

Service Account: SQLAUTHORITY\ProdSQLSrv

Missing SPNs: MSSQLSvc/SAPSQLSERVER.SQLAUTHORITY.NET:SAP, MSSQLSvc/ SAPSQLSERVER.SQLAUTHORITY.NET:1433

Here is the screenshot for the alert.

Whenever I see errors/warning related to SPN, I always try to use Kerberos Configuration Manager tool.

WORKAROUND/SOLUTION

It is important to note that this is an alert not a failure because SPN issue will not cause every connection to fail. It means that any application, which is trying to use Kerberos authentication is going to fail with errors:

  1. Login failed for user ‘NT AUTHORITY\ANONYMOUS LOGON’
  2. Cannot generate SSPI context

I downloaded the tool and installed in on the server. As soon we are launching the tool, we can just hit connect. The best piece about this tool is that it can help in finding missing SPN and provide script to run or fix it directly if you have permission. Basically, it can

  • Gather information on OS and Microsoft SQL Server instances installed on a server.
  • Report on all SPN and delegation configurations on the server.
  • Identify potential problems in SPNs and delegations.
  • Fix potential SPN problems.

If you are not a fan of a installing tool on the server then you can use SETSPN.exe to set the correct SPNs. Based on above error, here is the command.

setspn -A MSSQLSvc/ SAPSQLSERVER.SQLAUTHORITY.NET:1433 SQLAUTHORITY\ProdSQLSrv

Note that we need to run above line from an elevated command prompt with an account with domain admin permissions. We ran the command and after a minute we got the message all was fine. And as expected, the alerts don’t come back anymore.

Reference: Pinal Dave (https://blog.sqlauthority.com)

Menu
Exit mobile version