SQL Server – Cannot Register SPN, Error 0x80090350, State 4

active-directoryauthenticationkerberossql serversql-server-2008-r2

This is my first time trying to configure kerberos. I need it for SQL Server.

Considerations

I'm running SQL Server 2008 R2 on Windows 2008 R2 server.
I have an Active Directory account for SQL Server 2008 R2.
The account is delegated for kerberos.
The account is configured to start SQL Server services. This works without problems.
SPNs are registered for both netbios and FQDN for computername and also computername:1433.
The same SPNS are registered for the server and the account.

I mean, if I do

setspn -L domain\serviceaccount

setsqpn -Q MSSSQLSvc/Server.domain.local,

I get

MSSQLSvc/Server:1433

MSSQLSvc/Server.domain.local

MSSQLSvc/Server.domain.local:1433

When I run this query:

select auth_scheme 
  from sys.dm_exec_connections 
 where session_id=@@spid

…the result is NTLM.

This query I'm running from another server, connecting to the SQL Server that I need to use Kerberos on.

When I restart SQL Server services I see this error in the log:

The SQL Server Network Interface library could not register the Service Principal Name (SPN) for the SQL Server service. Error: 0x80090350, state: 4. Failure to register an SPN may cause integrated authentication to fall back to NTLM instead of Kerberos. This is an informational message. Further action is only required if Kerberos authentication is required by authentication policies.

Any idea what I'm missing?

Best Answer

The error message you're seeing, 0x80090350, is defined as:

c:\util\Err>err 0x80090350

# for hex 0x80090350 / decimal -2146892976 :
  SEC_E_DOWNGRADE_DETECTED                                        winerror.h
# The system detected a possible attempt to compromise
# security.  Please ensure that you can contact the server
# that authenticated you.
# 1 matches found for "0x80090350"

I'm looking this up with the Exchange Error Lookup Tool.

According to the information in this post, this error is often caused by the MaxTokenSize issue caused by an account (indirectly or directly) being a member of a large number of groups.

Another possibility I'd consider is that a duplicate SPN exists. You can determine which SPNs Windows thinks are duplicates by running setspn -X -F (info here).

Related Solutions

SQL Server – SPN and AD Computer Delegation for Linked Server

There is only a single kind of Service Principal Name you need for SQL Server.

MSSQLSvc/<servername>:<portname>

It is typically necessary to implement this twice, one for the short name, and one for the long name. If, for instance, the SQL Server is named "SQLServer1.somedomain.com" and was running on port 1433, then you'd need:

MSSQLSvc/SQLServer1.somedomain.com:1433
MSSQLSvc/SQLServer1:1433

The computer account for SQLServer1.somedomain.com in Active Directory should be granted the ability to delegate security. Once that is working correctly, you can confirm Kerberos authentication is working by looking at:

SELECT InstanceName = @@SERVERNAME
    , InstancePortNumber = dec.local_tcp_port
    , dec.auth_scheme
FROM sys.dm_exec_connections dec
WHERE dec.session_id = @@SPID;

If this shows Kerberos in the auth_scheme column, then Kerberos authentication is working. If you have a second SQL Server at the other end of a linked server, you can run that query over the linked server:

DECLARE @cmd NVARCHAR(MAX);
SET @cmd = 'SELECT InstanceName = @@SERVERNAME
    , InstancePortNumber = dec.local_tcp_port
    , dec.auth_scheme
FROM sys.dm_exec_connections dec
WHERE dec.session_id = @@SPID;
';
EXEC [linked_server_name].tempdb.sys.sp_executesql @cmd;

The error message makes me think you're seeing a problem with file share permissions - when using Kerberos SQL Server will impersonate you when accessing the SMB share - therefor your account needs access to it.

Sql-server – The SQL Server Network Interface library could not register the Service Principal Name (SPN)

You specifically get error "0x21c7, state: 15" when an attempt is made to register the SPN which already exists, but possibly under different account.

When you run SQL Service under local system account, an SPN is registered under the Computer Object in AD. You can confirm from below:

setspn -l ComputerName

In above results, If you see any SPNs for MSSQLSvc then they need to be dropped with below commands on AD (You need to have Domain Admin permissions for this) so that you can then register SPN under new Service account:

setspn -d MSSQLSvc/FQDN:XXXXXXXXXX ComputerName

Once the above is done, restart SQL Service under the Service Account adn it should successfully register the SPN under the new Service account and you will be able to confirm by running the below command:

setspn -l DomainName\LoginName

Reference: http://www.b-blog.info/en/changing-service-account-for-ms-sql-server-2012-and-the-following-issues.html

You could also use Microsoft Kerberos Configuration Manager for SQL Server to automatically detect and fix such SPN Issues:

https://blogs.msdn.microsoft.com/farukcelik/2013/05/21/new-tool-microsoft-kerberos-configuration-manager-for-sql-server-is-ready-to-resolve-your-kerberosconnectivity-issues/

Best Answer

Related Solutions

SQL Server – SPN and AD Computer Delegation for Linked Server

Sql-server – The SQL Server Network Interface library could not register the Service Principal Name (SPN)

Related Question