Sql-server – How to enable both PowerShell Remoting and SPN for SQL Server Reporting

powershellsql serverssrs

I'm struggling with remoting servers with SQL Server Reporting Services running. My Reporting Services are running with individual domain-accounts, and I have set up SPNs for them (HTTP/<Machine> <domain>\<user>). As far as I can see, this effectively disables using PowerShell remoting, since the SPN which WinRM should use points to the domain account used by Reporting Services.

I have no problem running e.g. Get-Service -ComputerName <Machine>, but if I try Get-CimInstance Win32_Service -ComputerName <machine> or Enter-PsSession <machine> I get an error similar to this:

Get-CimInstance : WinRM cannot process the request. The following
error with errorcode 0x80090322 occurred while using Kerberos
authentication: An unknown security error occurred. Possible causes
are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.

After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.

Note that computers in the TrustedHosts list might not be
authenticated.
-For more information about WinRM configuration, run the following command: winrm help config. At line:1 char:1 + Get-CimInstance
win32_service -ComputerName <machine> +
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +
CategoryInfo: AuthenticationError: (root\cimv2:win32_service:String)
[Get-CimInstance], CimException + FullyQualifiedErrorId : HRESULT
0x8033809d,Microsoft.Management.Infrastructure.CimCmdlets.GetCimInstanceCommand
+ PSComputerName : <machine>

If I delete the SPN on one of my servers, then after a few seconds (a bit fast for AD replication?) I can use the above commands, but If I then reset the SPN the commands fail again after a while.

Some of my Reporting Services need to be able to forward credentials, so I hope someone is able to help me solve this dilemma.

Best Answer

I believe we have found the solution. To avoid Reporting Services and WinRM fighting over the HTTP SPN, you can set a port-specific SPN for the WinRM like this:

setspn -S HTTP/<Machine>:<port> <Machine>

It's a good idea to create SPNs for both short machine name and the FQDN.
The default port is 5985 for HTTP and 5986 for HTTPS, but I believe it can be set up to use different ports.

When using WinRM, I just set up a session like this:

$CimSessionOption = New-CimSessionOption -EncodePortInServicePrincipalName
$CimSession = New-CimSession -Name ServiceSession -SessionOption $CimSessionOption -ComputerName <Machine>
Get-CimInstance Win32_Service -CimSession $CimSession

Why does a reboot of the server sometimes fix this issue?

I think the OS has an issue talking with the DC (for whatever reason(s) you determine) and when this happens, it just gets out of sync somehow with DC, AD, etc. and a quick fix is to reboot the SQL Server OS when this occurs and there is no network communication with the DC at the time of the reboot, and all comes up fine with everything back in sync at that point. To accurately answer this, you probably need to find the reason first.

Proving that [the] Domain Controller(s) is/are or is/are not the issue

1. Troubleshoot & Consider

I'm not suggesting you make a bunch of changes before trying to find and fix the specific problem beforehand but there are many factors to consider I would think. It's just something you have to troubleshoot one step at a time unless there's something obvious causing the issue.

2. Access Perspective

In my setup, I'm the domain admin as well as the DBA so I have access to everything and all servers (two domains with two-way trusts) to troubleshoot at all levels whereas you may be a bit more restricted with what you can review, etc. on each server in the loop of the issue.

3. No Simple Oversight

I usually start with the simple items first that don't require changes and see if there are any obvious issues (e.g. event viewers on all servers, DNS testing on all servers, review all server configurations, etc.).

4. No Telling Logic

This could be an issue at the OS level of the SQL Server for the Windows version it is on. This could also be an issue with the NIC of the SQL Server or a mis-configuration of TCP/IP or DNS settings on the SQL Server or any of your DCs.

5. Collect & Update

Gather information on or ensure the SQL Server is fully updated with Windows Updates, and ensure server firmware is up-to-date if applicable with BIOS version as well as any hardware device firmware updates. The domain admins could also do the same on the DCs but use caution with making a bunch of changes and do so one step at a time.

6. Best Practices

I'm not sure how your AD and DCs are configured topology wise, but best practices should be followed as best as possible and a DC should be close to the network where both domains are physically rather than going across a slower network pipe or routers, etc. which adds another level where there could be issues or configurations to review.

The DCs should have their TCP/IP settings configured so that their DNS settings point to other DNS servers or follow best practices otherwise as per Microsoft for the DCs configurations applicable in your environment.

7. Request Access or Configuration Disclosure Assistance

You'll need to do basic troubleshooting to find the issues to resolve, ask questions, see what all could be updated and patched or changed, and get your domain admins to help you troubleshoot or disclose domain configurations to you if you're not sure how to see if everything is configured as best it could be for optimum performance and per best practices.

Important: This not to say there couldn't be a very simple reason this suddenly happened but if nothing has changed anywhere (i.e. OS on DCs or SQL Server, network configurations, AD or forest functional levels, hardware upgrades, Windows Updates, etc.) then you just have to troubleshoot for the reason why one step at a time.

Sql-server – Cannot register SPN, error 0x80090350, state 4

The error message you're seeing, 0x80090350, is defined as:

c:\util\Err>err 0x80090350

# for hex 0x80090350 / decimal -2146892976 :
  SEC_E_DOWNGRADE_DETECTED                                        winerror.h
# The system detected a possible attempt to compromise
# security.  Please ensure that you can contact the server
# that authenticated you.
# 1 matches found for "0x80090350"

I'm looking this up with the Exchange Error Lookup Tool.

According to the information in this post, this error is often caused by the MaxTokenSize issue caused by an account (indirectly or directly) being a member of a large number of groups.

Another possibility I'd consider is that a duplicate SPN exists. You can determine which SPNs Windows thinks are duplicates by running setspn -X -F (info here).

Best Answer

Related Solutions

Sql-server – SQL Server and SSPI handshake failed error

Why does a reboot of the server sometimes fix this issue?

Proving that [the] Domain Controller(s) is/are or is/are not the issue

Sql-server – Cannot register SPN, error 0x80090350, state 4

Related Question