We have an Availability Group, and the original DNS name that was given to the AG Listener is too long (something like longername-Listener-01.mydomain.com); it's hard for us to change the original DNS name of the listener at this point.
So we simply added a new, shorter DNS name to the DNS server (shortername.mydomain.com), pointing to the listener's IP address.
But the issue is that the original long Listener DNS name was set up to use Kerberos authentication using the Kerberos Configuration Manager tool;
Apparently this tool simply runs the command
SetSPN -s "MSSQLSvc/longername-Listener-01.mydomain.com:1433" "MYDOMAIN\SQLSvcAccount"
So currently everyone who connects to the original longer DNS name is connecting to SQL Server using the KERBEROS auth_scheme;
And everyone who connects to the new shorter DNS name is connecting using the NTLM auth_scheme, which we want to avoid.
Question:
If we execute the following command on the Availability Group servers:
SetSPN -s "MSSQLSvc/shortername.mydomain.com:1433" "MYDOMAIN\SQLSvcAccount"
Would it make connections to "shortername.mydomain.com" use the KERBEROS auth_scheme instead of NTLM?
And would connections to "longername-Listener-01.mydomain.com" still use the KERBEROS auth_scheme, too?
Best Answer
Yes, an SPN is simply telling the client that when it connects to the specified service (MSSQLSvc) on the specified host (shortername.mydomain.com), the specified principal (MYDOMAIN\SQLSvcAccount) will be the owner of the process that it is connecting to. This ensures that the connection will fail if DNS is wrong and it ends up connecting to a process owned by a different principal.
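As an added example (not code from the question or the answer), the following PowerShell script walks through what a DBA would check before and after registering the second SPN: that both DNS names resolve to the same listener address, that the SPN is not already held by another account (a duplicate SPN is the usual reason clients silently fall back to NTLM), the registration itself with the duplicate-checking setspn -S switch, and finally a fresh connection through each name that asks SQL Server which auth_scheme it negotiated. The account, host names and port are the placeholders from the question; it assumes the SqlServer module (Invoke-Sqlcmd) is installed and that the caller may write SPNs on the service account.

```powershell
# Added example, not from the original post. Names and port are the question's
# placeholders; SqlServer module (Invoke-Sqlcmd) and SPN write rights assumed.
$ServiceAccount = 'MYDOMAIN\SQLSvcAccount'
$LongName       = 'longername-Listener-01.mydomain.com'
$ShortName      = 'shortername.mydomain.com'
$Port           = 1433

# 1. Both names must resolve to the same listener address. If they differ, the
#    client would request a ticket for a host it is not actually talking to.
function Get-ResolvedAddresses([string]$Name) {
    ([System.Net.Dns]::GetHostAddresses($Name) |
        ForEach-Object { $_.IPAddressToString } | Sort-Object) -join ','
}
$longIp  = Get-ResolvedAddresses $LongName
$shortIp = Get-ResolvedAddresses $ShortName
if ($longIp -ne $shortIp) {
    throw "DNS mismatch: $LongName -> $longIp, $ShortName -> $shortIp"
}

# 2. Query the forest for the SPN before adding it. If another account already
#    holds it, the KDC cannot pick one and clients drop to NTLM without error.
$spn = "MSSQLSvc/${ShortName}:$Port"
$existing = setspn -Q $spn
if ($existing -match 'Existing SPN found') {
    Write-Host "SPN already registered, not adding:`n$($existing -join "`n")"
} else {
    # -S refuses to add the SPN when a duplicate exists anywhere in the forest.
    setspn -S $spn $ServiceAccount
}

# 3. List every SPN on the service account so the long and short names can be
#    reviewed together (both should now appear with the same port).
setspn -L $ServiceAccount

# 4. Open a new session through each name and read back the negotiated scheme.
#    Expect KERBEROS for both. NTLM on the short name means the SPN is missing
#    or duplicated, or the client still holds stale tickets (klist purge, retry).
$query = @"
SELECT @@SERVERNAME AS server_name, auth_scheme
FROM sys.dm_exec_connections
WHERE session_id = @@SPID;
"@
foreach ($name in @($ShortName, $LongName)) {
    $row = Invoke-Sqlcmd -ServerInstance "$name,$Port" -Query $query
    '{0,-40} {1}' -f $name, $row.auth_scheme
}
```

Run it on a client machine rather than on the AG nodes themselves: a local loopback connection may negotiate differently from the remote path your applications use, and the point of step 4 is to see exactly what those clients will get.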