I have a question about how to manually set SPN for using Kerberos authentication on a SQL cluster.
Do I set one SPN on the clustername or one on each node?
I also have a default named instance; do I specify the name of the instance?
Best Answer
To create a SPN for a SQL FCI, use the FQDN of the FCI instance. For example, if the FCI name is "SQLFCI1" on the contoso domain and it listens on port 22000 with domain account SQLSvcAcct then the SPN would be:
setspn -s MSSQLSvc/SQLFCI1.contoso.com:22000 Contoso\SQLSvcAcct
The error message you're seeing, 0x80090350, is defined as:
c:\util\Err>err 0x80090350
# for hex 0x80090350 / decimal -2146892976 :
SEC_E_DOWNGRADE_DETECTED winerror.h
# The system detected a possible attempt to compromise
# security. Please ensure that you can contact the server
# that authenticated you.
# 1 matches found for "0x80090350"
According to the information in this post, this error is often caused by the MaxTokenSize issue caused by an account (indirectly or directly) being a member of a large number of groups.
Another possibility I'd consider is that a duplicate SPN exists. You can determine which SPNs Windows thinks are duplicates by running setspn -X -F (info here).
You specifically get error "0x21c7, state: 15" when an attempt is made to register an SPN which already exists, but possibly under a different account.
When you run the SQL Service under the local system account, an SPN is registered under the Computer Object in AD. You can confirm this with the command below:
setspn -l ComputerName
In the above results, if you see any SPNs for MSSQLSvc, they need to be dropped with the command below on AD (you need Domain Admin permissions for this) so that you can then register the SPN under the new service account:
setspn -d MSSQLSvc/FQDN:XXXXXXXXXX ComputerName
Once the above is done, restart the SQL Service under the service account and it should successfully register the SPN under the new service account; you will be able to confirm this by running the command below:
If you don't want to deal with doing this by hand there is a great tool provided by Microsoft for this.
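As an added example (not code from anyone in this thread), the following Python builds the SPNs a SQL FCI should carry under its service account, as the accepted answer describes, and then scans constructed `setspn -L` style output to find an MSSQLSvc SPN that is still registered on a node's Computer Object as well as on the service account, which is the duplicate situation behind the 0x21c7 error discussed above. The account names, DNs and port are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `setspn -L <account>` output for three accounts, one
# block per account. NODE1 still carries the MSSQLSvc SPN that the FCI should
# now hold only under the service account: the duplicate the text describes.
SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=NODE1,OU=Servers,DC=contoso,DC=com:
        MSSQLSvc/SQLFCI1.contoso.com:22000
        HOST/NODE1.contoso.com
        HOST/NODE1
Registered ServicePrincipalNames for CN=NODE2,OU=Servers,DC=contoso,DC=com:
        HOST/NODE2.contoso.com
        HOST/NODE2
Registered ServicePrincipalNames for CN=SQLSvcAcct,OU=Service Accounts,DC=contoso,DC=com:
        MSSQLSvc/SQLFCI1.contoso.com:22000
        MSSQLSvc/SQLFCI1.contoso.com
"""

def expected_fci_spns(fci_name, domain, port, instance=None):
    """SPNs a SQL FCI needs: built on the FCI virtual name's FQDN, never on a
    node name. A default instance gets the port form; a named instance also
    gets the instance-name form."""
    fqdn = f"{fci_name}.{domain}"
    spns = [f"MSSQLSvc/{fqdn}:{port}"]
    if instance:
        spns.append(f"MSSQLSvc/{fqdn}:{instance}")
    return spns

def parse_setspn(text):
    """Map each account DN in `setspn -L` output to the set of SPNs under it."""
    spns_by_account = defaultdict(set)
    current = None
    for line in text.splitlines():
        m = re.match(r"Registered ServicePrincipalNames for (.+):$", line)
        if m:
            current = m.group(1)
        elif current and line.strip():
            spns_by_account[current].add(line.strip())
    return dict(spns_by_account)

def duplicate_spns(spns_by_account):
    """SPNs registered on more than one account (what setspn -X reports).
    SPNs compare case-insensitively, so keys are lower-cased."""
    owners = defaultdict(list)
    for account, spns in spns_by_account.items():
        for spn in spns:
            owners[spn.lower()].append(account)
    return {spn: accts for spn, accts in owners.items() if len(accts) > 1}
```

Run against real output, the accounts listed for a duplicate tell you which Computer Object still needs the `setspn -d` cleanup before the service account can register the SPN.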