Requesting some inputs..
We have a 2 node SQL 2016 Availability group configured and apps currently use primary replica for connection. We are now planning to use listener instead. Questions is, how to make sure we are using kerberos authentication for application connectiions?. Is it mandatory to manually register SPN for the listener? or is it automatically created?. is this a one time activity?. How to make sure SPN is registered automatically for the listener when the AG restarts or failover to second node?. Appreciate all the responses.
Best Answer
If you configure the listerner with a domain admin account it should be automatic but usually it is not enough.
It's better to have full control of what you are doing. First thing to remember is that an spn is a registration done on the domanin compunter account or domain user account that is running sql server service. While it is the same for both nodes, you have to do only one registration.
Check existing spn for your system:
or
Then you can register a listener in this way:
It's better to register both listener name and listener FQDN to be sure to match less precise application configurations.
The same commands with computer accounts:
To register spn you have to be domain admin.
A Microsoft tool that can help you if Microsoft Kerberos Configuration Manager for SQL Server:
https://www.microsoft.com/en-us/download/details.aspx?id=39046
Once everything is on place you don't have to do anyting else unless you change something like serfice users, listener names and/or ports