Adding Kerberos SPNs Basics
Some quick steps on how to add SPNs both via the GUI and with the SETSPN command.
NOTE: Local service accounts create their SPN automatically.
For the SQL Server engine it's good practice to create three SPNs: the standard FQDN with the port, one without the port, and one that uses the NetBIOS name.
Add a SPN with SETSPN:
SQL Server Engine:
Setspn -s MSSQLSvc/INT-SQL.wellcomeit.com:1433 WELLCOME\INT-SQL_SQL
Setspn -s MSSQLSvc/INT-SQL.wellcomeit.com WELLCOME\INT-SQL_SQL
Setspn -s MSSQLSvc/INT-SQL WELLCOME\INT-SQL_SQL
SQL Server Reporting Services Config
Setspn -s http/DEV-SSRS.BADSEEDS.LOCAL:80 WELLCOME\DEV-SSRS_Reporting
Setspn -s http/DEV-SSRS.BADSEEDS.LOCAL WELLCOME\DEV-SSRS_Reporting
Setspn -s http/DEV-SSRS WELLCOME\DEV-SSRS_Reporting
NOTE: Update RSReportServer.config.
Add a SPN with ADSI Edit:
Navigate to the service account in ADSI Edit, right-click the account and go to Properties.
Automatically Adding SPNs:
It is possible to have SPNs created automatically via the service accounts. If SQL Server uses the local service accounts (the default option when you install SQL Server), SPNs will be created when the instance is started. It's also possible to enable this on the domain account used for service accounts. Note that this will only create one SPN, the equivalent of:
Setspn -s MSSQLSvc/INT-SQL.wellcomeit.com:1433 WELLCOME\INT-SQL_SQL
and not the others that follow best practice.
Open ADSI Edit and navigate to the user account
Select SELF in the Permission Entries, then press Edit (open the Properties tab)
Scroll down to Write servicePrincipalName
Click OK to close each window.
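Because automatic registration creates only the port-qualified SPN, it is worth checking which of the three recommended SPNs are actually registered on the account. The following PowerShell is an added example, not part of the original steps: the function names are hypothetical, the host and account names are the ones used above, and it assumes the NetBIOS name is the first label of the FQDN.

```powershell
# Added example: audit the three recommended MSSQLSvc SPNs for one service account.
# Function names are hypothetical; host and account names come from the steps above.

function Get-ExpectedSqlSpn {
    param(
        [Parameter(Mandatory)] [string] $Fqdn,
        [Parameter(Mandatory)] [int]    $Port
    )
    # Assumption: the NetBIOS name is the first label of the FQDN.
    $netbios = $Fqdn.Split('.')[0]
    "MSSQLSvc/${Fqdn}:$Port", "MSSQLSvc/$Fqdn", "MSSQLSvc/$netbios"
}

function Test-SqlSpn {
    param(
        [Parameter(Mandatory)] [string] $Fqdn,
        [Parameter(Mandatory)] [string] $Account,
        [int] $Port = 1433
    )
    # setspn -L prints a header line, then one indented SPN per line.
    $registered = & setspn.exe -L $Account 2>$null |
        Where-Object { $_ -match '^\s+\S+/\S+' } |
        ForEach-Object { $_.Trim() }

    foreach ($spn in Get-ExpectedSqlSpn -Fqdn $Fqdn -Port $Port) {
        [pscustomobject]@{
            Spn        = $spn
            # -contains compares case-insensitively, as SPN matching does.
            Registered = $registered -contains $spn
            # Command to run if the SPN is missing (-S checks for duplicates first).
            AddCommand = "setspn -S $spn $Account"
        }
    }
}

Test-SqlSpn -Fqdn 'INT-SQL.wellcomeit.com' -Account 'WELLCOME\INT-SQL_SQL' |
    Format-Table -AutoSize

# Search for duplicate SPNs; the same SPN registered on two accounts
# breaks Kerberos authentication for that service.
& setspn.exe -X
```

Any row with Registered = False shows the exact Setspn -S command needed to add the missing SPN.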