SQL Server 2008 Cluster installation

Posted on 2009-12-23
Last Modified: 2012-05-08
To build a SQL Server 2008 Cluster on Windows 2008 Server, is it mandatory to create the SPNs for the SQL Service account if I don't want to use the Kerberos authentication? Or, SPNs need to be created only if we use Kerberos authentication?

Do we get the error given at the below link if we don't create SPNs before the installation irrespective of whether we are going to use Kerberos or not?
Question by:Srinivas_Vengala
    LVL 26

    Accepted Solution

    I've installed SQL2008 in a cluster some times and never manually created SPNs...
    So probably this will work in your case too ;)
    LVL 13

    Expert Comment

    From what I'm aware of, if you are in a Kerberos environment, when SQL is installed it should create an SPN for you for the Cluster Name, not the individual node names, so you should be OK.

    LVL 5

    Expert Comment

    As SQL Server preparation for a SQL 2008 cluster setup, it is mandatory to create the SPNs for the SQL Service account even if you don't want to use Kerberos authentication.

    If you configure a domain user account to run the SQL Server service instead of the local system account (SQL Server best practice), a Service Principal Name (SPN) must be configured for the domain user account in Active Directory Domain Services. For more information about configuring a SQL Server service account SPN in Active Directory Domain Services, see the link:
    How to Configure an SPN for SQL Server Site Database Servers
    Running the SQL Server service using the local system account of the SQL Server computer is not a SQL Server best practice. For the most secure operation of SQL Server site database servers, a low-rights domain user account should be configured to run the SQL Server service.
    A Service Principal Name (SPN) must be registered for the SQL Server service account (when the local system account will not be used) to allow clients to identify and authenticate the service using Kerberos authentication. The SetSPN utility can be used to register an SPN for the site database server SQL Server service account. The SetSPN utility must be run on a computer that resides in the SQL Server's domain and it must be run using Domain Administrator credentials. To properly configure an SPN for the SQL Server service account using the SetSPN utility, follow the steps in these procedures.
    To use the SetSPN utility, or to open an ADSIEdit MMC console, you must first install the Microsoft Windows Server support tools. These tools are included in the support tools folder on both Windows 2000 Server and Windows Server 2003 CDs. To install the Windows Server support tools, navigate to \SUPPORT\TOOLS\ on the server's installation CD and run suptools.msi.
    To manually create a domain user Service Principal Name (SPN) for the SQL Server service account
    1. Click Start, click Run and then enter cmd in the Run dialog box.
    2. From the command line, navigate to the Windows Server support tools installation directory. By default, these tools are located in the C:\Program Files\Support Tools directory.
    3. Enter a valid command to create the SPN. The command should be in the form: setspn -A MSSQLSvc/<SQL Server computer name>:1433 <Domain\Account>
    The command to register an SPN for a SQL Server named instance is the same as that used when registering an SPN for a default instance, except that the port number should match the port used by the named instance.
    4. Verify that the command completed successfully by reviewing the command's output for the "Updated object" line.
    To verify the domain user SPN is registered correctly using the ADSIEdit MMC console
    1. Click Start, click Run, and enter adsiedit.msc to launch the ADSIEdit MMC console.
    2. If necessary, connect to the site server's domain.
    3. In the console pane, expand the site server's domain, expand DC=<server distinguished name>, expand CN=Users, and right-click CN=<Service Account User>. On the context menu, click Properties.
    4. In the CN=<Service Account User> Properties dialog box, review the servicePrincipalName value to ensure that a valid SPN has been created and associated with the correct SQL Server.
    To change the SQL Server service account from local system to a domain user account
    1. Create or select a domain or local system user account that will be used as the SQL Server service account.
    2. Open SQL Server Configuration Manager.
    3. Click SQL Server 2005 Services and then double-click SQL Server <INSTANCE NAME>.
    4. On the Log On tab, select This account and enter the user name and password for the domain user account created in step 1, or click Browse to find the user account in Active Directory, and then click Apply.
    5. Click Yes on the Confirm Account Change dialog box to confirm the service account change and restart the SQL Server service.
    6. Click OK after the service account has been successfully changed.
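    The setspn procedure above, scripted for a clustered instance (where the SPN belongs to the cluster's SQL network name, not to a node name). This is an added example, not from the thread or from the Microsoft article quoted above. The network name SQLCLUS01, the DNS domain contoso.com, the account CONTOSO\svc_sql and port 1433 are constructed placeholders; on Windows Server 2008 setspn.exe ships with the OS, so the support-tools step is not needed there.

```powershell
# Added example: register and verify the MSSQLSvc SPNs for a clustered SQL
# Server instance. All names below are assumptions (hypothetical values);
# replace them with your cluster's SQL network name, domain, account and port.
# Run from an elevated prompt with an account allowed to write the service
# account's servicePrincipalName attribute (domain admin in the quoted text).

$NetworkName    = 'SQLCLUS01'        # clustered SQL network name, NOT a node name
$DnsDomain      = 'contoso.com'      # hypothetical DNS domain
$ServiceAccount = 'CONTOSO\svc_sql'  # hypothetical SQL Server service account
$Port           = 1433               # use the named instance's TCP port if applicable

# Clients build the SPN from the name they connect with plus the port, so both
# the FQDN form and the NetBIOS form are registered.
$Spns = @(
    ('MSSQLSvc/{0}.{1}:{2}' -f $NetworkName, $DnsDomain, $Port),
    ('MSSQLSvc/{0}:{1}'     -f $NetworkName, $Port)
)

foreach ($Spn in $Spns) {
    # setspn -Q searches the forest for an existing registration of this SPN.
    # A duplicate on another account is the classic cause of Kerberos failing
    # or of "Cannot generate SSPI context", so look before adding.
    $Existing = setspn -Q $Spn
    if ($Existing -match 'Existing SPN found') {
        Write-Warning ("SPN {0} is already registered:`n{1}" -f $Spn, ($Existing -join "`n"))
        continue
    }
    # setspn -S adds the SPN only if no duplicate exists anywhere in the forest
    # (stricter than the plain -A shown in the quoted procedure).
    setspn -S $Spn $ServiceAccount
}

# Show what is now registered on the account; expect the two MSSQLSvc entries.
setspn -L $ServiceAccount
```

    After a cluster failover the SPN stays valid because it is tied to the network name rather than to the node currently hosting the instance; if you ever change the service account, the SPNs must move with it, which is exactly what the listing at the end lets you confirm.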


    Author Comment

    rk_india1: I was able to install SQL Server 2008 cluster without manually creating the SPNs. After the installation I have checked in the Active Directory whether SQL cluster installation has created the SPNs automatically by using the ADSIEdit. There were no SPNs created for the SQL Server service domain account. All the connections to that SQL Cluster are using NTLM authentication. So, does it mean that if we don't want Kerberos for the SQL Cluster, we do not need to create the SPNs?
    LVL 5

    Expert Comment

    Yes, if we want to use Kerberos authentication, valid SPN creation is a must; otherwise Kerberos authentication is not performed. At that point, the SSPI layer switches to an NTLM authentication mode and the logon uses NTLM authentication and typically succeeds.

    If the SQL Server driver forms an SPN that is valid but is not assigned to the appropriate container, it tries to use the SPN but cannot, causing a "Cannot generate SSPI context" error message.

    Please have a look at the link, which gives you a clear idea about how the SPN is used:
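    A way to see which scheme SSPI actually negotiated, which is the check behind the author's observation that the cluster connections are using NTLM and the expert's description of the fallback. This is an added example, not code from the thread; it assumes a hypothetical cluster network name SQLCLUS01, a Windows-authenticated connection, and uses only the .NET System.Data.SqlClient classes that ship with the framework, so no extra module is required.

```powershell
# Added example: report the authentication scheme negotiated for this session.
# sys.dm_exec_connections.auth_scheme is KERBEROS when a usable MSSQLSvc SPN
# was found for the name and port we connected to, NTLM when SSPI fell back,
# and SQL for SQL logins. Server name is an assumption (hypothetical).

$Server = 'SQLCLUS01'   # hypothetical clustered SQL network name

# Querying our own session (@@SPID) needs no VIEW SERVER STATE permission.
$Query = 'SELECT auth_scheme, net_transport FROM sys.dm_exec_connections WHERE session_id = @@SPID;'

$Conn = New-Object System.Data.SqlClient.SqlConnection
$Conn.ConnectionString = "Server=$Server;Integrated Security=SSPI;Database=master;"
try {
    # If the connection fails with "Cannot generate SSPI context", an SPN for
    # this name/port exists but is registered on the wrong account: compare
    # setspn -Q MSSQLSvc/<name>:<port> with the account running the service.
    $Conn.Open()
    $Cmd = $Conn.CreateCommand()
    $Cmd.CommandText = $Query
    $Reader = $Cmd.ExecuteReader()
    if ($Reader.Read()) {
        $Scheme    = $Reader['auth_scheme']
        $Transport = $Reader['net_transport']
        switch ($Scheme) {
            'KERBEROS' { "Kerberos over $Transport : SPN resolved for $Server." }
            'NTLM'     { "NTLM over $Transport : no usable SPN, SSPI fell back (works, but no Kerberos)." }
            default    { "$Scheme over $Transport : not a Windows-integrated logon." }
        }
    }
    $Reader.Close()
}
finally {
    if ($Conn.State -eq 'Open') { $Conn.Close() }
}
```

    Run it once from a client machine (not from a cluster node, where a local loopback connection can negotiate differently) to confirm the scheme the real users get; NTLM here with the service running as a domain account is the signature of the "no SPN registered" state the author describes.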

    Author Closing Comment

    Expected an article which confirms the statement.
