The Cluster Service Account may lack the proper access rights to Active Directory and Enable Kerberos Authentication

I was wondering if someone can provide me a quick 101 or some references that explain Cluster SQL Server Network, AD and Kerberos Authentication.  Background:

I have created a 2 node MS 2K3 Cluster with SQL2K8 test system.  When I first attempted to bring the SQL Network Name online, the following error occurred.

Event Type:      Error
Event Source:      ClusSvc
Event Category:      Network Name Resource
Event ID:      1194
Date:            10/16/2010
Time:            3:10:08 AM
User:            N/A
Computer:      ComputerName
Description:

The computer account for Cluster resource 'SQL Network Name (SQLNetworkName)' in domain domain.corp could not be created for the following reason: Unable to create computer account.
 
The text for the associated error code is: Access is denied.

The Cluster Service Account may lack the proper access rights to Active Directory. The domain administrator should be contacted to assist with resolving this issue.

I disabled Kerberos Authentication, and the SQL Network Name and subsequently the SQL Server cluster were able to be put online with no errors.  I am not experienced with AD and our domain administrator is not very accommodating with knowledge or assistance.  Clearly, I understand the “Sql Network Name” is not in our Domain.

But, I am uncertain what AD constructs\component should be created?  

Also, I understand basically Kerberos Authentication is a security\authentication protocol (challenge\response model).  It appears there is a dependence between AD and SQL Network Name?  I assume enabling this option will require a fully qualified entry for the SQL Network Name in our Corp domain for it to work?

Last, what are the system risks if Kerberos Authentication is not enabled…could this impact testing applications in the cluster?  Essentially, I do not want to cause issues by not correctly implementing the SQL Cluster.

Any info or reference would be greatly appreciated and thanks in advance.


 


dmaxIT Asked:

KenMcF Commented:
Does the SQL service account have rights to add computers to the domain? It will need to add a computer object for the cluster name.
dmaxIT Author Commented:
Hi, thanks for the response.

No, the service account used by the SQL Service does not have permission to add the SQL cluster (Network Name) to the domain, hence the event error, and it prevents the SQL cluster from being put "online."

However, once the Kerberos authentication was disabled for the "SQL Network Name" cluster resource, this resource and the SQL server cluster were able to be put "Online".
KenMcF Commented:
You need the cluster computer object in AD for Kerberos; either the service account can create it or it can be created by the AD admin. You will also need the correct SPNs created.
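
A read-only check of the two prerequisites named in the answer above (the computer object for the network name, and the SPNs), added here as an example that is not part of the original thread. It assumes `dsquery`/`dsget` and `setspn` (Windows Support Tools on Server 2003) are available; the service account `DOMAIN\sqlsvc` is hypothetical and port 1433 is an assumed default-instance port.

```batch
@echo off
rem Added example (not from the thread): read-only check of the Kerberos
rem prerequisites for a clustered SQL Network Name. Nothing in AD is modified.
setlocal
set "NETNAME=SQLNetworkName"
set "FQDN=SQLNetworkName.domain.corp"
rem Hypothetical SQL Server service account and assumed TCP port.
set "SQLSVC=DOMAIN\sqlsvc"
set "SQLPORT=1433"

rem 1) Is there a computer object for the Network Name resource?
rem    dsquery prints the quoted DN when found and nothing when not.
set "DN="
for /f "delims=" %%D in ('dsquery computer -name %NETNAME%') do set "DN=%%D"
if not defined DN (
    echo [MISSING] No computer object named %NETNAME% was found in AD.
    echo           Ask the AD admin to create it, or to allow the cluster
    echo           service account to create computer objects.
    goto :spn
)
echo [FOUND]   %DN%
rem Show whether the account is disabled.
dsget computer %DN% -disabled

:spn
rem 2) Which SPNs are registered on the SQL Server service account?
echo.
echo SPNs currently registered on %SQLSVC%:
setspn -L %SQLSVC%

rem 3) Print, but do not run, the registration to request from the AD admin.
echo.
echo If MSSQLSvc/%FQDN%:%SQLPORT% is not listed above, request:
echo   setspn -A MSSQLSvc/%FQDN%:%SQLPORT% %SQLSVC%
endlocal
```

The script only prints the `setspn -A` line, so it can be run from an account without rights to change AD and its output handed to the domain administrator.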

dmaxIT Author Commented:
Thanks for the assistance.  We will not be using\implementing Kerberos authentication.
dmaxIT Author Commented:
Thanks for the assistance.  We will not be using\implementing Kerberos authentication. I was looking for confirmation on why Kerberos would be needed.