Setup SPNs
FineBuild can setup Service Principal Names (SPNs) needed for Kerberos authentication.
The Service Principal Name (SPN) is an endpoint for security purposes. When a program requests a Kerberos security token, it passes the required SPN to the token generator. Depending on which Microsoft product is used to connect to SQL Server, a different SPN is used. This means that a number of SPNs have to be created for SQL Server to meet the needs of particular Microsoft products.
It is possible for a user-written application to use a site-specific SPN when it connects to SQL Server, in which case this SPN would also have to be created. There is no advantage in using a site-specific SPN, and there are already what amounts to a confusing number of SPNs used by Microsoft products. It is recommended that user-written applications use one of the Microsoft SPN names.
The use of SPNs is one of the requirements for Kerberos authentication. Kerberos is the most secure authentication mechanism provided by Microsoft and it is recommended that it is used wherever possible. If you set up Security Compliance then Setup SPN processing will always be performed.
The Setup No Windows Global Access Configuration can be enforced by Group Policy Management.
Processing of Setup SPN relates to Process Id 1ED in the FineBuild1Preparation script, and is controlled by the parameter below:
SQL Version | Parameter | FULL Build | WORKSTATION Build | CLIENT Build |
---|---|---|---|---|
SQL2019 | /SetupSPN: | Yes | Yes | N/A |
SQL2017 | /SetupSPN: | Yes | Yes | N/A |
SQL2016 | /SetupSPN: | Yes | Yes | N/A |
SQL2014 | /SetupSPN: | Yes | Yes | N/A |
SQL2012 | /SetupSPN: | Yes | Yes | N/A |
SQL2008R2 | /SetupSPN: | Yes | Yes | N/A |
SQL2008 | /SetupSPN: | Yes | Yes | N/A |
SQL2005 | /SetupSPN: | Yes | Yes | N/A |
SQL FineBuild Setup SPN Processing includes the following:
SQL FineBuild performs setup SPN processing by creating a script and then running it.
Creating a SPN requires Windows Account Administrator authority, so if you do not have this authority the script will fail. If the script fails, FineBuild will issue a message showing where the script is located, and you can then send the script file to a Windows Administrator to be run.
The following steps show what you would have to do to Setup SPN manually. FineBuild does all of this work for you automatically.
A SPN should be created for both the NetBIOS style name and the Fully Qualified Domain Name style variations of the service name, to cater for the different formats that applications may use when connecting to the service. Both variations should always be created.
Manual Setup SPN Processing includes the following:
If Analysis Services is being installed, then create the SPNs for Analysis Services, using the commands below:
SETSPN -S MSOLAPSvc.3/FullyQualifiedServerName ServiceAccount
SETSPN -S MSOLAPSvc.3/FullyQualifiedServerName:port ServiceAccount
SETSPN -S MSOLAPSvc.3/NetBIOSServerName ServiceAccount
SETSPN -S MSOLAPSvc.3/NetBIOSServerName:port ServiceAccount
An example is given below:
SETSPN -S MSOLAPSvc.3/PDGB01SQLS0021.prod.local PROD\SERVGB_SQL01
SETSPN -S MSOLAPSvc.3/PDGB01SQLS0021.prod.local:2383 PROD\SERVGB_SQL01
SETSPN -S MSOLAPSvc.3/PDGB01SQLS0021 PROD\SERVGB_SQL01
SETSPN -S MSOLAPSvc.3/PDGB01SQLS0021:2383 PROD\SERVGB_SQL01
Notes:
- If the SPN for the Default instance is being created, use 2383 or the locally assigned value for the port number.
- For a Named Instance, use the port number for that instance. Do not include the instance name with the server name.
- If an Analysis Services cluster is being installed as part of a SQL Server Cluster Install, then SPNs for the AS Cluster Name (eg PDGB01SQLC01ASA) but without port numbers should be created. Use the same syntax as above, but leave out the port number (i.e. omit the :2383).
If you are installing a Named Instance of Analysis Services then SQL Browser is always required in order to find the instance. In this situation create the following SPNs for SQL Browser. See KB950599 for more details of this requirement.
SETSPN -S MSOLAPDisco.3/FullyQualifiedServerName ServiceAccount
SETSPN -S MSOLAPDisco.3/NetBIOSServerName ServiceAccount
An example is given below:
SETSPN -S MSOLAPDisco.3/PDGB01SQLS0021.prod.local PROD\SERVGB_SQL01
SETSPN -S MSOLAPDisco.3/PDGB01SQLS0021 PROD\SERVGB_SQL01
If SQL Server database engine is being installed, then create the SPNs for SQL Server, using the commands below:
SETSPN -S MSSQLSvc/FullyQualifiedServerName ServiceAccount
SETSPN -S MSSQLSvc/FullyQualifiedServerName:portnumber ServiceAccount
SETSPN -S MSSQLSvc/NetBIOSServerName ServiceAccount
SETSPN -S MSSQLSvc/NetBIOSServerName:portnumber ServiceAccount
An example is given below:
SETSPN -S MSSQLSvc/PDGB01SQLS0021.prod.local PROD\SERVGB_SQL01
SETSPN -S MSSQLSvc/PDGB01SQLS0021.prod.local:1433 PROD\SERVGB_SQL01
SETSPN -S MSSQLSvc/PDGB01SQLS0021 PROD\SERVGB_SQL01
SETSPN -S MSSQLSvc/PDGB01SQLS0021:1433 PROD\SERVGB_SQL01
Notes:
- If the SPN for the Default instance is being created, use 1433 or the locally assigned value for the port number.
- For a Named Instance, use the port number for that instance. Do not include the instance name with the server name.
- If a SQL DB Engine cluster is being installed as part of a SQL Server Cluster Install, then SPNs for the SQL Cluster Name (eg PDGBSQLC01DBA) but without port numbers should be created. Use the same syntax as above, but leave out the port number (i.e. omit the :1433).
- If Always On is being configured, then SPNs for the AO Listener Name (eg PDGB01SQLC01AOA) and including port numbers should be created. Use the same syntax as above, including the port number.
If Report Services is being installed, then create the SPNs for Report Services, using the commands below:
SETSPN -S HTTP/FullyQualifiedServerName ServiceAccount
SETSPN -S HTTP/FullyQualifiedServerName:portnumber ServiceAccount
SETSPN -S HTTP/NetBIOSServerName ServiceAccount
SETSPN -S HTTP/NetBIOSServerName:portnumber ServiceAccount
An example is given below:
SETSPN -S HTTP/PDGB01SQLS0021.prod.local PROD\SERVGB_SQL01
SETSPN -S HTTP/PDGB01SQLS0021.prod.local:80 PROD\SERVGB_SQL01
SETSPN -S HTTP/PDGB01SQLS0021 PROD\SERVGB_SQL01
SETSPN -S HTTP/PDGB01SQLS0021:80 PROD\SERVGB_SQL01
Notes:
- If a Report Services cluster is being installed as part of a SQL Server Cluster Install, then SPNs for the Report Services Cluster Name (eg PDGB01SQLC01RS) should be created. Use the same syntax as above, including the port number.
- If a Report Services Alias is being configured, then SPNs should also be created for the Alias. Use the same syntax as above, including the port number.
If SSIS Scaleout Master is being installed, then create the SPNs for SSIS Scaleout Master, using the commands below:
SETSPN -S HTTPS/FullyQualifiedServerName ServiceAccount
SETSPN -S HTTPS/FullyQualifiedServerName:portnumber ServiceAccount
SETSPN -S HTTPS/NetBIOSServerName ServiceAccount
SETSPN -S HTTPS/NetBIOSServerName:portnumber ServiceAccount
An example is given below:
SETSPN -S HTTPS/PDGB01SQLS0021.prod.local PROD\SERVGB_SQL01
SETSPN -S HTTPS/PDGB01SQLS0021.prod.local:8391 PROD\SERVGB_SQL01
SETSPN -S HTTPS/PDGB01SQLS0021 PROD\SERVGB_SQL01
SETSPN -S HTTPS/PDGB01SQLS0021:8391 PROD\SERVGB_SQL01
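The manual steps above gathered into one generated script, the way FineBuild works (build a script, then run it). This is an added example, not FineBuild's own script: the function names and parameters are this example's own, and the server, domain, ports and service account are the sample values used on this page.

```powershell
# Added example: build the SETSPN commands listed on this page for one server.
# Rule from the page: FQDN and NetBIOS variants always; port variants only when a
# port is given (cluster names get none, AO listeners and RS aliases get them).
function Get-FineBuildSpnList {
    param(
        [Parameter(Mandatory)] [string] $ServerName,     # NetBIOS name (or cluster/listener name)
        [Parameter(Mandatory)] [string] $DnsDomain,      # e.g. prod.local
        [string] $ServiceClass = 'MSSQLSvc',             # MSOLAPSvc.3, MSOLAPDisco.3, HTTP, HTTPS
        [int]    $Port = 0                               # 0 = emit no :port variants
    )
    foreach ($h in @("$ServerName.$DnsDomain", $ServerName)) {
        "$ServiceClass/$h"
        if ($Port -gt 0) { "$ServiceClass/${h}:$Port" }
    }
}

function New-SetSpnScript {
    param([Parameter(Mandatory)] [string[]] $Spn,
          [Parameter(Mandatory)] [string] $ServiceAccount,
          [Parameter(Mandatory)] [string] $Path)
    # -S (not -A) makes SETSPN refuse an SPN already registered elsewhere in the
    # forest; a duplicate SPN breaks Kerberos for both hosts and silently forces NTLM.
    $lines = $Spn | ForEach-Object { "SETSPN -S $_ $ServiceAccount" }
    Set-Content -Path $Path -Value $lines -Encoding ASCII
    return $lines
}

function Test-RegisteredSpn {
    param([Parameter(Mandatory)] [string[]] $Spn,
          [Parameter(Mandatory)] [string] $ServiceAccount)
    # Compare the expected list against what AD actually holds for the account.
    $registered = setspn -L $ServiceAccount | ForEach-Object { $_.Trim() }
    foreach ($s in $Spn) {
        [pscustomobject]@{ SPN = $s; Registered = ($registered -contains $s) }
    }
}

# Sample run with the page's values: default DB Engine, default AS, Report Services,
# plus the DB Engine cluster name, which gets no port variants.
$common = @{ ServerName = 'PDGB01SQLS0021'; DnsDomain = 'prod.local' }
$spns = @(
    Get-FineBuildSpnList @common -ServiceClass 'MSSQLSvc'    -Port 1433
    Get-FineBuildSpnList @common -ServiceClass 'MSOLAPSvc.3' -Port 2383
    Get-FineBuildSpnList @common -ServiceClass 'HTTP'        -Port 80
    Get-FineBuildSpnList -ServerName 'PDGBSQLC01DBA' -DnsDomain 'prod.local' -ServiceClass 'MSSQLSvc'
)
New-SetSpnScript -Spn $spns -ServiceAccount 'PROD\SERVGB_SQL01' -Path "$env:TEMP\SetupSPN.cmd"
# After the script has been run (by a Windows Administrator if you lack the authority):
Test-RegisteredSpn -Spn $spns -ServiceAccount 'PROD\SERVGB_SQL01' | Where-Object { -not $_.Registered }
```

The last line lists any SPN from the expected set that is still missing from the account, which is the check to run before trusting that clients will get Kerberos rather than NTLM.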
Copyright FineBuild Team © 2017 - 2021. License and Acknowledgements