none
Setting up SPNs for kerberos

    Question

  • I am trying to set up SPNs for my SharePoint farm. I have been researching SPNs for a bit now, but have some questions

    1. Is it ok to have multiple domain accounts that go to the same location? For example, I have a web app pool account, and a serach account on the same web application, as seen below. I beleive that is not allowed, but I am not sure how I should set the SPN for the app pool, and also for the search account. Am I correct in stating that each server name & web URL must have only one domain account that is used as an SPN, but a domain account can be set to multiple server names & web URLs?

    setspn.exe –A HTTP/spweb1 domain\service_sharepoint
    setspn.exe –A HTTP/spweb1.mydomain.com domain\service_sharepoint
    setspn.exe –A HTTP/spweb2 domain\service_sharepoint
    setspn.exe –A HTTP/spweb2.mydomain.com domain\service_sharepoint
    setspn.exe –A HTTP/spapp1 domain\service_sharepoint
    setspn.exe –A HTTP/spapp1.mydomain.com domain\service_sharepoint
    setspn.exe –A HTTP/sharepoint domain\service_sharepoint_app
    setspn.exe –A HTTP/sharepoint.domain.com domain\service_sharepoint_app
    setspn.exe –A HTTP/sharepoint domain\service_sharepoint_search
    setspn.exe –A HTTP/sharepoint.domain.com domain\service_sharepoint_search

    2. I have a SQL cluster. Do I want to set the SPNs to point to each individual SQL server in the cluster, or the cluster name?
     

    setspn.exe –A MSSQLSvc/sql1:1433 domain\service_sqlcluster
    setspn.exe –A MSSQLSvc/sql1.mydomain.com:1433 domain\service_sqlcluster
    setspn.exe –A MSSQLSvc/sql2:1433 domain\service_sqlcluster
    setspn.exe –A MSSQLSvc/sql2.mydomain.com:1433 domain\service_sqlcluster
    
    Or:
    
    setspn.exe –A MSSQLSvc/SqlCluster:1433 domain\service_sqlcluster
    setspn.exe –A MSSQLSvc/SqlCluster.mydomain.com:1433 domain\service_sqlcluster
    

     

    Tuesday, December 13, 2011 4:47 AM

Answers

All replies