Delegating Rights to register SPNs not working


  • Hi,

    When I try to delegate the right for service accounts to register their SPNs for SQL (2014), it is not working.

    I followed this article:
    https://www.myotherpcisacloud.com/post/delegating-the-permissions-for-service-accounts-to-dynamically-register-their-own-spns-274 
    and tried with this command:
    dsacls <DistinguishedName_of_Service_Account> /G SELF:RPWP;"servicePrincipalName"

    But when I go to "Effective Permissions" in ADSI Edit, "Write servicePrincipalName" is not checked. And the SQL SVC account is failing to register its SPNs.

    Any Ideas?

    >>>I suggest you run dsacls <distinguished_Name_of_service_account> to check whether the account has the Write servicePrincipalName permission. If the output is like below, the SELF account has the Write servicePrincipalName permission.

    Allow NT Authority\SELF SPECIAL ACCESS for Validated Write to Service principal name
    WRITE PROPERTY

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, February 22, 2017 12:30 PM
    Moderator
  • Thanks for your reply the output of the command is:

    Allow NT AUTHORITY\SELF               SPECIAL ACCESS for Validated write to service principal name
                                          WRITE PROPERTY
                                          READ PROPERTY

    The SQL service is still failing to register the SPNs.

    Regards Menzo

    Thursday, February 23, 2017 10:02 AM
  • Hi,

    As far as I know, this means that the service account has the Write Property permission.

    Try to delegate the permission in ADSI Edit.

    Here is an article that may be helpful to you.

    http://www.dbaglobe.com/2015/08/fix-service-principal-name-spn-for-sql.html

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best Regards,

    Jay



    Saturday, February 25, 2017 4:38 AM
    Moderator
  • Thanks for your reply

    That is the normal procedure that you refer to, and that is what I tried first. I know it should be working like that, but it is not for our environment. Also, in our test environment the behaviour is the same as in production.

    It looks like there is some kind of inheritance that removes the right.

    Regards Menzo

    Thursday, March 2, 2017 7:25 AM
  • Hi,

    Try to delegate the permission manually in ADSI Edit as mentioned above. Then check whether the SQL service registers its SPN.

    And here is an article about SQL failing to register an SPN, for your reference.

    https://blogs.technet.microsoft.com/mdegre/2009/11/08/the-sql-network-interface-library-was-unable-to-register-spn/

    Best Regards,

    Jay




    Thursday, March 2, 2017 8:36 AM
    Moderator
    I tried that manually with 4 svc accounts.

    It is not working.

    Regards Menzo

    Thursday, March 2, 2017 9:09 AM
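The check the thread keeps circling back to, as an added PowerShell example (not from the thread and not Microsoft's tooling): it reads the service account's DACL through the RSAT ActiveDirectory module and reports separately whether NT AUTHORITY\SELF holds the validated write (the ACE dsacls prints as "Validated write to service principal name") and whether it holds Write servicePrincipalName (the entry ADSI Edit's Effective Permissions shows), lists any Deny ACE that covers either right for any trustee, and reports the account's adminCount. An account with adminCount=1 is a protected account whose DACL SDProp periodically replaces with the one on AdminSDHolder, which would remove a delegated ACE after it was granted. The two GUIDs are the schema's fixed values for the servicePrincipalName attribute and the validated-write right; the account name 'svc-sql' in the usage lines is a placeholder.

```powershell
# Added example, not from the thread: report whether a service account can register
# its own SPNs, by reading its DACL the same way ADSI Edit and dsacls do.
# Requires the RSAT ActiveDirectory module (it provides the AD: drive used below).
Import-Module ActiveDirectory

# Fixed, well-known schema GUIDs.
$SpnAttributeGuid      = [guid]'28630ebb-41d5-11d1-a9c1-0000f80367c1'  # attribute servicePrincipalName
$ValidatedWriteSpnGuid = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'  # right "Validated write to service principal name"
$SelfSid               = [System.Security.Principal.SecurityIdentifier]'S-1-5-10'  # NT AUTHORITY\SELF

function Get-AceSid {
    # Resolve the ACE's trustee to a SID; an orphaned SID fails to translate and is treated as "not SELF".
    param($Ace)
    try   { $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
    catch { $null }
}

function Test-SpnSelfRegistration {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Identity)  # sAMAccountName or DN of the service account

    $acct = Get-ADUser -Identity $Identity -Properties adminCount, servicePrincipalName
    $acl  = Get-Acl -Path ("AD:\" + $acct.DistinguishedName)

    $allowValidated = $false   # the ACE dsacls prints as "Validated write to service principal name"
    $allowWriteProp = $false   # the ACE ADSI Edit shows as "Write servicePrincipalName"
    $denies = @()

    foreach ($ace in $acl.Access) {
        $rights = $ace.ActiveDirectoryRights
        $obj    = $ace.ObjectType   # Guid.Empty means "all properties" / "all validated writes"

        $isValidated = (($rights -band [System.DirectoryServices.ActiveDirectoryRights]::Self) -ne 0) -and
                       ($obj -eq $ValidatedWriteSpnGuid -or $obj -eq [guid]::Empty)
        $isWriteProp = (($rights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0) -and
                       ($obj -eq $SpnAttributeGuid -or $obj -eq [guid]::Empty)

        if (-not ($isValidated -or $isWriteProp)) { continue }

        if ($ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny) {
            # A matching Deny beats any Allow, whichever trustee it names; keep it for review.
            $denies += $ace
            continue
        }
        if ((Get-AceSid $ace) -ne $SelfSid) { continue }
        if ($isValidated) { $allowValidated = $true }
        if ($isWriteProp) { $allowWriteProp = $true }
    }

    [pscustomobject]@{
        Account               = $acct.DistinguishedName
        AdminCount            = $acct.adminCount   # 1: protected account; SDProp rewrites its DACL from AdminSDHolder
        SelfValidatedWriteSPN = $allowValidated
        SelfWritePropertySPN  = $allowWriteProp
        MatchingDenyAces      = $denies
        CurrentSPNs           = @($acct.servicePrincipalName)
    }
}

# Usage ('svc-sql' is a placeholder account name):
# $r = Test-SpnSelfRegistration -Identity 'svc-sql'
# $r | Format-List
# $r.MatchingDenyAces | Format-Table IdentityReference, ActiveDirectoryRights, IsInherited
```

Read the result as three separate questions: SelfValidatedWriteSPN is the right the delegation from the thread grants and what the dsacls output above shows; SelfWritePropertySPN is what ADSI Edit's Effective Permissions reports; MatchingDenyAces should be empty. If both Allow flags are true right after the delegation but the ACE is gone when you check again later, AdminCount=1 is the first thing to look at, since SDProp reapplies AdminSDHolder's DACL on its own schedule rather than at the moment you delegate. The script ignores InheritedObjectType, so an inherited ACE scoped to a different object class will be counted as matching; confirm such a hit with dsacls before relying on it.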