Any reason not to register SQL Server SPN?

  • Question

  • Microsoft SQL Server 2008 R2 (SP3) - 10.50.6000.34 (X64)   Aug 19 2014 12:21:34   Copyright (c) Microsoft Corporation  Standard Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601: Service Pack 1) (Hypervisor) 

    We have SSRS and SSIS connecting to this server for data.

    Is there any reason why I would NOT want to register the SPN?  Any risks in registering it?

    TIA,

    -Peter

    Tuesday, August 6, 2019 9:40 PM

Answers

  • No reason to not register, unless you're unable to make use of it in your environment or don't require double hop authentication. It is more secure than NTLM so the risk is possibly not to have it enabled/used.
    • Marked as answer by peter daniels Wednesday, August 7, 2019 12:06 PM
    Wednesday, August 7, 2019 12:56 AM

All replies

  • Hi Peter,

    >>Is there any reason why I would NOT want to register the SPN?  Any risks in registering it?

    For Kerberos authentication to connect to a SQL Server instance, Service Principal Names (SPNs) must be properly configured in AD. If we want to use Kerberos authentication, there is no reason for not registering the SPN. In an AD network, when Kerberos can’t be used, the older and less secure NTLM authentication protocol is used instead. There are many situations where the end user will not be able to access the resources they need with NTLM. This is especially true when more than one network resource is involved with the request (double-hop), such as is often the case with SSRS (SQL Server Reporting Services) or a linked server.

    If the resources are located within the same physical server or virtual machine, then Kerberos authentication is not required. In this case, the identity of the requester is just needed on one server. Typically, an SSRS server runs reports that need data from many servers across the network. Even if that’s not the case, SSRS is often installed on its own server for performance reasons. This is that double-hop issue I mentioned earlier.

    Please refer to "Why is Kerberos needed for SQL Server" and "Can’t I just avoid using Kerberos" to get more information.

    For any risks in registering the SPN, did you mean the issues that sometimes occur while registering an SPN? If I misunderstood, please let me know. We can provide a link for "Common issues and Workaround", but you must find the definite reason in the error log when the issue occurs.

    Best regards,
    Cathy Ji

    MSDN Community Support

    • Proposed as answer by YKN123 Thursday, August 8, 2019 1:43 AM
    Wednesday, August 7, 2019 2:10 AM
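
The replies above contrast Kerberos with the NTLM fallback. As an added example (not part of the original thread), this query run on the SQL Server instance shows which scheme each current client connection, such as those from SSRS or SSIS, actually negotiated. It assumes the caller has VIEW SERVER STATE permission.

```sql
-- Added example: summarise how current user connections authenticated.
-- auth_scheme is KERBEROS, NTLM or SQL. Remote Windows logins that show
-- NTLM here did not use Kerberos for this connection, which is the
-- fallback case described in the thread.
SELECT
    s.host_name,                      -- client machine name as reported by the client
    s.program_name,                   -- client application name as reported by the client
    s.login_name,
    c.net_transport,                  -- e.g. TCP, Named pipe, Shared memory
    c.auth_scheme,
    COUNT(*) AS connection_count
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s
    ON s.session_id = c.session_id
WHERE s.is_user_process = 1           -- skip system sessions
GROUP BY
    s.host_name,
    s.program_name,
    s.login_name,
    c.net_transport,
    c.auth_scheme
ORDER BY
    c.auth_scheme,
    s.host_name,
    s.program_name;

-- Scheme used by the connection running this query.
SELECT auth_scheme, net_transport
FROM sys.dm_exec_connections
WHERE session_id = @@SPID;
```

Run it once before and once after the SPN is registered, from a remote client over TCP, so the two results can be compared for the same login.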