Monday, March 19, 2012

Manually configuring SPN when SQL Service account is local non-adm

Hi,
We are running SQL Server 2005 with a local low-privileged service account.
I would like to register the SPN (manually) to enable Kerberos authentication.
The domain admin gets the error message "Unable to locate account <Service
Account Name>" when running the setspn command.
I can only find examples for configuring the SPN when the SQL Service
account is a (non-admin) domain user account or a local administrator account.
Does anyone know whether it is possible or not to enable Kerberos
authentication when running SQL Server 2005 with a local low-privileged
service account?
Thanks!
Kai A

No. A local account is not an Active Directory account.
-Sue
On Tue, 13 Feb 2007 06:01:02 -0800, Kai A
<KaiA@.discussions.microsoft.com> wrote:

>Hi,
>We are running SQL Server 2005 with a local low-privileged service account.
>I would like to register the SPN (manually) to enable Kerberos authentication.
>The domain admin gets the error message "Unable to locate account <Service
>Account Name>" when running the setspn command.
>I can only find examples for configuring the SPN when the SQL Service
>account is a (non-admin) domain user account or a local administrator account.
>Does anyone know whether it is possible or not to enable Kerberos
>authentication when running SQL Server 2005 with a local low-privileged
>service account?
>Thanks!
>Kai A

Thank you very much for your answer!
However, I do not understand why one can register a local admin account in
AD and not a local low-privileged one? A local admin account is not an AD
account either?
This describes how one can register a local admin sql server service account
in AD:
http://blogs.msdn.com/sql_protocols/archive/2006/12/02/understanding-kerberos-and-ntlm-authentication-in-sql-server-connections.aspx :
"d. If your sql server is running under a local machine admin account, you
can (...)run setspn under your domain credential to add the SPN."
Thanks!
Kai A
"Sue Hoegemeier" wrote:

> No. A local account is not an Active Directory account.
> -Sue
> On Tue, 13 Feb 2007 06:01:02 -0800, Kai A
> <KaiA@.discussions.microsoft.com> wrote: