Blog Post

SQL Server Blog
1 MIN READ

Released: update for Kerberos Configuration Manager for SQL Server

Pedro Lopes's avatar
Pedro Lopes
Former Employee
Jan 17, 2020

The Kerberos Configuration Manager for SQL Server is a diagnostic tool that helps troubleshoot Kerberos related connectivity issues with SQL Server, SQL Server Reporting Services (SSRS), and SQL Server Analysis Services (SSAS). It can perform the following functions:

  • Collect information about operating system (OS), Microsoft SQL Server instances, and Always On Availability Group Listeners installed on a server.
  • Report all Service Principal Name (SPN) and delegation configurations on the server.
  • Identify potential problems in SPNs and delegations.
  • Fix potential SPN problems.

The new release (v4.2) adds support for SQL Server 2019.

 

You can download the tool here, as well as read its install and usage instructions. 

Updated Jan 17, 2020
Version 3.0

7 Comments

  • TeunvdB's avatar
    TeunvdB
    Copper Contributor

    Pedro Lopes Sorry for the late reponse. We did this last Friday again.

     

     

    10-3-2020 14:45:23 Info: Attempting to fix SPN issue
    10-3-2020 14:45:23 Info: Attempting to remove SPN MSSQLSvc/SERVERNAME.my.domain.com from account eu\GMSAACCOUNT$ on domain my.domain.com .
    10-3-2020 14:45:23 Info: Attempting to add SPN MSSQLSvc/SERVERNAME.my.domain.com for account eu\GMSAACCOUNT$ on domain my.domain.com .
    10-3-2020 14:45:23 Info: Attempting to add SPN MSSQLSvc/SERVERNAME.my.domain.com for account PACCAR-EU\GMSAACCOUNT$ on domain my.domain.com .
    10-3-2020 14:45:24 Info: SPNs appear to be assigned appropriately.
    10-3-2020 14:45:24 Info: Attempting to remove SPN MSSQLSvc/SERVERNAME.my.domain.com:1433 from account eu\GMSAACCOUNT$ on domain my.domain.com .
    10-3-2020 14:45:24 Info: Attempting to add SPN MSSQLSvc/SERVERNAME.my.domain.com:1433 for account eu\GMSAACCOUNT$ on domain my.domain.com .
    10-3-2020 14:45:24 Info: Attempting to add SPN MSSQLSvc/SERVERNAME.my.domain.com:1433 for account PACCAR-EU\GMSAACCOUNT$ on domain my.domain.com .
    10-3-2020 14:45:24 Info: SPNs appear to be assigned appropriately.

    According to SQL Server it is ok:

     

    However when i look in the tool:



    Is this sufficient information ?

     

    Thanks, Teun vd Biggelaar

  • TeunvdB are you using an admin account to run the tool? Check the logs under %APPDATA%\Microsoft\KerberosConfigMgr and look for “Attempting to remove SPN ..” and “Attempting to add SPN...“ messages, what do you see there?

  • pgriffith's avatar
    pgriffith
    Copper Contributor
    Are there circumstances where SPN with the HOSTNAME/ NETBIOS name is needed along with the default SPNs with Fully Qualified Domain Name (FQDN)? This rumor can be found here https://blogs.msdn.microsoft.com/dataaccesstechnologies/2016/04/27/sqlcmd-2014-fails-to-authenticate-via-kerberos/. Would this also apply when running SQL Server under a domain service account? I have noticed the new release (4.2) refuses to install over the old release, falsely claiming that a newer release is already installed.
  • TeunvdB's avatar
    TeunvdB
    Copper Contributor

    Hi Pedro, 

     

    First of all thank you for the latest version! I've been using this tool for quite some time now and it works great.

    One remark though; If you're using GMSA accounts for your SQL Server this till will set them, and if you run the tool again it will give the status "Misplaced". When you fix it and check again same story...

    When i check it via setspn -l accountname it shows the SPN that was set via the tool...

     

    It would be great if this could be addressed and fixed as well.

     

    Any thoughts about this? 

     

    Thank you.

    Teun