
Setup SPNs

FineBuild can setup Service Principal Names (SPNs) needed for Kerberos authentication.

The Service Principal Name (SPN) is an endpoint for security purposes. When a program requests a Kerberos security token, it passes the required SPN to the token generator. Depending on which Microsoft product is used to connect to SQL Server, a different SPN is used. This requires that a number of SPNs are created for SQL Server to meet the needs of particular Microsoft products.

It is possible for a user-written application to use a site-specific SPN when it connects to SQL Server, in which case this SPN would also have to be created. There is no advantage in using a site-specific SPN, and there are already what amounts to a confusing number of SPNs used by Microsoft products. It is recommended that user-written applications use one of the Microsoft SPN names.

Security Compliance

The use of SPNs is one of the requirements for Kerberos authentication. Kerberos is the most secure authentication mechanism provided by Microsoft and it is recommended that it is used wherever possible. If you set up Security Compliance then Setup SPN processing will always be performed.

FineBuild Setup SPN Processing

Processing of Setup SPN relates to Process Id 1ED in the FineBuild1Preparation script, and is controlled by the parameter below:

Install Parameter  Build        SQL2005  SQL2008  SQL2008 R2  SQL2012  SQL2014  SQL2016  SQL2017
SetupSPN           FULL         Yes      Yes      Yes         Yes      Yes      Yes      Yes
SetupSPN           WORKSTATION  Yes      Yes      Yes         Yes      Yes      Yes      Yes
SetupSPN           CLIENT       N/A      N/A      N/A         N/A      N/A      N/A      N/A


SQL FineBuild performs setup SPN processing by creating a script and then running it. Creating a SPN requires Windows Account Administrator authority, so if you do not have this authority the script will fail. If the script fails, FineBuild will issue a message showing where the script is located, and you can then send the script file to a Windows Administrator to be run.

Manual Setup SPN Processing

The following steps show what you would have to do to Setup SPN manually. FineBuild does all of this work for you automatically.

A SPN should be created for both the NetBIOS style name and the Fully Qualified Domain Name style variations of the service name, to cater for the different formats that applications may use when connecting to the service. Both variations should always be created.

1) If Analysis Services is being installed, then create the SPNs for Analysis Services, using the commands below:

SETSPN -S MSOLAPSvc.3/FullyQualifiedServerName ServiceAccount
SETSPN -S MSOLAPSvc.3/FullyQualifiedServerName:port ServiceAccount
SETSPN -S MSOLAPSvc.3/NetBIOSServerName ServiceAccount
SETSPN -S MSOLAPSvc.3/NetBIOSServerName:port ServiceAccount

An example is given below:

SETSPN -S MSOLAPSvc.3/PDGB01SQLS0021.prod.local PROD\SERVGB_SQL01
SETSPN -S MSOLAPSvc.3/PDGB01SQLS0021.prod.local:2383 PROD\SERVGB_SQL01
SETSPN -S MSOLAPSvc.3/PDGB01SQLS0021 PROD\SERVGB_SQL01
SETSPN -S MSOLAPSvc.3/PDGB01SQLS0021:2383 PROD\SERVGB_SQL01

Notes:
a) If the SPN for the Default instance is being created, use 2383 or the locally assigned value for the port number. For a Named Instance, use the port number for that instance. Do not include the instance name with the server name.
b) If an Analysis Services cluster is being installed as part of a SQL Server Cluster Install, then SPNs without port numbers should be created. Use the same syntax as above, but leave out the port number (i.e. omit the :1433).

2) If SQL Browser is being used to find the Analysis Services instance, then create the SPNs for SQL Browser. See KB 950599 for more details of this requirement.

SETSPN -S MSOLAPDisco.3/FullyQualifiedServerName ServiceAccount
SETSPN -S MSOLAPDisco.3/NetBIOSServerName ServiceAccount

An example is given below:

SETSPN -S MSOLAPDisco.3/PDGB01SQLS0021.prod.local PROD\SERVGB_SQL01
SETSPN -S MSOLAPDisco.3/PDGB01SQLS0021 PROD\SERVGB_SQL01

3) If SQL Server database engine is being installed, then create the SPNs for SQL Server, using the commands below:

SETSPN -S MSSQLSvc/FullyQualifiedServerName ServiceAccount
SETSPN -S MSSQLSvc/FullyQualifiedServerName:portnumber ServiceAccount
SETSPN -S MSSQLSvc/NetBIOSServerName ServiceAccount
SETSPN -S MSSQLSvc/NetBIOSServerName:portnumber ServiceAccount

An example is given below:

SETSPN -S MSSQLSvc/PDGB01SQLS0021.prod.local PROD\SERVGB_SQL01
SETSPN -S MSSQLSvc/PDGB01SQLS0021.prod.local:1433 PROD\SERVGB_SQL01
SETSPN -S MSSQLSvc/PDGB01SQLS0021 PROD\SERVGB_SQL01
SETSPN -S MSSQLSvc/PDGB01SQLS0021:1433 PROD\SERVGB_SQL01

Notes:
a) If the SPN for the Default instance is being created, use 1433 or the locally assigned value for the port number. For a Named Instance, use the port number for that instance. Do not include the instance name with the server name.
b) If a SQL DB Engine cluster is being installed as part of a SQL Server Cluster Install, then SPNs without port numbers should be created. Use the same syntax as above, but leave out the port number (i.e. omit the :1433).

4) If Report Services is being installed, then create the SPNs for Report Services, using the commands below:

SETSPN -S HTTP/FullyQualifiedServerName ServiceAccount
SETSPN -S HTTP/FullyQualifiedServerName:portnumber ServiceAccount
SETSPN -S HTTP/NetBIOSServerName ServiceAccount
SETSPN -S HTTP/NetBIOSServerName:portnumber ServiceAccount

An example is given below:

SETSPN -S HTTP/PDGB01SQLS0021.prod.local PROD\SERVGB_SQL01
SETSPN -S HTTP/PDGB01SQLS0021.prod.local:80 PROD\SERVGB_SQL01
SETSPN -S HTTP/PDGB01SQLS0021 PROD\SERVGB_SQL01
SETSPN -S HTTP/PDGB01SQLS0021:80 PROD\SERVGB_SQL01

5) If SSIS Scaleout Master is being installed, then create the SPNs for SSIS Scaleout Master, using the commands below:

SETSPN -S HTTPS/FullyQualifiedServerName ServiceAccount
SETSPN -S HTTPS/FullyQualifiedServerName:portnumber ServiceAccount
SETSPN -S HTTPS/NetBIOSServerName ServiceAccount
SETSPN -S HTTPS/NetBIOSServerName:portnumber ServiceAccount

An example is given below:

SETSPN -S HTTPS/PDGB01SQLS0021.prod.local PROD\SERVGB_SQL01
SETSPN -S HTTPS/PDGB01SQLS0021.prod.local:8391 PROD\SERVGB_SQL01
SETSPN -S HTTPS/PDGB01SQLS0021 PROD\SERVGB_SQL01
SETSPN -S HTTPS/PDGB01SQLS0021:8391 PROD\SERVGB_SQL01
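The manual steps above, put together as one PowerShell script. This is an added example and is not FineBuild's own SPN script: it builds the SPN list for the selected components (both the NetBIOS and fully qualified name styles, with and without the port, and no port-qualified SPNs for a clustered install), then registers each one with setspn -S, which refuses to add an SPN that is already registered on another account. A duplicate SPN is the usual reason Kerberos silently fails and clients drop back to NTLM, so that check is worth keeping. The function names, the -Components selection and the server, domain and account names are constructed placeholders; only the service classes, ports and setspn switches come from the page.

```powershell
# Added example (not FineBuild code). Generates and registers the SPNs described in the
# manual Setup SPN steps. Function and parameter names are assumptions made for this example.

function Get-SqlServerSpnList {
    param(
        [Parameter(Mandatory)][string]$NetBiosName,   # e.g. PDGB01SQLS0021 (constructed)
        [Parameter(Mandatory)][string]$DnsDomain,     # e.g. prod.local    (constructed)
        # Which services are being installed on this server
        [string[]]$Components = @('DbEngine'),        # DbEngine, AnalysisServices, Browser, ReportServices, SsisScaleOut
        [int]$DbPort    = 1433,                       # default instance; use the instance's own port for a named instance
        [int]$OlapPort  = 2383,
        [int]$HttpPort  = 80,
        [int]$HttpsPort = 8391,
        [switch]$Clustered                            # cluster installs get SPNs without port numbers (notes b above)
    )
    $fqdn  = "$NetBiosName.$DnsDomain"
    $hosts = @($fqdn, $NetBiosName)                   # both name styles are always created

    # Service class per component; SQL Browser discovery SPNs never carry a port
    $serviceClasses = @{
        DbEngine         = @{ Class = 'MSSQLSvc';      Port = $DbPort }
        AnalysisServices = @{ Class = 'MSOLAPSvc.3';   Port = $OlapPort }
        Browser          = @{ Class = 'MSOLAPDisco.3'; Port = $null }
        ReportServices   = @{ Class = 'HTTP';          Port = $HttpPort }
        SsisScaleOut     = @{ Class = 'HTTPS';         Port = $HttpsPort }
    }

    $spns = foreach ($c in $Components) {
        if (-not $serviceClasses.ContainsKey($c)) { throw "Unknown component '$c'" }
        $class = $serviceClasses[$c].Class
        $port  = $serviceClasses[$c].Port
        foreach ($h in $hosts) {
            "$class/$h"                                           # SPN without port
            if ($port -and -not $Clustered) { "$class/${h}:$port" }  # SPN with port
        }
    }
    return $spns
}

function Register-SqlServerSpn {
    param(
        [Parameter(Mandatory)][string[]]$Spn,
        [Parameter(Mandatory)][string]$ServiceAccount,  # DOMAIN\account running the service
        [switch]$WhatIf                                 # print the commands instead of running them
    )
    foreach ($s in $Spn) {
        if ($WhatIf) { "setspn -S $s $ServiceAccount"; continue }
        # -S checks the forest for an existing copy of the SPN before adding it, so a
        # duplicate is reported here instead of surfacing later as a Kerberos failure.
        $out = & setspn.exe -S $s $ServiceAccount 2>&1
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "setspn -S $s failed (exit $LASTEXITCODE): $out"
        }
    }
}

# Usage (constructed names): show the commands first, then run them with account-admin rights.
$spns = Get-SqlServerSpnList -NetBiosName 'PDGB01SQLS0021' -DnsDomain 'prod.local' `
                             -Components DbEngine, AnalysisServices, Browser
Register-SqlServerSpn -Spn $spns -ServiceAccount 'PROD\SERVGB_SQL01' -WhatIf
# Register-SqlServerSpn -Spn $spns -ServiceAccount 'PROD\SERVGB_SQL01'
# Afterwards, list what is actually registered on the account:  setspn -L PROD\SERVGB_SQL01
```

Running with -WhatIf produces the same setspn -S lines shown in the steps above, which is a convenient way to hand the list to a Windows Administrator when you lack the authority to create SPNs yourself, as the FineBuild section above describes. A non-zero exit from setspn -S on a run is the signal to look for an existing SPN registered on a different account before trying again.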

Copyright FineBuild Team © 2017. License and Acknowledgements

Last edited Mar 18 at 1:36 PM by EdVassie, version 1