11

I've set up a SQL Server service account with permissions to read and write service principal names. When SQL Server starts up I get the expected message in the logs showing that the service account has successfully registered the SPN:

The SQL Server Network Interface library successfully registered the Service Principal Name (SPN) [MySPN] for the SQL Server service.

Connections to the database server use Kerberos authentication as expected and all seems well.

However, when I shut down SQL Server a message is entered in the logs showing that the SPN could not be deregistered:

The SQL Server Network Interface library could not deregister the Service Principal Name (SPN) [MySPN] for the SQL Server service. Error: 0x6d3, state: 4. Administrator should deregister this SPN manually to avoid client authentication errors.

I've checked that there are no duplicate SPNs and checked that the SPN is registered to the correct service account, and only to that account. The server has been rebooted several times. Microsoft's Kerberos Config Manager doesn't offer any insight.

I don't understand why the service account would be permitted to create the SPN but not permitted to delete it.

paulH
  • What version of MS-SQL Server are you running? On what operating system? What version of Active Directory? Does this behavior occur each time, or is it intermittent? Did it ever properly deregister the SPN in the past? – T-Heron May 26 '19 at 00:26

2 Answers

1

As per this question, you could try repairing the SQL Server installation from Add/Remove Programs in Control Panel. This will restart the service, so you may have to perform this out of hours.

SE1986
0

Are you getting successful SPN messages upon SQL Server restart? If so, then you can ignore this message.

Paul Wehland