Article ID: 950599 - View products that this article applies to.
Consider the following scenario. You establish a connection to a named instance of Microsoft SQL Server Analysis Services or of Microsoft SQL Server. Then, the SQL Server Browser service determines the port on which the named instance is available. The connection uses Kerberos authentication. In this scenario, a service principle name (SPN) for the SQL Server Browser service is required in addition to the SPN for the named instance of Analysis Services or of SQL Server. If the SPN for the SQL Server Browser service does not exist, Kerberos authentication fails.
This behavior occurs only when the connection string contains the SSPI=Kerberos parameter. In this case, the connection is forced to use Kerberos authentication, and the SPN for the SQL Server Browser service must be configured.
If the connection string does not contain the SSPI=Kerberos parameter, Kerberos authentication is typically used. The connection to the SQL Server Browser service uses NTLM and the NT_ANONYMOUS account instead. In this case, the connection to the SQL Server Browser service is successful. The SQL Server Browser service determines the correct port. Then, the actual database connection uses Kerberos authentication to provide the true authentication.
You must create an SPN for the SQL Server Browser service by using the account under which the SQL Server Browser service is running.
The format of a NetBIOS SPN is as follows:
MSOLAPDisco.3/serverHostNameThe format of a fully qualified domain name SPN is as follows:
How to Register SPNYou must be a member of the Domain Administrators group to run the Setspn command.
To create the SPN for the Browser Service that is running under Domain Account, run the following commands at a command prompt:
Setspn.exe -a MSOLAPDisco.3/serverHostName.Fully_Qualified_domainName Browser_Service_Startup_AccountIf you must create the SPN for the Browser Service that is running under the LocalSystem account, run the following commands at a command prompt:
Setspn.exe -a MSOLAPDisco.3/serverHostName Browser_Service_Startup_Account
Setspn.exe -a MSOLAPDisco.3/serverHostName.Fully_Qualified_domainName serverHostName Setspn.exe -a MSOLAPDisco.3/serverHostName serverHostName
To verify SPNWhen the service is running under a Domain account:
Setspn –l Browser_Service_Startup_AccountWhen the service is running under the LocalSystem account:
Setspn -l serverHostName
Article ID: 950599 - Last Review: December 20, 2010 - Revision: 3.0