Consider the following scenario. You establish a connection to a named instance of Microsoft SQL Server Analysis Services. Then, the SQL Server Browser service determines the port on which the named instance is available. The connection uses Kerberos authentication. In this scenario, a service principle name (SPN) for the SQL Server Browser service is required in addition to the SPN for the named instance of Analysis Services. If the SPN for the SQL Server Browser service does not exist, Kerberos authentication fails.
This behavior occurs only when the connection string contains the SSPI=Kerberos parameter. In this case, the connection is forced to use Kerberos authentication, and the SPN for the SQL Server Browser service must be configured.
If the connection string does not contain the SSPI=Kerberos parameter, Kerberos authentication is typically used. The connection to the SQL Server Browser service uses NTLM and the NT_ANONYMOUS account instead. In this case, the connection to the SQL Server Browser service is successful. The SQL Server Browser service determines the correct port. Then, the actual database connection uses Kerberos authentication to provide the true authentication.
You must create an SPN for the SQL Server Browser service by using the account under which the SQL Server Browser service is running.
The format of a NetBIOS SPN is as follows:
The format of a fully qualified domain name SPN is as follows: