An SPN for the SQL Server Browser service is required when you establish a connection to a named instance of SQL Server Analysis Services

Extended support for SQL Server 2005 ended on April 12, 2016

If you are still running SQL Server 2005, you will no longer receive security updates and technical support. We recommend upgrading to SQL Server 2014 and Azure SQL Database to achieve breakthrough performance, maintain security and compliance, and optimize your data platform infrastructure. Learn more about the options for upgrading from SQL Server 2005 to a supported version here.

Symptoms
Consider the following scenario. You establish a connection to a named instance of Microsoft SQL Server Analysis Services. Then, the SQL Server Browser service determines the port on which the named instance is available. The connection uses Kerberos authentication. In this scenario, a service principle name (SPN) for the SQL Server Browser service is required in addition to the SPN for the named instance of Analysis Services. If the SPN for the SQL Server Browser service does not exist, Kerberos authentication fails. 
Cause
This behavior occurs only when the connection string contains the SSPI=Kerberos parameter. In this case, the connection is forced to use Kerberos authentication, and the SPN for the SQL Server Browser service must be configured.

If the connection string does not contain the SSPI=Kerberos parameter, Kerberos authentication is typically used. The connection to the SQL Server Browser service uses NTLM and the NT_ANONYMOUS account instead. In this case, the connection to the SQL Server Browser service is successful. The SQL Server Browser service determines the correct port. Then, the actual database connection uses Kerberos authentication to provide the true authentication.
Resolution
You must create an SPN for the SQL Server Browser service by using the account under which the SQL Server Browser service is running.

The format of a NetBIOS SPN is as follows:
MSOLAPDisco.3/serverHostName
The format of a fully qualified domain name SPN is as follows:
MSOLAPDisco.3/serverHostName.Fully_Qualified_domainName

How to Register SPN

You must be a member of the Domain Administrators group to run the Setspn command.

To create the SPN for the Browser Service that is running under Domain Account, run the following commands at a command prompt:
Setspn.exe -a MSOLAPDisco.3/serverHostName.Fully_Qualified_domainName Browser_Service_Startup_Account

Setspn.exe -a MSOLAPDisco.3/serverHostName Browser_Service_Startup_Account
If you must create the SPN for the Browser Service that is running under the LocalSystem account, run the following commands at a command prompt:
Setspn.exe -a MSOLAPDisco.3/serverHostName.Fully_Qualified_domainName serverHostNameSetspn.exe -a MSOLAPDisco.3/serverHostName serverHostName

To verify SPN

  When the service is running under a Domain account: 
Setspn –l Browser_Service_Startup_Account
When the service is running under the LocalSystem account: 
Setspn -l serverHostName
Status
This behavior is by design.
Propiedades

Id. de artículo: 950599 - Última revisión: 01/16/2014 17:51:00 - Revisión: 4.0

Microsoft SQL Server 2005 Analysis Services, Microsoft SQL Server 2005 Developer Edition, Microsoft SQL Server 2005 Enterprise Edition, Microsoft SQL Server 2005 Standard Edition, Microsoft SQL Server 2008 Analysis Services, Microsoft SQL Server 2008 Developer, Microsoft SQL Server 2008 Enterprise, Microsoft SQL Server 2008 Standard, Microsoft SQL Server 2008 R2 Analysis Services, Microsoft SQL Server 2008 R2 Developer, Microsoft SQL Server 2008 R2 Enterprise, Microsoft SQL Server 2008 R2 Standard, Microsoft SQL Server 2012 Analysis Services, Microsoft SQL Server 2012 Developer, Microsoft SQL Server 2012 Enterprise, Microsoft SQL Server 2012 Standard

  • kbtshoot kbprb KB950599
Comentarios