SPN (Service Principal Name)
An SPN is the unique identifier of a service on a network that uses Kerberos authentication; it consists of the service class, the host name and the port. On such a network the SPN for a server must be registered under either a built-in computer account (such as NetworkService or LocalSystem) or a user account. For built-in accounts the SPN is registered automatically; if the service runs under a domain user account, the SPN must be registered manually for the account in use.
How to resolve SPN errors when a client connects to a SQL Server instance
1、First log on to the server hosting the SQL Server instance and run setspn -L dai\sqlprocess |find "machine name" to list the entries registered for that instance's server; check whether any are invalid or duplicated, and if so delete them with setspn -D
2、Then use the Microsoft Kerberos Configuration Manager for SQL Server client tool to connect to the server hosting that SQL Server instance (enter only the server name) and check whether the server's SPNs are healthy
3、Finally, use setspn -D and setspn -A to rebuild all SPN entries for that instance's server; cmd must be run as administrator when using setspn
4、Try from a different client machine: sometimes a particular client machine cannot obtain information from the domain, DNS or DHCP servers, or its information has not yet been synchronised to them, and connecting to SQL Server then also reports an SPN error
5、If the server has an alias and the AG listener uses that alias, the alias must be registered in the SPN, i.e. setspn -A aliasname:1433 dai\sqlprocess
6、In the mail alert, a Server Name of DBPROD2 means the SPN for DBPROD2 has a problem, and DBPROD2\BI1 means the SPN for DBPROD2\BI1 has a problem; DBPROD2 may be either an alias or a server name
7、After rebuilding the SPN it may not take effect immediately; you may need to wait a while.
8、The best way to verify is to click a linked server directly and test the connection. The following shows DBDEV1 failing to reach the linked server at 12.2.37.123.
DBDEV1 Logon Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. Reason: Could not find a login matching the name provided. [CLIENT:12.2.37.123]
9、A linked server error of Cannot generate SSPI context is caused by the netlogon service failing to start; under computer management--local user and groups--groups--administrators group, the members show only as numbers and no domain users are visible. netlogon fails to start because workstation fails to start, and workstation fails to start because it uses the local system account; switch it to the network service user and leave the password box empty. In this state, entering this server in the Kerberos tool also fails to log in with the error: The was an issue with accessing UserAccount information from the system
10、A Linux server connecting to a SQL Server instance reports the error SSPI Provider: Server not found in Kerberos database (851968) (SQLDriverConnect)
Solution 1:
Windows servers connecting to a SQL Server instance generally use the server name of the instance in the SPN. For Linux, look at the connection string configured on the Linux side: if that string uses the instance name, the instance name must be written into the SPN. For example, the developers' configuration file used the SQL Server instance name ibdwonstagedbalias, the server name is stagingdbaws1, and the SPN only contained the server name stagingdbaws1; adding the instance name to the SPN resolves it
setspn -A MSSQLSvc/ibdwonstagedbalias.d.com:1433 dai\sqlprocess
setspn -A MSSQLSvc/ibdwonstagedbalias.d.com dai\sqlprocess
Solution 2:
If it is not the situation in 1 above, the cause may be that the crontab service on the Linux server has a problem, so the credential-renew.sh script in the crontab has not been running. Check that job's execution history with less /var/log/cron |grep "credential-renew.sh"; the command inside the credential-renew.sh executable is kinit
Solution 3:
If neither 1 nor 2 applies, check the Linux server's time with date. If the Linux server's time differs from the domain controller's, run on the Linux server in turn: systemctl status ntpd, systemctl stop ntpd, ntpdate 12.2.10.66 (the domain controller's IP), systemctl start ntpd
1、In SSMS, connect to the SQL instance that you are going to recreate the SPN records for
2、Open the SQL Server logs
3、Filter results based on "spn" in the message text
Don't forget to click the "Apply filter" checkbox
4、You may have to filter through older logs and not just the "Current" log to find the records that start with the message:
"The SQL Server Network Interface library successfully registered the Service Principal Name..."
5、Copy the SPN portion of both messages and paste them into Notepad
One record has the port number at the end and the other has the instance name
If it is the default instance then the port number will be 1433 and the instance name will be absent
6、With the two SPN records in Notepad, replace the machine name of the server with the alias
The alias is either a C-NAME DNS record or an Availability Group listener such as: PROD2, PDBALIAS, etc
7、Remote into the server as your domain-admin account
8、In your RDP session to the server, run CMD as administrator
9、Use the following syntax to delete the existing SPN record (if it exists) then recreate it:
setspn -D MSSQLSvc/PROD2.d.com:52219 dai\sqlprocess
setspn -A MSSQLSvc/PROD2.d.com:52219 dai\sqlprocess
10、Do the same for both records (port and instance name)
setspn -D MSSQLSvc/PROD2.d.com:BI1 dai\sqlprocess
setspn -A MSSQLSvc/PROD2.d.com:BI1 dai\sqlprocess
Log on to the server with your personal domain account, run cmd as administrator, and execute the following
setspn -L dai\sqlprocess | find "服务器名称PROD2" > C:\spn.txt
setspn -D MSSQLSvc/PROD2.d.com:52219 dai\sqlprocess
setspn -A MSSQLSvc/PROD2.d.com:52219 dai\sqlprocess
setspn -D MSSQLSvc/PROD2.d.com:BI1 dai\sqlprocess
setspn -A MSSQLSvc/PROD2.d.com:BI1 dai\sqlprocess
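As an added example (not from the original post), the following Python script parses a constructed `setspn -L` listing, computes the two MSSQLSvc SPNs expected for each server name or alias (the port form plus the instance-name form, or the bare FQDN for a default instance, as in steps 5 and 6 above and the Linux alias case in Solution 1), and reports missing and duplicated entries together with the setspn -D/-A pairs that rebuild them. The account name, host names, port and the listing text are constructed sample values.

```python
from collections import Counter

# Constructed sample of `setspn -L dai\sqlprocess` output (not a real capture).
SAMPLE_SETSPN_L = """\
Registered ServicePrincipalNames for CN=sqlprocess,OU=Service,DC=dai,DC=com:
        MSSQLSvc/DBPROD2.d.com:52219
        MSSQLSvc/DBPROD2.d.com:BI1
        MSSQLSvc/DBPROD2.d.com:BI1
        MSSQLSvc/stagingdbaws1.d.com:1433
        MSSQLSvc/stagingdbaws1.d.com
"""

def parse_setspn_l(text):
    """Return the MSSQLSvc SPNs listed by `setspn -L`, keeping duplicates."""
    return [ln.strip() for ln in text.splitlines() if ln.strip().startswith("MSSQLSvc/")]

def expected_spns(host, domain, port, instance=None):
    """SPNs SQL Server registers for one host name (server name or alias):
    FQDN:port plus FQDN:instance, or the bare FQDN for the default instance."""
    fqdn = f"{host}.{domain}"
    second = f"MSSQLSvc/{fqdn}:{instance}" if instance else f"MSSQLSvc/{fqdn}"
    return {f"MSSQLSvc/{fqdn}:{port}", second}

def audit(setspn_output, targets):
    """targets: (host, domain, port, instance) tuples.
    Returns (missing SPNs, SPNs listed more than once), both sorted."""
    registered = parse_setspn_l(setspn_output)
    wanted = set()
    for host, domain, port, instance in targets:
        wanted |= expected_spns(host, domain, port, instance)
    missing = sorted(wanted - set(registered))
    duplicates = sorted(s for s, n in Counter(registered).items() if n > 1)
    return missing, duplicates

def rebuild_commands(account, targets):
    """The setspn -D / -A pairs that recreate every expected SPN for the account,
    in the order the runbook above uses (delete if present, then add)."""
    cmds = []
    for host, domain, port, instance in targets:
        for spn in sorted(expected_spns(host, domain, port, instance)):
            cmds.append(f"setspn -D {spn} {account}")
            cmds.append(f"setspn -A {spn} {account}")
    return cmds

if __name__ == "__main__":
    targets = [("DBPROD2", "d.com", 52219, "BI1"), ("ibdwonstagedbalias", "d.com", 1433, None)]
    missing, dups = audit(SAMPLE_SETSPN_L, targets)
    print("missing:", missing, "duplicated:", dups)
    print("\n".join(rebuild_commands(r"dai\sqlprocess", targets)))
```

Run it against the real `setspn -L` output saved to a file (for example the C:\spn.txt produced above) by passing that text to audit instead of the constructed sample.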
To verify SQL Server SPNs with a graphical client, use the Microsoft Kerberos Configuration Manager for SQL Server tool: download the installer and install it on a domain-joined server, log on to that server directly, open the tool and enter the server A to connect to; it then shows whether the SPN information for every SQL Server instance on server A is OK.