The Kerberos Configuration Manager is a really handy tool that can make configuring Kerberos a much easier task, but it’s got a nasty little bug. Configuring Kerberos can be tricky. In what way you ask? Here is a short list of just some of the things you have to consider.
- What is my SPN supposed to look like?
- Should I let SQL Server handle registering my SPNs or should I do it manually?
- Are there special considerations if I’m running a failover cluster?
- Where does the SPN go?
- Do I have permissions to add/change/remove SPNs and if not what is the permission I need to request?
- Do I need delegation enabled and on which account?
That’s the short list, but you don’t have to worry about all that stuff because you have the Kerberos Configuration Manager, right? Not so fast.
This tool works great for most scenarios, but if your environment has a split DNS, multiple domains, or multiple DNS namespaces, you had better take a second look at the SPNs it suggests. Many DBAs are not familiar with these concepts, so let me give a simple explanation and then we can work through an example. A split DNS is where hosts are resolvable in more than one namespace. This is fairly common when companies merge or buy out other companies.
Let’s say the company “Movie Studio A” uses the DNS namespace movies.com and all hosts are registered in that domain. When they create their Active Directory they decide to call it MovieStudioA.com. They join all their servers to the domain and keep movies.com as their primary DNS suffix. Server1 is now resolvable as both server1.movies.com and server1.moviestudioa.com. The problem is that if you open a command prompt and ping “Server1”, it resolves to server1.movies.com because of the primary DNS suffix.
Kerberos will only work with the Active Directory domain name and NOT any other resolvable DNS namespace. Unfortunately, the Kerberos Configuration Manager builds its SPN suggestions from how the client machine resolves the server name you type in. What it should do, after resolving and contacting the server, is read the domain the server is joined to and build the FQDN from that, but that is not what it does.
Let’s see what it looks like. I have a server called Server1 that is joined to the stars.com domain, so its FQDN is Server1.stars.com. The same server is also registered in a second, DNS-only namespace, DNSOnlyDomain.com. Here is what the Kerberos Configuration Manager says the SPNs should be.
Those SPNs are not correct because they are built from the DNS-only namespace rather than the Active Directory domain. They should reflect the Active Directory domain and look like this.
If you are using the Kerberos Configuration Manager, make sure you know which Active Directory domain your server is joined to so you can tell whether the suggested SPNs are correct.
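As an added example (not from the original post and not part of the Kerberos Configuration Manager), here is a small PowerShell check that does the comparison described above: it takes the SPNs the tool suggests, takes the Active Directory domain the server is actually joined to, and flags every SPN whose host part sits in some other namespace. The function name `Test-SqlSpnDomain`, the sample SPN list, and the use of the standard `MSSQLSvc/<fqdn>:<port|instance>` SPN form are assumptions made for the example; the server and domain names are the ones used in the post.

```powershell
# Added example: flag suggested SQL Server SPNs that do not use the Active Directory domain.
# Function name and sample input are assumptions for this illustration.
function Test-SqlSpnDomain {
    param(
        [Parameter(Mandatory)] [string[]] $Spn,       # SPNs as suggested by the tool
        [Parameter(Mandatory)] [string]   $AdDomain   # domain the server is joined to, e.g. stars.com
    )

    foreach ($entry in $Spn) {
        # Expected forms: MSSQLSvc/host.fqdn:1433  or  MSSQLSvc/host.fqdn:INSTANCENAME
        $service, $rest = $entry -split '/', 2
        $hostPart, $suffixPart = $rest -split ':', 2         # suffixPart is port or instance, may be empty
        $shortName, $dnsSuffix = $hostPart -split '\.', 2     # dnsSuffix is the namespace the tool used

        # The host part must carry the AD domain, compared case-insensitively.
        $isCorrect = [bool]$dnsSuffix -and ($dnsSuffix -ieq $AdDomain)

        # Rebuild what the SPN should look like with the AD domain in place of the DNS suffix.
        $expected = if ($suffixPart) {
            '{0}/{1}.{2}:{3}' -f $service, $shortName, $AdDomain, $suffixPart
        } else {
            '{0}/{1}.{2}' -f $service, $shortName, $AdDomain
        }

        [pscustomobject]@{
            Spn       = $entry
            Namespace = $dnsSuffix
            Expected  = $expected
            IsCorrect = $isCorrect
        }
    }
}

# Constructed sample: the tool was run against Server1 (joined to stars.com) and,
# because the client resolved the name through the DNS-only namespace, suggested these.
$suggested = @(
    'MSSQLSvc/Server1.DNSOnlyDomain.com:1433',
    'MSSQLSvc/Server1.DNSOnlyDomain.com'
)

# The AD domain should come from the server itself, not from name resolution. For the local
# machine: (Get-CimInstance Win32_ComputerSystem).Domain. For a remote server, with the
# ActiveDirectory module: (Get-ADComputer Server1 -Properties DNSHostName).DNSHostName
# returns the AD FQDN, whose suffix is the joined domain. Hard-coded here so the sample runs offline.
$adDomain = 'stars.com'

Test-SqlSpnDomain -Spn $suggested -AdDomain $adDomain | Format-Table -AutoSize
```

Both sample SPNs come back with `IsCorrect` false and an `Expected` value of `MSSQLSvc/Server1.stars.com:1433` and `MSSQLSvc/Server1.stars.com`, which is the correction the post describes. The important design point is where `$adDomain` comes from: read it from the computer object or the server itself, never from what the client resolves, because the resolution step is exactly what misleads the tool in a split-DNS environment.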