March 20, 2013 at 11:12 am
The user account used for SQL Services has to have local admin privileges and the Log on as a Service right.
----------------------------------------------------
March 21, 2013 at 8:43 am
I usually have to use:
setspn -A MSSQLSvc/Servername.Domain.TopLevelInternalDomain:PortUsually1433 Domain\ADServiceAccount
July 10, 2014 at 10:30 am
I have tried all these fixes and none worked....any other suggestions?
changed service account
drop server name/re-added.
Any other suggestions. In our environment this happened out of the blue....a user called and could not connect, I am able to connect with SQL authentication.
July 10, 2014 at 12:23 pm
MMartin1 (3/20/2013)
The user account used for SQL Services has to have local admin privileges
Not true - the user account used for SQL Services does not (and should not, in any high security installation) have local admin rights, much less domain admin rights.
The user account does need permissions to a variety of directories for SQL Server files (sometimes it's easier to use
icacls * /reset /t
to reset security on entire subdirectory trees).
There are some Group Policy permissions that are required or recommended; the set I use includes some for proxy users:
gpedit.msc
  Computer Configuration
    Windows Settings
      Security Settings
        Local Policies
          User Rights Assignments
            Act as part of the operating system
            Adjust memory quotas for a process
            Bypass traverse checking -- proxy user use, I think
            Lock pages in memory -- a subject of some debate
            Log on as a service
            Perform volume maintenance tasks -- required for instant file initialization
            Replace a process level token -- proxy user use, I think
July 10, 2014 at 12:26 pm
Giving the Service account 'domain admin' privileges for a brief time allowed the SPN error to correct itself or register properly.
Thank you
July 11, 2014 at 3:11 am
TryingToLearn (7/10/2014)
Giving the Service account 'domain admin' privileges for a brief time allowed the SPN error to correct itself or register properly. Thank you
Exactly what you shouldn't do.
Either grant the new account the AD permissions
readServicePrinciple
writeServicePrinciple
or have an AD admin manually create the required SPN
-----------------------------------------------------------------------------------------------------------
"Ya can't make an omelette without breaking just a few eggs" 😉
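The two least-privilege options from the reply above, as an added example that is not part of the original thread. In Active Directory the permissions are displayed as "Read servicePrincipalName" and "Write servicePrincipalName"; the account name, distinguished name, host name and port below are placeholder assumptions.

```powershell
# Added example. Every name below is a placeholder (assumption), not a value from the thread.
param(
    [string]$Account   = 'CONTOSO\svc-sql',   # SQL Server service account
    [string]$AccountDN = 'CN=svc-sql,OU=Service Accounts,DC=contoso,DC=example',
    [string]$Fqdn      = 'sqlhost01.contoso.example',
    [int]   $Port      = 1433,
    [switch]$SelfRegister   # choose option B (delegation) instead of option A (manual SPN)
)

# Braces are required: "$Fqdn:" would be parsed as a scoped variable name.
$Spn = "MSSQLSvc/${Fqdn}:$Port"

# 1. Inspect the current state before changing anything.
setspn -L $Account    # SPNs registered on the service account
setspn -Q $Spn        # which account, if any, already holds this SPN
setspn -X             # duplicate SPNs in the domain (a duplicate breaks Kerberos)

if ($SelfRegister) {
    # Option B: let the account maintain its own SPN.
    # SELF = the account acting on its own AD object,
    # RP/WP = read/write property, scoped to servicePrincipalName only.
    dsacls $AccountDN /G 'SELF:RPWP;servicePrincipalName'

    # Confirm the ACE is present. SQL Server attempts the registration when
    # the service starts, so the SPN appears after the next service restart.
    dsacls $AccountDN | Select-String 'servicePrincipalName'
}
else {
    # Option A: an AD admin creates the SPN by hand.
    # -S refuses to add the SPN if it already exists on another account.
    setspn -S $Spn $Account
}

# 2. Verify the result. The service account never needs Domain Admins
#    or local Administrators membership for either option.
setspn -L $Account
```

Run it from an account that is allowed to edit the service account's AD object; the service account itself stays an ordinary domain user.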