I've set up a SQL Server service account with permissions to read and write service principal names. When SQL Server starts up I get the expected message in the logs showing that the service account has successfully registered the SPN:
The SQL Server Network Interface library successfully registered the Service Principal Name (SPN) [MySPN] for the SQL Server service.
Connections to the database server use Kerberos authentication as expected and all seems well.
However, when I shut down SQL Server a message is entered in the logs showing that the SPN could not be deregistered:
The SQL Server Network Interface library could not deregister the Service Principal Name (SPN) [MySPN] for the SQL Server service. Error: 0x6d3, state: 4. Administrator should deregister this SPN manually to avoid client authentication errors.
I've checked that there are no duplicate SPNs and checked that the SPN is registered to the correct service account, and only to that account. The server has been rebooted several times. Microsoft's Kerberos Config Manager doesn't offer any insight.
I don't understand why the service account would be permitted to create the SPN but not permitted to delete it.
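As an added example (not part of the original question or answer), here are the checks the question describes, plus the manual deregistration the shutdown message asks for, scripted in PowerShell around setspn.exe and the ActiveDirectory module. The domain CONTOSO, the account svc_sql and the SPN MSSQLSvc/sqlhost.contoso.com:1433 are placeholders standing in for [MySPN]. For reference, error 0x6d3 is decimal 1747, the Win32 code RPC_S_UNKNOWN_AUTHN_SERVICE ("The authentication service is unknown"), not the access-denied code (5, ERROR_ACCESS_DENIED), so it is worth confirming the ACL and the SPN ownership separately rather than assuming one explains the other.

```powershell
# Added example, not code from the original post. Uses setspn.exe (ships with
# Windows) and the ActiveDirectory PowerShell module. Domain, account name and
# SPN below are hypothetical placeholders; substitute your own values.
Import-Module ActiveDirectory

$Domain  = 'CONTOSO'
$SamName = 'svc_sql'
$Account = "$Domain\$SamName"
$Spn     = 'MSSQLSvc/sqlhost.contoso.com:1433'   # stands in for [MySPN]

function Get-RegisteredSpn {
    # SPNs currently set on the account, read from the directory attribute itself.
    param([string]$SamName)
    (Get-ADUser -Identity $SamName -Properties servicePrincipalName).servicePrincipalName
}

function Find-SpnOwner {
    # Which object(s) hold the SPN anywhere in the domain. setspn -Q prints the
    # owning DN(s) followed by "Existing SPN found!", or "No such SPN found." if
    # nothing holds it. More than one DN back means a duplicate registration.
    param([string]$Spn)
    $out = setspn -Q $Spn
    if ($out -match 'No such SPN found') { return @() }
    $out | Where-Object { $_ -match '^(CN|OU|DC)=' }
}

function Test-DuplicateSpn {
    # setspn -X scans the whole domain and reports "found N group of duplicate SPNs."
    $out = (setspn -X) -join "`n"
    if ($out -match 'found (\d+) group') { [int]$Matches[1] -gt 0 } else { $null }
}

function Get-SpnWriteAce {
    # ACEs on the account object that let the account itself change its attributes.
    # SQL Server registers the SPN while running as the service account, so SELF
    # (or the account by name) needs WriteProperty or a validated write (Self)
    # here. Listing them shows whether that right exists and whether any Deny
    # entry could block the removal while still allowing the add.
    param([string]$SamName)
    $dn  = (Get-ADUser -Identity $SamName).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"
    $acl.Access | Where-Object {
        ($_.IdentityReference -match 'SELF|\\' + [regex]::Escape($SamName) + '$') -and
        ($_.ActiveDirectoryRights -match 'WriteProperty|Self|GenericWrite|GenericAll')
    } | Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType
}

function Remove-SpnManually {
    # The manual deregistration the error message asks for: remove the SPN from
    # the account, then confirm by re-reading the attribute. Returns $true if gone.
    param([string]$Spn, [string]$Account, [string]$SamName)
    setspn -D $Spn $Account | Out-Null
    -not ((Get-RegisteredSpn -SamName $SamName) -contains $Spn)
}

# 1. What is on the account right now?
Write-Host "SPNs on ${Account}:"; Get-RegisteredSpn -SamName $SamName

# 2. Is the SPN held by this account, and only this account?
$owners = Find-SpnOwner -Spn $Spn
Write-Host "Objects holding ${Spn}: $($owners.Count)"; $owners

# 3. Domain-wide duplicate scan
Write-Host "Duplicate SPNs present in domain: $(Test-DuplicateSpn)"

# 4. Which ACEs let the account write its own attributes?
Get-SpnWriteAce -SamName $SamName | Format-Table -AutoSize

# 5. Only with SQL Server stopped and the SPN confirmed stale: deregister by hand.
# Remove-SpnManually -Spn $Spn -Account $Account -SamName $SamName
```

Run steps 1 to 4 under any account with read access to the service account object; step 5 changes the directory and is commented out on purpose. Remove the SPN by hand only while the instance is stopped, since the startup message in the question shows SQL Server re-registering it on the next start, and a client that resolves a stale SPN to the wrong account will fall back to NTLM or fail outright.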
As per this question, you could try repairing the SQL Server installation from Add/Remove Programs in Control Panel. This will restart the service, so you may have to perform this out of hours.