views:

5302

answers:

3

In the SharePoint install document I have it says,

If you use a domain user account for the SQL Server service account, you must make sure that a valid service principal name (SPN) for that account and instance of SQL Server on their database server exists in their environment. This is the case regardless of whether you use NTLM or Kerberos authentication for Office SharePoint Server 2007.

You must configure the SPN for that account in the domain using the Setspn.exe command-line tool. Setspn.exe is installed by default on computers running Windows Server 2008. Run the following command on a computer that is joined to the same domain as the user/service account.

setspn -a http/<farmclusterdnsname> <serviceaccountname>

What should the parameters be in this case?

I guess the serviceaccountname would be 'domain\username'; I'm not sure what the first parameter should be, though.

This is the TechNet link for SetSPN.

A: 

I'm not 100% sure about this, but I know how to use SetSPN from Win2k, so I'd say you want "http/servername" if you are running on a single server, where 'servername' is the DNS name of that server.

If it doesn't work, it shouldn't break anything, and you can just remove the SPN from the principal with SetSPN.

codekaizen
+5  A: 

The syntax would look something like the following:

SetSPN -a http/www.mywebsite.com serviceaccountname

or

SetSPN -a http/www.mywebsite.com domainname\serviceaccountname

Try to think of it this way: You want to register the owner of the http service for www.mywebsite.com to the domain\serviceaccountname directory object. This SPN entry allows the authentication tickets to be encrypted with the password registered for the owner (serviceaccountname) of the service (http) on the registration name (www.mywebsite.com).

After you have added the SPN entry you can verify the results by using the 'SetSPN -l' on the owner (serviceaccountname) by executing the command:

SetSPN -l serviceaccountname

One thing to point out: you can only have one owner for the service (http) and the registration name (www.mywebsite.com) in the environment. It might be possible to accidentally end up with more than one.

Use the SetSPN -l option to look up the registration entries for the computer object where SharePoint is installed to make sure there isn't already an entry, e.g.:

SetSPN -l SharepointServer.domain.com
SetSPN -l SharepointServer

You can read much more about how SPN works at the Microsoft TechNet web site.

Dscoduc
In MS.CRM we often ran into problems re the delegation permission that needs to be set on the machine account via the Active Directory user tool, as well as the service principal name. Does that cause problems for SharePoint as well? What tools do you use to troubleshoot this? Just wondering.
Rihan Meij
The delegation usually is for Kerberos Constrained Delegation and could affect SharePoint if you have configured SharePoint to reach out to external resources on behalf of the user.
Dscoduc
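The duplicate-owner check described in the answer above, as an added example that is not part of the original answers: it looks up which directory objects already hold the SPN before running `setspn -a`, and refuses to add it if another account owns it. The SPN and account values are the answer's placeholders, the function name `Get-SpnOwner` is hypothetical, and the script assumes a domain-joined machine and an account allowed to write `servicePrincipalName`.

```powershell
# Added example. Placeholders from the answer above, not real values.
param(
    [string]$Spn     = 'http/www.mywebsite.com',
    [string]$Account = 'DOMAIN\serviceaccountname'
)

# Hypothetical helper: returns every object in the current domain holding $Spn.
# In a multi-domain forest the same query must also be run against the other
# domains (or a global catalog), because SPNs have to be unique forest-wide.
function Get-SpnOwner {
    param([Parameter(Mandatory)][string]$Spn)

    # Escape LDAP filter metacharacters (RFC 4515); backslash must go first.
    $escaped = $Spn.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')

    $searcher = [adsisearcher]"(servicePrincipalName=$escaped)"
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.Add('samaccountname')
    [void]$searcher.PropertiesToLoad.Add('distinguishedname')

    foreach ($result in $searcher.FindAll()) {
        [pscustomobject]@{
            SamAccountName    = [string]$result.Properties['samaccountname'][0]
            DistinguishedName = [string]$result.Properties['distinguishedname'][0]
        }
    }
}

$sam    = ($Account -split '\\')[-1]              # strip the DOMAIN\ prefix
$owners = @(Get-SpnOwner -Spn $Spn)
$others = @($owners | Where-Object { $_.SamAccountName -ne $sam })

if ($others.Count -gt 0) {
    # A second owner makes Kerberos ticket requests for this SPN fail.
    $others | ForEach-Object { Write-Warning "$Spn is already registered on $($_.DistinguishedName)" }
    throw 'Refusing to add a duplicate SPN; remove the existing registration first.'
}

if ($owners.Count -eq 0) {
    # Not registered anywhere yet: add it, as in the answer above.
    & setspn.exe -a $Spn $Account
    if ($LASTEXITCODE -ne 0) { throw "setspn -a exited with code $LASTEXITCODE" }
}

# Verify: list every SPN now registered on the service account.
& setspn.exe -l $Account
```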
A: 

You can download a Kerberos SPN Generation tool that may help you with this issue for multiple Microsoft BI products. Try http://futuresults.com

Robert